| Details | |
|---|---|
| Alert Id | 40043-2 |
| Alert Type | Active |
| Status | beta |
| Risk | High |
| CWE | 117 |
| WASC | 20 |
| Technologies Targeted |
Language / Java |
| Tags |
OUT_OF_BAND OWASP_2017_A09 OWASP_2021_A06 WSTG-V42-INPV-11 |
Summary
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments.
Solution
Upgrade Log4j2 to version 2.17.1 or newer.References
- https://www.cve.org/CVERecord?id=CVE-2021-45046
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://nvd.nist.gov/vuln/detail/CVE-2021-45046