Dec 15, 2021 2 min read

Log4Shell (CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105)

Log4Shell (CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105)
⚠️
Details of this blog have been updated as of 14:00 on 18 December 2021 and are currently correct and up to date at the time of this update.

In December 2021 a vulnerability termed Log4Shell was public disclosed. Initially there was only CVE-2021-44228 associated with it, but it later transpired that the fix for this CVE did not fix all issues and thus CVE-45046 is also associated with it. Recently CVE-2021-45105 was identified and has now been fixed in version 2.17.0.

Affected Versions

This only affects log4j-core, if you are using log4j-api without log4j-core, you are not vulnerable. However if you are using both you will need to ensure both versions are the same otherwise you will get errors.

  • log4j-core <= 2.14.1: CVE-2021-44228 (High Risk)
    • CVSS 10: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    • Remote Code Execution (RCE)
  • log4j-core = 2.15.0: CVE-2021-45046 (Low Risk)
    * CVSS 3.7: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
    • 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
    • Remove Code Excution (RCE) but only with customised logging configuration
  • log4j-core <= 2.16.0 (excluding 2.12.13): CVE-2021-45105 (Low Risk)
    • 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    • Denial of Service (DOS) but only with customised logging configuration
  • log4j = 1.x: CVE-2021-44228 (only if JMSAppender configured)

Remediation

  • log4j-core <= 2.14.1: Update to version 2.17.0
  • log4j-core = 2.15.0: Update to version 2.16.0 if and when you can, this only represents a minor severity in terms of a denial of service risk in specific situations Update to version 2.17.0
  • log6j-core = 2.16.0: Update to version 2.17.0
  • Where updating is not possible, remove the class JndiLookup from the library: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Previous advice was given to set the property formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS, this is not longer deemed appropriate. The same goes for the configuration %m{nolookups}, %msg{nolookups} or %message{nolookups}.

You can get the full details from the official Apache security advisory.

Sean Wright
Sean Wright
Experienced application security engineer with an origin as a software developer. Primarily focused on web-based application security with a special interest in TLS and supply chain related subjects.
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Sean Wright.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.