CVE-2021-45046

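Critical

Description

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.1.5 was incomplete in certain non-default configurations. This allows attackers with control over Thread Context input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, ${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %Mdc), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution, and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

From the Tenable Blog

CVE-2021-44228, CVE-2021-45046, CVE-2021-4104: Frequently Asked Questions About Log4Shell

Published: 2021-12-17

A list of frequently asked questions about Log4Shell.

References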

https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf

https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf

https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf

https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/

https://logging.apache.org/log4j/2.x/security.html

https://security.gentoo.org/glsa/202310-16

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

https://www.cve.org/CVERecord?id=CVE-2021-44228

https://www.debian.org/security/2021/dsa-5022

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html

https://www.kb.cert.org/vuls/id/930724

https://www.oracle.com/security-alerts/alert-cve-2021-44228.html

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpujan2022.html

https://www.oracle.com/security-alerts/cpujul2022.html

http://www.openwall.com/lists/oss-security/2021/12/14/4

http://www.openwall.com/lists/oss-security/2021/12/15/3

http://www.openwall.com/lists/oss-security/2021/12/18/1

Details

Source: Mitre, NVD

Published: 2021-12-14

Risk Information

CVSS v2

Base Score: 5.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.0

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity: Critical
