Problem

CVE-2021-44228

The IBM Chief Information Security Office (CISO) has declared an override for recently published Apache Log4j remote code execution vulnerability CVE-2021-44228. The override due date for installing vendor-provided security updates is December 14, 2021. For more information, see An update on the Apache Log4j CVE-2021-44228 vulnerability.

CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in the Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default.

CVE-2021-45105

Apache Log4j 2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that terminates the process. This is also known as a Denial-of-Service (DoS) attack.

CVE-2021-44832

Apache Log4j 2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) is vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Apache Log4j version 2.17.1, Apache Log4j version 2.12.4, and Apache Log4j version 2.3.2.