CVE-2021-45046
Published: 14 December 2021
Summary
CVE-2021-45046 is a critical-severity Expression Language Injection (CWE-917) vulnerability in Apache Log4J. Its CVSS base score is 9.0 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an incomplete remediation of CVE-2021-44228 in Apache Log4j 2.15.0 that leaves certain non-default configurations exposed. Specifically, when the logging configuration uses a non-default Pattern Layout containing a Context Lookup (such as $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), an attacker who can supply data to the Thread Context Map (MDC) can embed a JNDI Lookup expression. This affects Log4j versions prior to the subsequent fixes on both Java 8 and Java 7 runtimes.
An attacker with control over MDC input data can therefore supply a crafted string that triggers JNDI resolution. Successful exploitation yields an information leak and remote code execution in some environments, or local code execution in all environments. The attack does not require authentication or user interaction and carries a CVSS 3.1 score of 9.0 under the vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H.
Vendor guidance and subsequent patches state that the issue is resolved in Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) by removing support for message lookup patterns entirely and disabling JNDI functionality by default. Public advisories from the oss-security list and Siemens product-cert bulletins reiterate these version upgrades as the primary mitigation.
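The exposure described above is a function of the logging configuration and the Log4j version: a PatternLayout that carries a Thread Context Map conversion (%X, %mdc, %MDC) or a Context Lookup ($${ctx:...}) on a release older than 2.16.0 (or 2.12.2 on the Java 7 line). Both conditions can be audited directly from the deployment artefacts. The script below is an added example written for this page, not code from the advisory, the vendor or the Log4j project; it parses a constructed log4j2.xml sample embedded inline, and the function names, the sample appender names and the version strings are assumptions of the example.

```python
"""Audit a Log4j 2 XML configuration for the CVE-2021-45046 preconditions.

Added example, not from the advisory or the Log4j project. It flags every
PatternLayout whose pattern contains a Thread Context Map conversion
(%X, %mdc, %MDC) or a Context Lookup (${ctx:...} / $${ctx:...}), i.e. the
non-default layouts under which attacker-controlled MDC data could reach
JNDI resolution on an unfixed version. The sample XML is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Thread Context Map conversion patterns named in the advisory.
MDC_PATTERN = re.compile(r"%(X|mdc|MDC)\b")
# Context Lookup inside a pattern, plain or with the deferred '$$' prefix.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")

# Constructed sample configuration: one safe appender, two exposed ones.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} %-5level %logger - %msg%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout pattern="%d %X{requestId} user=$${ctx:loginId} %msg%n"/>
    </File>
    <File name="Legacy" fileName="legacy.log">
      <PatternLayout>
        <Pattern>%d %mdc{session} %msg%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>
"""


def risky_conversions(pattern: str) -> list[str]:
    """Return the MDC / context-lookup tokens present in one layout pattern."""
    found = [m.group(0) for m in MDC_PATTERN.finditer(pattern)]
    found += [m.group(0) for m in CTX_LOOKUP.finditer(pattern)]
    return found


def audit_log4j2_xml(xml_text: str) -> list[dict]:
    """Walk every PatternLayout in a log4j2.xml and report exposed patterns.

    Each finding records the enclosing appender, the pattern string and the
    tokens that make it depend on (possibly attacker-controlled) MDC data.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for appender in root.iter():
        # PatternLayout is a direct child of the appender element (Console, File, ...).
        for layout in appender.findall("PatternLayout"):
            pattern = layout.get("pattern") or ""
            # Some configurations nest the pattern in a <Pattern> element instead.
            if not pattern:
                nested = layout.find("Pattern")
                pattern = (nested.text or "") if nested is not None else ""
            tokens = risky_conversions(pattern)
            if tokens:
                findings.append({
                    "appender": appender.get("name", appender.tag),
                    "pattern": pattern,
                    "tokens": tokens,
                })
    return findings


def version_is_fixed(version: str) -> bool:
    """True when the version is at or beyond the advisory's fixed release on
    its line: 2.12.2 for the Java 7 (2.12.x) line, 2.16.0 otherwise."""
    parts = tuple(int(p) for p in version.split("."))
    if parts[:2] == (2, 12):
        return parts >= (2, 12, 2)
    return parts >= (2, 16, 0)


if __name__ == "__main__":
    deployed = "2.15.0"  # assumed version string for the demonstration
    for f in audit_log4j2_xml(SAMPLE_CONFIG):
        print(f"appender {f['appender']!r}: tokens {f['tokens']} in {f['pattern']!r}")
    print("version fixed:", version_is_fixed(deployed))
```

Only the XML configuration format is handled; properties, JSON and YAML configurations carry the same pattern strings and would need their own loader. A hit on an exposed pattern is a precondition, not proof of exploitability: it matters when the values placed into the MDC originate from untrusted input, and the remediation the advisory gives is the version upgrade rather than pattern editing alone.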
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-34769
Vulnerability details
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
- CWE(s): CWE-917 (Expression Language Injection)
- KEV Date Added: 01 May 2023
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the vendor patches (Log4j 2.16.0 / 2.12.2) that remove message lookup support and disable JNDI by default, eliminating the incomplete CVE-2021-44228 remediation.
- CM-7 (Least Functionality): mandates disabling or removing non-essential features such as JNDI lookups and Context/Map pattern interpolation in Log4j, exactly matching the configuration changes that close this attack vector.
- Requires enforcing secure baseline settings for logging Pattern Layouts so that non-default Context Lookup or %X/%mdc patterns are never active, preventing attacker-controlled MDC data from triggering JNDI resolution.