CVSS3: 9 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 5.1 Medium
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector string: AV:N/AC:H/Au:N/C:P/I:P/A:P
log4j-core is vulnerable to denial of service (DoS). The vulnerability exists because the previous mitigation for CVE-2021-44228 is incomplete in certain non-default configurations. An attacker can send malicious Thread Context Map (MDC) input data in a JNDI Lookup pattern when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), causing a denial of service via the JNDI Lookup pattern. This is a different vulnerability that cannot be fixed with previously suggested configuration changes such as setting the system property log4j2.noFormatMsgLookup to true.
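A configuration check for the condition the description names, added here as an example and not part of the CVE record: it parses a Log4j 2 XML configuration and flags any PatternLayout whose pattern uses a Context Lookup ($${ctx:...}) or a Thread Context Map converter (%X, %mdc, %MDC), i.e. the non-default pattern layouts under which this issue applies. The sample configurations are constructed; element and converter names follow the standard Log4j 2 XML configuration format.

```python
import re
import xml.etree.ElementTree as ET

# Thread Context Map converters (%X, %mdc, %MDC), allowing format modifiers like %-20X{key}.
MDC_CONVERTER = re.compile(r"%-?\d*(?:\.\d+)?(?:X|mdc|MDC)\b")
# A Context Lookup inside a pattern is written $${ctx:key} (or ${ctx:key}).
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")


def layout_patterns(config_xml):
    """Yield every pattern configured on a PatternLayout, whether given as the
    pattern="" attribute or as a nested <Pattern> element (tag names are
    matched case-insensitively, as Log4j's XML configuration parser does)."""
    root = ET.fromstring(config_xml)
    for elem in root.iter():
        if elem.tag.lower() != "patternlayout":
            continue
        if "pattern" in elem.attrib:
            yield elem.attrib["pattern"]
        for child in elem:
            if child.tag.lower() == "pattern" and child.text:
                yield child.text.strip()


def find_context_patterns(config_xml):
    """Return (pattern, reason) pairs for layouts that pull Thread Context data
    into the log line, i.e. the non-default configurations the advisory names."""
    findings = []
    for pattern in layout_patterns(config_xml):
        if CTX_LOOKUP.search(pattern):
            findings.append((pattern, "Context Lookup $${ctx:...}"))
        elif MDC_CONVERTER.search(pattern):
            findings.append((pattern, "Thread Context Map converter %X/%mdc/%MDC"))
    return findings


# Constructed sample configurations (not taken from any real deployment).
SAFE_CONFIG = """<Configuration><Appenders>
  <Console name="out"><PatternLayout pattern="%d %-5p %c{1.} [%t] %m%n"/></Console>
</Appenders></Configuration>"""

CONTEXT_CONFIG = """<Configuration><Appenders>
  <Console name="out"><PatternLayout pattern="%d %p user=%X{loginId} %m%n"/></Console>
  <File name="audit" fileName="audit.log">
    <PatternLayout><Pattern>%d $${ctx:loginId} %m%n</Pattern></PatternLayout>
  </File>
</Appenders></Configuration>"""
```

Run `find_context_patterns()` over each log4j2.xml in a deployment; an empty result means the layout is not one of the non-default configurations this record describes, while any finding marks a configuration that still needs the upgrade rather than the system-property mitigation.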
www.openwall.com/lists/oss-security/2021/12/14/4
www.openwall.com/lists/oss-security/2021/12/15/1
www.openwall.com/lists/oss-security/2021/12/15/3
www.openwall.com/lists/oss-security/2021/12/18/1
cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
github.com/apache/logging-log4j2/commit/27972043b76c9645476f561c5adc483dec6d3f5d
issues.apache.org/jira/browse/LOG4J2-3208
lists.fedoraproject.org/archives/list/[email protected]/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/
lists.fedoraproject.org/archives/list/[email protected]/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/
logging.apache.org/log4j/2.x/changes-report.html#a2.16.0
logging.apache.org/log4j/2.x/security.html
psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
security.netapp.com/advisory/ntap-20211215-0001/
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
www.cve.org/CVERecord?id=CVE-2021-44228
www.debian.org/security/2021/dsa-5022
www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
www.kb.cert.org/vuls/id/930724
www.oracle.com/security-alerts/alert-cve-2021-44228.html
www.oracle.com/security-alerts/cpuapr2022.html
www.oracle.com/security-alerts/cpujan2022.html
www.oracle.com/security-alerts/cpujul2022.html