External risk intelligence

Apache Log4j Remote Code Execution Vulnerability.

CVE advisoryKnown Exploit

CVE-2021-45046

A vulnerability in Apache Log4j affects systems using specific non-default configurations. Attackers can leverage this to gain unauthorized access and execute code, posing a significant business risk.

5Halo Surface Signal

Remote Code Execution

Apache Log4j

2.0.1 to before 2.12.22.13.0 to before 2.16.02.0before 2019.12019.14.04.14.25.05.1before 2021-12-133.18.58.68.79.03.73.8before 8.6.2j-398before 2021-12-113.2...

External exposure likelihood

Halo Surface Signal score for CVE-2021-45046

The vulnerable library, Apache Log4j, is a ubiquitous logging component embedded in a vast array of public-facing web applications, APIs, and internet-accessible services. Because it is a foundational component used in products that are designed to process network-originated requests by default, it is highly likely to be present in internet-facing deployment patterns.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability was identified in Apache's Log4j logging utility, specifically impacting certain non-default configurations. This flaw allows for the potential leakage of information and, in some scenarios, remote code execution. The issue arises from how the logging configuration handles specific input data, enabling malicious crafting of input that exploits a lookup pattern.

  • Vulnerable component: Apache Log4j logging utility
  • Core weakness: Incomplete fix leading to vulnerable lookup patterns
  • Main business impact: Information leak and remote code execution

Attack Path

How an attacker could exploit the issue

The identified vulnerability arises from an incomplete security fix in a widely used logging library. When specific non-default configurations are in place, an attacker can manipulate input data. This manipulation, when processed by the logging system, can lead to unintended code execution or the exposure of sensitive information within certain environments.

  • Exposed input data is logged.
  • Attacker crafts malicious input.
  • Attacker gains control or leaks data.

Live Threat

Current exploitation, exposure, and threat context

The identified vulnerability in Apache Log4j 2 presents a significant threat. Attackers with specialized knowledge can exploit certain non-default configurations to gain unauthorized access and execute code. This could lead to the compromise of sensitive information and disruption of critical business operations. Organizations should prioritize addressing this vulnerability to mitigate substantial business risk.

  • Likely attacker skill level: Expert
  • Required access or conditions: Network access, non-default configuration
  • Business risk or urgency: High impact, requires immediate attention

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The Apache Log4j library has a vulnerability that can allow attackers to gain unauthorized access to systems. This issue arises from an incomplete fix in previous versions, potentially leading to remote code execution. Organizations using affected versions of Log4j should take immediate steps to identify and mitigate this risk.

  • Find systems using vulnerable Log4j.
  • Reduce exposure or isolate risk.
  • Apply vendor fix and verify.

Frequently asked questions

What is CVE-2021-45046 and how did it arise?

CVE-2021-45046 is a vulnerability in Apache Log4j 2 that occurred because the fix for CVE-2021-44228 was incomplete. In specific non-default configurations, it allowed attackers to exploit the Thread Context Map (MDC) input data using a JNDI Lookup pattern. This could lead to remote code execution in some environments and local code execution in all environments.

What is the weakness class for CVE-2021-45046?

The primary weakness class associated with CVE-2021-45046 is CWE-917, which refers to the improper neutralization of special elements used in an LDAP query ('LDAP Injection'). In this case, it manifests as a JNDI Lookup pattern exploiting the logging configuration.

How can an attacker trigger CVE-2021-45046, and what is the potential scope?

Attackers can trigger this vulnerability by controlling Thread Context Map (MDC) input data. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (like $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), an attacker can craft malicious input using a JNDI Lookup. This can lead to information disclosure and remote code execution in certain environments, and local code execution universally.

What is the relevance of CVE-2021-45046, considering its widespread use?

The relevance of CVE-2021-45046 is very high due to the widespread use of Apache Log4j. This logging component is embedded in numerous web applications, APIs, and internet-accessible services. Its foundational nature in processing network requests by default makes it highly probable to be present in internet-facing systems, increasing the attack surface.

What practical steps should be taken to address CVE-2021-45046?

To address CVE-2021-45046, it is essential to update to Log4j versions 2.16.0 (for Java 8) or 2.12.2 (for Java 7). These versions resolve the issue by removing support for message lookup patterns and disabling JNDI functionality by default. Applying vendor-provided updates is the recommended course of action.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified