We have detected a critical security vulnerability (CVE-2021-45046) in Apache Log4j components used by WebAPI. This vulnerability allows attackers to exploit incomplete fixes for CVE-2021-44228 in certain non-default configurations, potentially leading to Remote Code Execution (RCE) and information disclosure.
Details:
- CVE: CVE-2021-45046
- Severity: Critical
- Affected Components: log4j-core versions:
  - 2.2 (WebAPI 2.14.0 uses this version)
  - 2.13.3
  - 2.14.0
- Exploit Availability: Confirmed
Description:
The fix for CVE-2021-44228 in Log4j 2.15.0 was incomplete. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (e.g., ${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, %MDC), attackers who can influence Thread Context Map (MDC) input data can craft values that trigger malicious JNDI lookups, leading to RCE or sensitive data leaks.
Recommended Fix:
- Upgrade to patched versions:
  - 2.12.2
  - 2.16.0 (or higher)
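As an added example (not code from this advisory or from WebAPI), the following Python script checks the two conditions the advisory describes: it scans a Log4j 2 XML configuration for PatternLayout patterns that pull in Thread Context Map data (${ctx:...} lookups or %X / %mdc / %MDC conversions), and it tests whether a log4j-core version string falls in the affected range. The sample configuration is constructed for the example, and the version check generalizes the advisory's lists to "below 2.16.0 except the 2.12.2 backport".

```python
import re
import xml.etree.ElementTree as ET

# Layout constructs that feed Thread Context Map (MDC) values into the
# pattern, which is the non-default condition CVE-2021-45046 depends on.
CONTEXT_LOOKUP = re.compile(r"\$\{\s*ctx:")
MDC_CONVERSION = re.compile(r"%(?:X|mdc|MDC)\b")


def risky_patterns(config_xml: str) -> list:
    """Return every PatternLayout pattern in a Log4j 2 XML config that
    references Thread Context Map data via ${ctx:...} or %X/%mdc/%MDC."""
    root = ET.fromstring(config_xml)
    found = []
    for layout in root.iter("PatternLayout"):
        # The pattern may be an attribute or a nested <Pattern> element.
        pattern = layout.get("pattern") or layout.findtext("Pattern")
        if pattern and (CONTEXT_LOOKUP.search(pattern) or MDC_CONVERSION.search(pattern)):
            found.append(pattern)
    return found


def version_affected(version: str) -> bool:
    """True for log4j-core 2.x below 2.16.0, except the patched 2.12.2 backport."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p or 0) for p in match.groups())
    if parts == (2, 12, 2):
        return False
    return (2, 0, 0) <= parts < (2, 16, 0)


# Constructed sample config: one safe appender, one using ctx lookup and %X.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5level %logger{36} - %msg%n"/>
    </Console>
    <Console name="Risky" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p [user=${ctx:loginId}] %X{requestId} - %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Risky"/></Root></Loggers>
</Configuration>"""

if __name__ == "__main__":
    print("risky patterns:", risky_patterns(SAMPLE_CONFIG))
    for v in ("2.2", "2.12.2", "2.14.0", "2.16.0"):
        print(v, "affected" if version_affected(v) else "not affected")
```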