Wednesday, December 15, 2021

Apache Log4j Core: CVE-2021-45046: Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.

Description
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as setting the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.
Solution(s)
  • apache-log4j-core-upgrade-2_16


  • References
  • https://attackerkb.com/topics/cve-2021-40546
  • CVE - 2021-40546




  •  

    Copyright © 2021 Vulnerability Database | Cyber Details™

    thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore