CVE-2021-45046 · threatengine.sh

Home/CVE/Apache Log4j2 Deserialization of Untrusted Data Vulnerability

CVE

CVE-2021-45046

Apache Log4j2 Deserialization of Untrusted Data Vulnerability

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

CRITICAL · CVSS 9 ⚠ CISA KEV EPSS 0.9434 Ransomware: known

Act now

Listed on CISA KEV (known exploited in the wild)
Linked to known ransomware campaigns
SSVC exploitation status: active
EPSS ≥ 0.50 - high probability of exploitation in the next 30 days
EPSS percentile: top 0% of all CVEs by exploitation likelihood
Public exploit or PoC is available
CVSS base score ≥ 7.0

Sigma rules10 YARA rules0

⬢

Required Remediation

Apply updates per vendor instructions.

◆

Threat Actors Linked

7

actorAndariel
actorAPT35
actorAPT40
actorAPT41
actorAquatic Panda
actorMuddyWater
Show all 7 actorsactorWizard Spider

⬡

Weakness Classification

CWE-917Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CWE-917Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

▤

Affected Products & Versions

42

apache log4j>= 2.0.1 and < 2.12.2
apache log4j>= 2.13.0 and < 2.16.0
apache log4jall versions
cvat computer vision annotation toolall versions
intel audio development kitall versions
intel datacenter managerall versions
intel genomics kernel libraryall versions
intel oneapiall versions
Show all 42 affected productsintel secure device onboardall versions
intel sensor solution firmware development kitall versions
intel system debuggerall versions
intel system studioall versions
siemens sppa-t3000 ses3000 firmwareall versions
siemens captial< 2019.1
siemens captialall versions
siemens comosall versions
siemens desigo cc advanced reportsall versions
siemens desigo cc info centerall versions
siemens e-car operation center< 2021-12-13
siemens energy engageall versions
siemens energyipall versions
siemens energyip prepayall versions
siemens gma-manager< 8.6.2j-398
siemens head-end system universal device integration systemall versions
siemens industrial edge managementall versions
siemens industrial edge management hub< 2021-12-13
siemens logo\! soft comfortall versions
siemens mendixall versions
siemens mindsphere< 2021-12-11
siemens navigator< 2021-12-13
siemens nxall versions
siemens opcenter intelligence<= 3.2
siemens operation scheduler<= 1.1.3
siemens sentron powermanagerall versions
siemens siguard dsaall versions
siemens sipass integratedall versions
siemens siveillance command<= 4.16.2.1
siemens siveillance control proall versions
siemens siveillance identityall versions
siemens siveillance vantageall versions
siemens siveillance viewpointall versions
siemens solid edge cam proall versions

▤

Affected Packages

2

Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.

Maven org.apache.logging.log4j:log4j-core CRITICAL fixed in 2.16.0

Maven org.ops4j.pax.logging:pax-logging-log4j2 CRITICAL fixed in 1.9.2

⚠

Public Exploits & PoCs

3

nucleiGoAnywhere Managed File Transfer - Remote Code Execution (Apache Log4j)critical
nucleiVMware vRealize Operations Tenant - JNDI Remote Code Execution (Apache Log4j)critical
nucleiApache Log4j2 - Remote Code Injectioncritical

◈

Detection Rules (IDS/IPS)

38

snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user

snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user

snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user

snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user

snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user

snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user

Show all 38 detection rulessnort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communityINDICATOR-COMPROMISE JNDI LDAP searchResEntry dynamic code download attempttrojan-activity
snort-communityPOLICY-OTHER Java User-Agent remote class download attemptpolicy-violation
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user
snort-communitySERVER-OTHER Apache Log4j logging remote code execution attemptattempted-user

Open rulesets (ET Open, Snort Community, abuse.ch) link to source. Commercial rulesets are reference-only.

◈

Sigma Hunt Rules

10

Exact rules name this CVE ID. Product rules name an affected product in their title. Related rules cover techniques used by actors who exploited this CVE. Showing the most relevant matches; the complete related set is on the full drill-down.

relatedcriticalBitbucket Unauthorized Full Data Export Triggered

relatedcriticalBitbucket Unauthorized Access To A Resource

relatedcriticalAntivirus Exploitation Framework Detection

relatedcriticalAntivirus Password Dumper Detection

relatedcriticalAntivirus Ransomware Detection

relatedcriticalLinux Reverse Shell Indicator

Show all 10 top matches

relatedcriticalWebshell Remote Command Execution

relatedcriticalPossible Coin Miner CPU Priority Param

relatedcriticalCobalt Strike DNS Beaconing

relatedcriticalBad Opsec Powershell Code Artifacts

See all related Sigma rules for this CVE

▣

Scoring & Timeline

9

CRITICAL · CVSS v3.1 · security@apache.org

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD14 Dec 2021 · 07:15 PM

CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC triage · cisa-vulnrichment

Exploitation

active

Automatable

no

Technical impact

total

SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

⚑

Vendor Advisories

30

rhsaRHSA-2025:1747Critical
rhsaRHSA-2025:1746Critical
suse-csafopenSUSE-SU-2024:11681-1
cisaKEV-CVE-2021-45046
rhsaRHSA-2022:1299Low
Show all 30 vendor advisoriesrhsaRHSA-2022:1297Low
rhsaRHSA-2022:1296Low
rhsaRHSA-2022:0431Moderate
rhsaRHSA-2022:0205Moderate
rhsaRHSA-2022:0216Low
rhsaRHSA-2022:0203Critical
rhsaRHSA-2022:0223Moderate
rhsaRHSA-2022:0222Moderate
rhsaRHSA-2022:0083Moderate
rhsaRHSA-2022:0138Moderate
siemens-csafSSA-479842
suse-csafopenSUSE-SU-2021:1601-1
siemens-csafSSA-397453
rhsaRHSA-2021:5141Critical
rhsaRHSA-2021:5106Critical
rhsaRHSA-2021:5107Critical
suse-csafopenSUSE-SU-2021:4107-1
siemens-csafSSA-714170
rhsaRHSA-2021:5186Critical
rhsaRHSA-2021:5184Critical
rhsaRHSA-2021:5183Critical
usnUSN-5197-1
rhsaRHSA-2021:5148Critical
suse-csafopenSUSE-SU-2021:4094-1
rhsaRHSA-2021:5094Moderate

🔗

References & Sources

21

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

http://www.openwall.com/lists/oss-security/2021/12/14/4Mailing ListMitigationThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/12/15/3Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2021/12/18/1Mailing ListThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdfThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdfThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdfThird Party Advisory

Show all 21 references

https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdfThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/Mailing ListRelease Notes

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/Mailing ListRelease Notes

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032Third Party Advisory

https://security.gentoo.org/glsa/202310-16Third Party Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbdThird Party Advisory

https://www.cve.org/CVERecord?id=CVE-2021-44228Not Applicable

https://www.debian.org/security/2021/dsa-5022Third Party Advisory

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.htmlThird Party Advisory

https://www.kb.cert.org/vuls/id/930724Third Party AdvisoryUS Government Resource

https://www.oracle.com/security-alerts/alert-cve-2021-44228.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.htmlThird Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45046US Government Resource

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin