What is CVE-2021-45046?

CVE-2021-45046 is a vulnerability in Apache Software Foundation Log4j, classified under Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection). Published 2021-12-14.

Is CVE-2021-45046 known to be exploited?

Yes. CVE-2021-45046 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2023-05-01), indicating it is being actively exploited. 348 public proof-of-concept repositories are indexed.

Log4Shell — Apache Software Foundation Log4j RCE

CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configurati…

Vulnerability class: Log4Shell (CVE-2021-44228)

EPSS: 0.943 (100.0th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Log4j — versions Apache Log4j2

Weakness classification (CWE)

CWE-917 — Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection)

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2023-05-01. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2023-05-22.

Required action: Apply updates per vendor instructions.

Known ransomware campaign use: yes.

Public proof-of-concept exploits

References

psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 (x_refsource_CONFIRM)
www.oracle.com/security-alerts/alert-cve-2021-44228.html (x_refsource_CONFIRM)
www.cve.org/CVERecord (x_refsource_MISC)
[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack (mailing-list, x_refsource_MLIST)
logging.apache.org/log4j/2.x/security.html (x_refsource_CONFIRM)
VU#930724 (third-party-advisory, x_refsource_CERT-VN)
cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf (x_refsource_CONFIRM)
www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html (x_refsource_CONFIRM)
20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021 (vendor-advisory, x_refsource_CISCO)
[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2021-45046?: CVE-2021-45046 is a vulnerability in Apache Software Foundation Log4j, classified under Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection). Published 2021-12-14.
Is CVE-2021-45046 known to be exploited?: Yes. CVE-2021-45046 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2023-05-01), indicating it is being actively exploited. 348 public proof-of-concept repositories are indexed.