CVE-2021-45046 | Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Published: 2021-12-14 Last update: 2025-10-27 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2021-45046 is rated Critical Active Threat (100/100): CVSS Critical severity, with high exploitation likelihood (EPSS 99.98%, 100th percentile). Core evidence: CISA KEV confirms active exploitation (added 2023-05-01), affecting Apache Log4j2. The underlying weakness is CWE-917; unauthenticated remote administrative access may be possible. EPSS rose +5.64% over the last day, indicating growing attacker interest. Mandatory action: the CISA remediation deadline has passed; treat this as an emergency patch priority.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

CISA KEV Record for CVE-2021-45046

Name: Apache Log4j2 Deserialization of Untrusted Data Vulnerability

Exploit added: 2023-05-01

Action due: 2023-05-22

Required action: Apply updates per vendor instructions.

Exploit prediction scoring system (EPSS) score for CVE-2021-45046

EPSS summary: the daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a more severe relative rank).

#  Date        Old EPSS score  New EPSS score  Delta (New - Old)
1  2026-06-15  94.34%          99.98%          +5.64%
2  2026-04-22  94.43%          94.34%          -0.09%
3  2026-04-21  94.43%

Full EPSS history (42 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2021-45046

CVSS metrics for this CVE.

Base score  Version  Severity  Vector                                        Exploitability  Impact  Score source
9.0         3.1      CRITICAL  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H  2.2             6.0     [email protected]
9.0         3.1      CRITICAL  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H  2.2             6.0     134c704f-9b21-4f2e-91b3-4a467353bcc0
5.1         2.0      MEDIUM    AV:N/AC:H/Au:N/C:P/I:P/A:P                    4.9             6.4     [email protected]

CVSS 3.1 vector breakdown (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H):
Attack vector (AV:N): Could be attacked over the internet or any normal routed network, not just by someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed; an anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources: a bigger blast radius.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data; trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

CVSS 2.0 vector breakdown (AV:N/AC:H/Au:N/C:P/I:P/A:P):
Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:H): Exploitation requires uncommon or highly specific conditions.
Authentication (Au:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

Weakness enumeration for CVE-2021-45046

CWE-917 (the weakness cited in the alert summary above)

GitHub Security Advisory for CVE-2021-45046

GHSA-7rjr-3q55-vv33 · Severity: critical · Ecosystem: maven — Incomplete fix for Apache Log4j vulnerability

OS Trackers for CVE-2021-45046

Vendor  Priority          Summary and tracker link
debian  not yet assigned  Debian tracks 1 source package (apache-log4j2) with 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2021-45046
gentoo  high              1 GLSA (202310-16), 1 atom (net-wireless/unifi); latest impact high. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2021-45046
redhat  medium            https://access.redhat.com/security/cve/CVE-2021-45046
suse    high              Severity important: SUSE tracks 41 source package names (10.1.33-openjdk11-59.4:jakarta-servlet-5.0.0-5.3.1, 10.1.33-openjdk17-59.4:jakarta-servlet-5.0.0-5.3.1, …) and 195 product×package rows across 75 product lines (Container containers/apache-tomcat, Container suse/manager/5.0/x86_64/server, …): Fixed 100, Known Not Affected 95. https://www.suse.com/security/cve/CVE-2021-45046/
ubuntu  high              Ubuntu priority high: 1 source package (apache-log4j2), 8 status rows across 8 suites (bionic, focal, hirsute, impish, jammy, trusty, upstream, xenial): not-affected 3, released 3, DNE 1, needed 1. https://ubuntu.com/security/CVE-2021-45046

Affected software / configurations for CVE-2021-45046

Vendor Product Version Raw CPE
apache log4j >= 2.0.1, < 2.12.2 cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
apache log4j >= 2.13.0, < 2.16.0 cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
apache log4j 2.0 cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
apache log4j 2.0 cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
apache log4j 2.0 cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
apache log4j 2.0 cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
cvat computer_vision_annotation_tool cpe:2.3:a:cvat:computer_vision_annotation_tool:-:*:*:*:*:*:*:*
intel audio_development_kit cpe:2.3:a:intel:audio_development_kit:-:*:*:*:*:*:*:*
intel datacenter_manager cpe:2.3:a:intel:datacenter_manager:-:*:*:*:*:*:*:*
intel genomics_kernel_library cpe:2.3:a:intel:genomics_kernel_library:-:*:*:*:*:*:*:*
intel oneapi cpe:2.3:a:intel:oneapi:-:*:*:*:*:eclipse:*:*
intel secure_device_onboard cpe:2.3:a:intel:secure_device_onboard:-:*:*:*:*:*:*:*
intel sensor_solution_firmware_development_kit cpe:2.3:a:intel:sensor_solution_firmware_development_kit:-:*:*:*:*:*:*:*
intel system_debugger cpe:2.3:a:intel:system_debugger:-:*:*:*:*:*:*:*
intel system_studio cpe:2.3:a:intel:system_studio:-:*:*:*:*:*:*:*
siemens sppa-t3000_ses3000_firmware cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*
siemens captial < 2019.1 cpe:2.3:a:siemens:captial:*:*:*:*:*:*:*:*
siemens captial 2019.1 cpe:2.3:a:siemens:captial:2019.1:-:*:*:*:*:*:*
siemens captial 2019.1 cpe:2.3:a:siemens:captial:2019.1:sp1912:*:*:*:*:*:*
siemens comos cpe:2.3:a:siemens:comos:*:*:*:*:*:*:*:*
siemens desigo_cc_advanced_reports 4.0 cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.0:*:*:*:*:*:*:*
siemens desigo_cc_advanced_reports 4.1 cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.1:*:*:*:*:*:*:*
siemens desigo_cc_advanced_reports 4.2 cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.2:*:*:*:*:*:*:*
siemens desigo_cc_advanced_reports 5.0 cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.0:*:*:*:*:*:*:*
siemens desigo_cc_advanced_reports 5.1 cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.1:*:*:*:*:*:*:*
siemens desigo_cc_info_center 5.0 cpe:2.3:a:siemens:desigo_cc_info_center:5.0:*:*:*:*:*:*:*
siemens desigo_cc_info_center 5.1 cpe:2.3:a:siemens:desigo_cc_info_center:5.1:*:*:*:*:*:*:*
siemens e-car_operation_center < 2021-12-13 cpe:2.3:a:siemens:e-car_operation_center:*:*:*:*:*:*:*:*
siemens energy_engage 3.1 cpe:2.3:a:siemens:energy_engage:3.1:*:*:*:*:*:*:*
siemens energyip 8.5 cpe:2.3:a:siemens:energyip:8.5:*:*:*:*:*:*:*
siemens energyip 8.6 cpe:2.3:a:siemens:energyip:8.6:*:*:*:*:*:*:*
siemens energyip 8.7 cpe:2.3:a:siemens:energyip:8.7:*:*:*:*:*:*:*
siemens energyip 9.0 cpe:2.3:a:siemens:energyip:9.0:*:*:*:*:*:*:*
siemens energyip_prepay 3.7 cpe:2.3:a:siemens:energyip_prepay:3.7:*:*:*:*:*:*:*
siemens energyip_prepay 3.8 cpe:2.3:a:siemens:energyip_prepay:3.8:*:*:*:*:*:*:*
siemens gma-manager < 8.6.2j-398 cpe:2.3:a:siemens:gma-manager:*:*:*:*:*:*:*:*
siemens head-end_system_universal_device_integration_system cpe:2.3:a:siemens:head-end_system_universal_device_integration_system:*:*:*:*:*:*:*:*
siemens industrial_edge_management cpe:2.3:a:siemens:industrial_edge_management:*:*:*:*:*:*:*:*
siemens industrial_edge_management_hub < 2021-12-13 cpe:2.3:a:siemens:industrial_edge_management_hub:*:*:*:*:*:*:*:*
siemens logo\!_soft_comfort cpe:2.3:a:siemens:logo\!_soft_comfort:*:*:*:*:*:*:*:*
siemens mendix cpe:2.3:a:siemens:mendix:*:*:*:*:*:*:*:*
siemens mindsphere < 2021-12-11 cpe:2.3:a:siemens:mindsphere:*:*:*:*:*:*:*:*
siemens navigator < 2021-12-13 cpe:2.3:a:siemens:navigator:*:*:*:*:*:*:*:*
siemens nx cpe:2.3:a:siemens:nx:*:*:*:*:*:*:*:*
siemens opcenter_intelligence <= 3.2 cpe:2.3:a:siemens:opcenter_intelligence:*:*:*:*:*:*:*:*
siemens operation_scheduler <= 1.1.3 cpe:2.3:a:siemens:operation_scheduler:*:*:*:*:*:*:*:*
siemens sentron_powermanager 4.1 cpe:2.3:a:siemens:sentron_powermanager:4.1:*:*:*:*:*:*:*
siemens sentron_powermanager 4.2 cpe:2.3:a:siemens:sentron_powermanager:4.2:*:*:*:*:*:*:*
siemens siguard_dsa 4.2 cpe:2.3:a:siemens:siguard_dsa:4.2:*:*:*:*:*:*:*
siemens siguard_dsa 4.3 cpe:2.3:a:siemens:siguard_dsa:4.3:*:*:*:*:*:*:*
siemens siguard_dsa 4.4 cpe:2.3:a:siemens:siguard_dsa:4.4:*:*:*:*:*:*:*
siemens sipass_integrated 2.80 cpe:2.3:a:siemens:sipass_integrated:2.80:*:*:*:*:*:*:*
siemens sipass_integrated 2.85 cpe:2.3:a:siemens:sipass_integrated:2.85:*:*:*:*:*:*:*
siemens siveillance_command <= 4.16.2.1 cpe:2.3:a:siemens:siveillance_command:*:*:*:*:*:*:*:*
siemens siveillance_control_pro cpe:2.3:a:siemens:siveillance_control_pro:*:*:*:*:*:*:*:*
siemens siveillance_identity 1.5 cpe:2.3:a:siemens:siveillance_identity:1.5:*:*:*:*:*:*:*
siemens siveillance_identity 1.6 cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:*
siemens siveillance_vantage cpe:2.3:a:siemens:siveillance_vantage:*:*:*:*:*:*:*:*
siemens siveillance_viewpoint cpe:2.3:a:siemens:siveillance_viewpoint:*:*:*:*:*:*:*:*
siemens solid_edge_cam_pro cpe:2.3:a:siemens:solid_edge_cam_pro:*:*:*:*:*:*:*:*
siemens solid_edge_harness_design < 2020 cpe:2.3:a:siemens:solid_edge_harness_design:*:*:*:*:*:*:*:*
siemens solid_edge_harness_design 2020 cpe:2.3:a:siemens:solid_edge_harness_design:2020:*:*:*:*:*:*:*
siemens solid_edge_harness_design 2020 cpe:2.3:a:siemens:solid_edge_harness_design:2020:-:*:*:*:*:*:*
siemens solid_edge_harness_design 2020 cpe:2.3:a:siemens:solid_edge_harness_design:2020:sp2002:*:*:*:*:*:*
siemens spectrum_power_4 < 4.70 cpe:2.3:a:siemens:spectrum_power_4:*:*:*:*:*:*:*:*
siemens spectrum_power_4 4.70 cpe:2.3:a:siemens:spectrum_power_4:4.70:-:*:*:*:*:*:*
siemens spectrum_power_4 4.70 cpe:2.3:a:siemens:spectrum_power_4:4.70:sp7:*:*:*:*:*:*
siemens spectrum_power_4 4.70 cpe:2.3:a:siemens:spectrum_power_4:4.70:sp8:*:*:*:*:*:*
siemens spectrum_power_7 < 2.30 cpe:2.3:a:siemens:spectrum_power_7:*:*:*:*:*:*:*:*
siemens spectrum_power_7 2.30 cpe:2.3:a:siemens:spectrum_power_7:2.30:*:*:*:*:*:*:*
siemens spectrum_power_7 2.30 cpe:2.3:a:siemens:spectrum_power_7:2.30:-:*:*:*:*:*:*
siemens spectrum_power_7 2.30 cpe:2.3:a:siemens:spectrum_power_7:2.30:sp2:*:*:*:*:*:*
siemens teamcenter cpe:2.3:a:siemens:teamcenter:*:*:*:*:*:*:*:*
siemens tracealertserverplus cpe:2.3:a:siemens:tracealertserverplus:*:*:*:*:*:*:*:*
siemens vesys < 2019.1 cpe:2.3:a:siemens:vesys:*:*:*:*:*:*:*:*
siemens vesys 2019.1 cpe:2.3:a:siemens:vesys:2019.1:*:*:*:*:*:*:*
siemens vesys 2019.1 cpe:2.3:a:siemens:vesys:2019.1:-:*:*:*:*:*:*
siemens vesys 2019.1 cpe:2.3:a:siemens:vesys:2019.1:sp1912:*:*:*:*:*:*
siemens xpedition_enterprise cpe:2.3:a:siemens:xpedition_enterprise:-:*:*:*:*:*:*:*
siemens xpedition_package_integrator cpe:2.3:a:siemens:xpedition_package_integrator:-:*:*:*:*:*:*:*

References for CVE-2021-45046

URL Tags
http://www.openwall.com/lists/oss-security/2021/12/14/4 Mailing List Mitigation Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/15/3 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/18/1 Mailing List Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/ Mailing List Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/ Mailing List Release Notes
https://logging.apache.org/log4j/2.x/security.html Mitigation Release Notes Vendor Advisory
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 Third Party Advisory
https://security.gentoo.org/glsa/202310-16 Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2021-44228 Not Applicable
https://www.debian.org/security/2021/dsa-5022 Third Party Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html Third Party Advisory
https://www.kb.cert.org/vuls/id/930724 Third Party Advisory US Government Resource
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45046 US Government Resource