CVE-2021-45046

Public on 2021-12-14
Modified on 2023-01-18
Description

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
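To audit for the non-default configuration the description names, the following added example (not code from this advisory or from the Log4j project) scans a log4j2 XML configuration for Pattern Layouts that use a Context Lookup or a Thread Context Map pattern. The function names and the sample configuration are constructed for illustration, and the scanner assumes the concise XML format with `PatternLayout` elements.

```python
import re
import xml.etree.ElementTree as ET

# Context Lookup, written ${ctx:key} or $${ctx:key} in a layout pattern.
CTX_LOOKUP = re.compile(r"\$\{ctx:[^}]*\}")
# Thread Context Map converters %X, %mdc, %MDC, with optional width and {key}.
MDC_CONVERTER = re.compile(r"(?<!%)%-?[\d.]*(?:X|mdc|MDC)(?![A-Za-z])(?:\{[^}]*\})?")

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="safe">
      <PatternLayout pattern="%d %-5p %c - %m%n"/>
    </Console>
    <Console name="lookup">
      <PatternLayout pattern="%d ${ctx:loginId} %m%n"/>
    </Console>
    <File name="mdc" fileName="app.log">
      <PatternLayout><Pattern>%d %X{requestId} %mdc %m%n</Pattern></PatternLayout>
    </File>
  </Appenders>
</Configuration>"""

def layout_patterns(config_xml):
    """Yield each pattern string found in or under a PatternLayout element."""
    for elem in ET.fromstring(config_xml).iter():
        # Drop any XML namespace prefix; compare names case-insensitively.
        if elem.tag.rsplit("}", 1)[-1].lower() != "patternlayout":
            continue
        for node in elem.iter():
            attrs = {k.lower(): v for k, v in node.attrib.items()}
            if "pattern" in attrs:
                yield attrs["pattern"]
            if node.tag.rsplit("}", 1)[-1].lower() == "pattern" and node.text:
                yield node.text.strip()

def find_risky_patterns(config_xml):
    """Return (pattern, hits) for layouts using a Context Lookup or MDC pattern."""
    findings = []
    for pattern in layout_patterns(config_xml):
        hits = CTX_LOOKUP.findall(pattern)
        hits += [m.group(0) for m in MDC_CONVERTER.finditer(pattern)]
        if hits:
            findings.append((pattern, hits))
    return findings

if __name__ == "__main__":
    for pattern, hits in find_risky_patterns(SAMPLE_CONFIG):
        print(f"review: {pattern!r} uses {hits}")
```

A finding only shows that a layout matches the configuration condition in the description; whether a host is affected also depends on the installed Log4j version, and the description states that 2.16.0 fixes the issue.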

Severity
Critical
CVSS v3 Base Score
9.0

Affected Packages

| Platform | Package | Release Date | Advisory |
|---|---|---|---|
| Amazon Linux 2 - Core | aws-kinesis-agent | 2021-12-16 00:11 | ALAS2-2021-1730 |
| Amazon Linux 1 | java-1.6.0-openjdk | 2021-12-17 17:39 | ALAS-2021-1553 |
| Amazon Linux 1 | java-1.7.0-openjdk | 2021-12-17 17:39 | ALAS-2021-1553 |
| Amazon Linux 2 - Core | java-1.7.0-openjdk | 2021-12-17 18:12 | ALAS2-2021-1731 |
| Amazon Linux 2 - Corretto8 Extra | java-1.8.0-amazon-corretto | 2021-12-17 18:31 | ALAS2CORRETTO8-2021-001 |
| Amazon Linux 1 | java-1.8.0-openjdk | 2021-12-17 17:39 | ALAS-2021-1553 |
| Amazon Linux 2 - Core | java-1.8.0-openjdk | 2021-12-17 18:12 | ALAS2-2021-1731 |
| Amazon Linux 2 - Core | java-11-amazon-corretto | 2021-12-17 18:12 | ALAS2-2021-1731 |
| Amazon Linux 2 - Java-openjdk11 Extra | java-11-openjdk | 2021-12-17 18:40 | ALAS2JAVA-OPENJDK11-2021-001 |
| Amazon Linux 2 - Core | java-17-amazon-corretto | 2021-12-17 18:12 | ALAS2-2021-1731 |

CVSS Scores

| Score Type | Score | Vector |
|---|---|---|
| Amazon Linux CVSSv3 | 9.0 | AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| NVD CVSSv3 | 9.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| NVD CVSSv2 | 5.1 | AV:N/AC:H/Au:N/C:P/I:P/A:P |