PT-2021-5369 · Apache · Apache Log4J2
Published 2021-12-14 · Updated 2026-06-09
CVE-2021-45046
CVSS v3.1: 9.0 (Critical)
| Vector | AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Log4j2 version 2.15.0
Apache Log4j2 versions prior to 2.16.0 (Java 8)
Apache Log4j2 versions prior to 2.12.2 (Java 7)
Description
The issue is related to the deserialization of untrusted data in the Apache Log4j2 library and can be exploited by attackers to execute arbitrary code remotely or locally. It occurs when the logging configuration uses a non-default Pattern Layout with a Context Lookup or a Thread Context Map pattern: attacker-controlled input that reaches such a pattern can be crafted as a JNDI Lookup pattern. It is estimated that there have been 1.8 million attempts to exploit this issue.
Recommendations
For Apache Log4j2 version 2.15.0, update to version 2.16.0 (Java 8) or 2.12.2 (Java 7); these releases remove support for message lookup patterns and disable JNDI functionality by default.
As a temporary workaround, disable the use of Context Lookup and Thread Context Map patterns in the logging configuration until the fixed version can be deployed.
Restrict access to the logging functionality to minimize the risk of exploitation.
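The workaround above amounts to auditing every non-default PatternLayout for Context Lookups (`${ctx:...}` and the deferred `$${ctx:...}` form) and Thread Context Map conversion patterns (`%X`, `%mdc`, `%MDC`). The following checker is an added example and not part of this advisory or of Log4j2 itself; it assumes a log4j2.xml configuration, parses it, and reports each PatternLayout whose pattern still contains one of those constructs. Both configurations in the block are constructed for illustration: the first carries the risky patterns, the second is the same configuration with them removed.

```python
import re
import xml.etree.ElementTree as ET

# Constructs the advisory's workaround says to remove from non-default PatternLayouts:
# Context Lookups (${ctx:key} and the deferred form $${ctx:key}) and
# Thread Context Map conversion patterns (%X, %mdc, %MDC), with or without a {key}.
CONTEXT_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")
THREAD_CONTEXT_PATTERN = re.compile(r"%(?:X|mdc|MDC)(?:\{[^}]*\})?")

# Constructed sample: a configuration that still uses both kinds of pattern.
RISKY_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] ${ctx:loginId} %X{requestId} %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d $${ctx:tenant} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/><AppenderRef ref="Audit"/></Root>
  </Loggers>
</Configuration>"""

# Constructed sample: the same configuration with the risky patterns taken out.
HARDENED_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/><AppenderRef ref="Audit"/></Root>
  </Loggers>
</Configuration>"""


def layout_pattern(layout: ET.Element) -> str:
    """Log4j2 accepts the pattern either as a 'pattern' attribute or as a <Pattern> child."""
    return layout.get("pattern") or (layout.findtext("Pattern") or "")


def find_risky_patterns(log4j2_xml: str) -> list:
    """Return one finding per PatternLayout that still uses a Context Lookup or a
    Thread Context Map pattern. A finding names the enclosing appender, the full
    pattern string and the matched fragments in the order they appear."""
    root = ET.fromstring(log4j2_xml)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for layout in root.iter("PatternLayout"):
        pattern = layout_pattern(layout)
        hits = sorted(
            (m.start(), m.group(0))
            for rx in (CONTEXT_LOOKUP, THREAD_CONTEXT_PATTERN)
            for m in rx.finditer(pattern)
        )
        if not hits:
            continue
        appender = parents.get(layout)
        findings.append({
            "appender": appender.get("name", appender.tag) if appender is not None else "?",
            "pattern": pattern,
            "matches": [text for _, text in hits],
        })
    return findings


if __name__ == "__main__":
    for label, cfg in (("risky", RISKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = find_risky_patterns(cfg)
        print(f"{label}: {len(findings)} layout(s) to fix")
        for f in findings:
            print(f"  appender {f['appender']}: {', '.join(f['matches'])}")
```

Run it against each log4j2.xml on a host (or feed it the configuration string pulled from a deployment) before relying on the workaround; a clean result means no PatternLayout still carries the patterns the advisory names, while any finding lists exactly which fragments to remove from which appender.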
Tags: Exploit · Fix · RCE · DoS · Deserialization of Untrusted Data
Affected Products
Apache Log4J2
Apache Struts
Huawei VRP
Linux Mint
RED OS
SUSE
Symantec Endpoint Protection Server
Ubuntu