[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
Arne Vajhøj
arne at vajhoej.dk
Fri Dec 17 17:02:03 EST 2021
On 12/16/2021 7:20 PM, Arne Vajhøj wrote:
> On 12/16/2021 5:47 PM, Craig A. Berry wrote:
>> Note that log4j 2.16.0 has now been released to fix vulnerabilities
>> still present in the 2.15.0 released a few days ago, and many of the
>> mitigations published in the last week are now considered inadequate:
>>
>> <https://logging.apache.org/log4j/2.x/security.html>
>
> Yes.
>
> But the new one is not in the same category as the first.
>
> <quote>
> CVE-2021-45046
>
> CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context
> Lookup Pattern vulnerable to a denial of service attack.
>
> Severity: Moderate
>
> Base CVSS Score: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
>
> Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0
> through 2.15.0
> </quote>
They have now updated the severity to:
CVE-2021-45046: Remote Code Execution
Severity: Critical
Base CVSS Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Versions Affected: All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2
...
Severity is now Critical
The original severity of this CVE was rated as Moderate; since this CVE
was published security experts found additional exploits against the
Log4j 2.15.0 release, that could lead to information leaks, RCE (remote
code execution) and LCE (local code execution) attacks.
Base CVSS Score changed from 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
to 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
The title of this CVE was changed from mentioning Denial of Service
attacks to mentioning Remote Code Execution attacks.
Only Pattern Layouts with a Context Lookup (for example,
$${ctx:loginId}) are vulnerable to this. This page previously
incorrectly mentioned that Thread Context Map pattern (%X, %mdc, or
%MDC) in the layout would also allow this vulnerability.
While Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP
lookups to localhost by default, there are ways to bypass this and users
should not rely on this.
> vs
>
> <quote>
> CVE-2021-44228
>
> CVE-2021-44228: Apache Log4j2 JNDI features do not protect against
> attacker controlled LDAP and other JNDI related endpoints.
>
> Severity: Critical
>
> Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
>
> Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0
> through 2.14.1
> </quote>
Arne
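As an added example (not part of this thread or of Apache's advisory), a small defender-side check that applies the distinction quoted above: it flags PatternLayout patterns containing a Context Lookup (${ctx:...} or $${ctx:...}) in a log4j2 XML or properties configuration, leaves the %X/%mdc/%MDC converters alone, and shows the %X{key} rewrite. The sample configurations are constructed inline, and the properties-file key convention and the handling of lookups with a default value are assumptions.

```python
"""Defender's check for CVE-2021-45046: find Log4j 2 PatternLayouts that use a
Context Lookup (${ctx:...} or $${ctx:...}). Thread Context Map converters
(%X, %mdc, %MDC) are not flagged, matching the advisory text quoted above."""
import re
import xml.etree.ElementTree as ET

# Single- or double-dollar Context Lookup anywhere inside a layout pattern.
CTX_LOOKUP = re.compile(r"\$\$?\{\s*ctx:[^}]*\}", re.IGNORECASE)
# Plain ${ctx:key} with no default value; forms with ":-default" are left to review.
CTX_SIMPLE = re.compile(r"\$\$?\{\s*ctx:([^}:]+)\}", re.IGNORECASE)

def find_context_lookups_xml(config_text):
    """Return every PatternLayout pattern in an XML config that uses ${ctx:...}."""
    hits = []
    for elem in ET.fromstring(config_text).iter():
        if elem.tag.lower() != "patternlayout":
            continue
        # The pattern may be an attribute or a nested <Pattern> element.
        patterns = [elem.get("pattern")] if elem.get("pattern") else []
        patterns += [c.text for c in elem if c.tag.lower() == "pattern" and c.text]
        hits += [p for p in patterns if CTX_LOOKUP.search(p)]
    return hits

def find_context_lookups_properties(config_text):
    """Same check for log4j2.properties, where layout keys end in '.pattern' (assumed)."""
    hits = []
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower().endswith(".pattern") and CTX_LOOKUP.search(value):
            hits.append(value.strip())
    return hits

def mitigated_pattern(pattern):
    """Rewrite ${ctx:key} to the %X{key} converter, which reads the same MDC value
    without going through the lookup/substitution path the advisory warns about."""
    return CTX_SIMPLE.sub(r"%X{\1}", pattern)

# Constructed sample configurations (not taken from any real deployment).
SAMPLE_XML = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - user=$${ctx:loginId} %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout><Pattern>%d %X{loginId} %m%n</Pattern></PatternLayout>
    </File>
  </Appenders>
</Configuration>"""
SAMPLE_PROPERTIES = ("appender.f.layout.type = PatternLayout\n"
                     "appender.f.layout.pattern = %d ${ctx:loginId} %m%n\n")
```

Run the two finders over each configuration and pass every hit through mitigated_pattern; a hit that survives unchanged contains a lookup with a default value and needs manual review.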