

CVE-2021-45046

Description

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

POC

Reference

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

- https://www.oracle.com/security-alerts/cpuapr2022.html

- https://www.oracle.com/security-alerts/cpujan2022.html

- https://www.oracle.com/security-alerts/cpujul2022.html

Github

- https://github.com/0xsyr0/Log4Shell

- https://github.com/1lann/log4shelldetect

- https://github.com/20142995/nuclei-templates

- https://github.com/2lambda123/og4j-scan

- https://github.com/4ra1n/4ra1n

- https://github.com/A-TPL-Bench/LibHunter

- https://github.com/ADP-Dynatrace/dt-appsec-powerup

- https://github.com/ARPSyndicate/cve-scores

- https://github.com/ARPSyndicate/cvemon

- https://github.com/ARPSyndicate/kenzer-templates

- https://github.com/Afrouper/MavenDependencyCVE-Scanner

- https://github.com/Ananya-0306/Log-4j-scanner

- https://github.com/Anonymous-Phunter/PHunter

- https://github.com/Aschen/log4j-patched

- https://github.com/Awisefew/Lof4j

- https://github.com/BobTheShoplifter/CVE-2021-45046-Info

- https://github.com/Boupouchi/Log4j-Detector-PFA

- https://github.com/BuildScale/log4j.scan

- https://github.com/CERTCC/CVE-2021-44228_scanner

- https://github.com/CGCL-codes/LibHunter

- https://github.com/CGCL-codes/PHunter

- https://github.com/CUBETIQ/cubetiq-security-advisors

- https://github.com/CVEDB/PoC-List

- https://github.com/CVEDB/awesome-cve-repo

- https://github.com/CVEDB/top

- https://github.com/CaptanMoss/Log4Shell-Sandbox-Signature

- https://github.com/Chrisync/CVE-Scanner

- https://github.com/Contrast-Security-OSS/safelog4j

- https://github.com/Coolaid003/Security-Research

- https://github.com/CptOfEvilMinions/ChooseYourSIEMAdventure

- https://github.com/Cyb3rWard0g/log4jshell-lab

- https://github.com/Cybereason/Logout4Shell

- https://github.com/DANSI/PowerShell-Log4J-Scanner

- https://github.com/DXC-StrikeForce/Burp-Log4j-HammerTime

- https://github.com/DanielFEXKEX/CVE-Scanner

- https://github.com/DevGHI/jmeter-docker

- https://github.com/Devihtisham01/-HIPAA-and-GDPR-compliance-engine-for-a-healthcare-SaaS-product

- https://github.com/Diablo5G/Certification-Prep

- https://github.com/Dikens88/hopp

- https://github.com/Diverto/nse-log4shell

- https://github.com/EMSeek/log4poc

- https://github.com/GameProfOrg/Jpg-Png-Exploit-Downloader-Fud-Cryter-Malware-Builder-Cve-2022

- https://github.com/GameProfOrg/Slient-Doc-Pdf-Exploit-Builder-Fud-Malware-Cve

- https://github.com/GhostTroops/TOP

- https://github.com/GluuFederation/Log4J

- https://github.com/HackJava/HackLog4j2

- https://github.com/HackJava/Log4j2

- https://github.com/HemantKMehta/Log4J

- https://github.com/HynekPetrak/log4shell-finder

- https://github.com/ITninja04/awesome-stars

- https://github.com/Icare741/TPTrivy

- https://github.com/JERRY123S/all-poc

- https://github.com/JustinMills2024/Shields-Up-Cybersecurity-Job-Simulation

- https://github.com/Kmute11/Web_Security_Monitoring

- https://github.com/LibHunter/LibHunter

- https://github.com/LoliKingdom/NukeJndiLookupFromLog4j

- https://github.com/MLX15/log4j-scan

- https://github.com/Maelstromage/Log4jSherlock

- https://github.com/MaineK00n/vuls2

- https://github.com/MathisLeDev/-Guide-Trivy-Scanner-de-S-curit-

- https://github.com/Mattrobby/Log4J-Demo

- https://github.com/NCSC-NL/log4shell

- https://github.com/NUMde/compass-num-conformance-checker

- https://github.com/NaInSec/CVE-PoC-in-GitHub

- https://github.com/NelsonKling/opencensus-java

- https://github.com/NiftyBank/java-app

- https://github.com/NorthShad0w/FINAL

- https://github.com/OSCKOREA-WORKSHOP/NEXUS-Firewall

- https://github.com/OWASP/www-project-ide-vulscanner

- https://github.com/Ostorlab/KEV

- https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors

- https://github.com/POC-2025/nuclei

- https://github.com/PandyBoyo/scanner

- https://github.com/Pluralsight-SORCERI/log4j-resources

- https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words

- https://github.com/PushpenderIndia/Log4jScanner

- https://github.com/Qerim-iseni09/ByeLog4Shell

- https://github.com/Qualys/log4jscanwin

- https://github.com/Ratlesv/Log4j-SCAN

- https://github.com/Rk-000/Log4j_scan_Advance

- https://github.com/Rohan-flutterint/CVE-2021-44228_scanner

- https://github.com/Rohan-flutterint/hotpatch-for-apache-log4j2

- https://github.com/Ryan2065/Log4ShellDetection

- https://github.com/SYRTI/POC_to_review

- https://github.com/SaintYago92/Log4j-scan

- https://github.com/Sandynaidu/log4j2_logger

- https://github.com/Secxt/FINAL

- https://github.com/ShadowPayload06/Internship-security-scan-

- https://github.com/SindhuDemo/PerfTestDemo

- https://github.com/SneakyBeagle/SneakyBeagle_container

- https://github.com/Staubgeborener/stars

- https://github.com/Stiloco/LOG4

- https://github.com/SushmaPerfTest/docker-PerformanceTest

- https://github.com/TehanG07/log4j-scan

- https://github.com/TheInterception/Log4J-Simulation-Tool

- https://github.com/TheZubairUsman/vulnerability-scan-parser

- https://github.com/Thienan12703/Upto-cloud

- https://github.com/Tim1995/FINAL

- https://github.com/VMsec/log4jScan_Modify

- https://github.com/VerveIndustrialProtection/CVE-2021-44228-Log4j

- https://github.com/Vr00mm/log4j-article

- https://github.com/Whoaa512/starred

- https://github.com/WhooAmii/POC_to_review

- https://github.com/X1pe0/Log4J-Scan-Win

- https://github.com/Y0-kan/Log4jShell-Scan

- https://github.com/YoungBear/log4j2demo

- https://github.com/a-ramses/security-research

- https://github.com/aboutyouprv1337/Nuclei

- https://github.com/abozzoni/cve-app

- https://github.com/adelarsq/awesome-bugs

- https://github.com/ajread4/cve_pull

- https://github.com/alexbakker/log4shell-tools

- https://github.com/allegroai/clearml-server

- https://github.com/alphatron-employee/product-overview

- https://github.com/alukashenkov/Vulners-MCP

- https://github.com/andalik/log4j-filescan

- https://github.com/apache/solr-docker

- https://github.com/avwolferen/Sitecore.Solr-log4j-mitigation

- https://github.com/aws-samples/kubernetes-log4j-cve-2021-44228-node-agent

- https://github.com/aymankhder/og4j-scanner

- https://github.com/back2root/log4shell-rex

- https://github.com/bananaacaat/Log4j-Detector

- https://github.com/bashofmann/hacking-kubernetes

- https://github.com/benmurphyy/log4shell

- https://github.com/binana354/nuclei

- https://github.com/binkley/modern-java-practices

- https://github.com/bmw-inc/log4shell

- https://github.com/brechtsanders/find_log4j

- https://github.com/byt3n33dl3/thc-Nuclei

- https://github.com/cckuailong/Log4j_CVE-2021-45046

- https://github.com/census-instrumentation/opencensus-java

- https://github.com/chenghungpan/test_data

- https://github.com/christian-taillon/log4shell-hunting

- https://github.com/cisagov/log4j-scanner

- https://github.com/clearml/clearml-server

- https://github.com/codebling/wso2-docker-patches

- https://github.com/codie3/docker-jmeter

- https://github.com/corretto/hotpatch-for-apache-log4j2

- https://github.com/cowbe0x004/cowbe0x004

- https://github.com/cyb3rpeace/log4j-scan

- https://github.com/cyberanand1337x/bug-bounty-2022

- https://github.com/danyk20/pentest

- https://github.com/darkarnium/Log4j-CVE-Detect

- https://github.com/dashmeet2023/Automated-Vulnerability-Checker

- https://github.com/davejwilson/azure-spark-pools-log4j

- https://github.com/dbzoo/log4j_scanner

- https://github.com/demining/Log4j-Vulnerability

- https://github.com/demonrvm/Log4ShellRemediation

- https://github.com/dev-thefirewall/nuclei-test

- https://github.com/dhanugupta/log4j-vuln-demo

- https://github.com/dileepdkumar/https-github.com-NCSC-NL-log4shell

- https://github.com/dileepdkumar/https-github.com-cisagov-log4j-affected-dbv2

- https://github.com/dileepdkumar/https-github.com-mergebase-log4j-samples

- https://github.com/dinlaks/RunTime-Vulnerability-Prevention---RHACS-Demo

- https://github.com/dkd/elasticsearch

- https://github.com/docker-solr/docker-solr

- https://github.com/doris0213/assignments

- https://github.com/dtact/divd-2021-00038--log4j-scanner

- https://github.com/dybson3/Forage-Internship-AIG

- https://github.com/ecomtech-oss/pisc

- https://github.com/edsonjt81/log4-scanner

- https://github.com/edsonjt81/log4j-scan

- https://github.com/edsonjt81/nse-log4shell

- https://github.com/elicha023948/44228

- https://github.com/eliezio/log4j-test

- https://github.com/eventsentry/scripts

- https://github.com/fabioeletto/hka-seminar-log4shell

- https://github.com/flux10n/log4j

- https://github.com/forcedotcom/Analytics-Cloud-Dataset-Utils

- https://github.com/forcedotcom/CRMA-dataset-creator

- https://github.com/fox-it/log4j-finder

- https://github.com/frontal1660/DSLF

- https://github.com/frrusi/docker-image-audit

- https://github.com/frrusi/docker-image-sync

- https://github.com/fullhunt/log4j-scan

- https://github.com/gglessner/KafkaClient

- https://github.com/gitlab-de/log4j-resources

- https://github.com/gjrocks/TestLog4j

- https://github.com/google/security-research

- https://github.com/govgitty/log4shell-

- https://github.com/grvuolo/wsa-spgi-lab

- https://github.com/gumimin/dependency-check-sample

- https://github.com/hari-mutyala/HK-JmeterDocker

- https://github.com/hari-mutyala/jmeter-api-perf

- https://github.com/hari-mutyala/jmeter-ui-perf

- https://github.com/hbeooooooom/Log4shell_poc

- https://github.com/helsecert/CVE-2021-44228

- https://github.com/hillu/local-log4j-vuln-scanner

- https://github.com/hktalent/TOP

- https://github.com/hozyx/log4shell

- https://github.com/hupe1980/scan4log4shell

- https://github.com/husnain-ce/Log4j-Scan

- https://github.com/hypertrace/hypertrace

- https://github.com/ifconfig-me/Log4Shell-Payloads

- https://github.com/imTigger/webapp-hardware-bridge

- https://github.com/immunityinc/Log4j-JNDIServer

- https://github.com/infiniroot/nginx-mitigate-log4shell

- https://github.com/inj3ction/log4j-scan

- https://github.com/insignit/cve-informatie

- https://github.com/integralads/dependency-deep-scan-utilities

- https://github.com/jacobalberty/unifi-docker

- https://github.com/jbeagles8755a0/security-research

- https://github.com/jbmihoub/all-poc

- https://github.com/jfrog/jfrog-cli-plugins-reg

- https://github.com/jfrog/log4j-tools

- https://github.com/jnyilas/log4j-finder

- https://github.com/juancarlosme/java1

- https://github.com/justb4/docker-jmeter

- https://github.com/k3rwin/log4j2-intranet-scan

- https://github.com/kdecho/Log4J-Scanner

- https://github.com/kdpuvvadi/Omada-Ansible

- https://github.com/kdpuvvadi/omada-ansible

- https://github.com/khulnasoft-lab/awesome-security

- https://github.com/khulnasoft-labs/awesome-security

- https://github.com/kpostreich/WAS-Automation-CVE

- https://github.com/krah034/oss-vulnerability-check-demo

- https://github.com/layou233/Tritium-backup

- https://github.com/leoCottret/l4shunter

- https://github.com/lgtux/find_log4j

- https://github.com/lhotari/Log4Shell-mitigation-Dockerfile-overlay

- https://github.com/lhotari/pulsar-docker-images-patch-CVE-2021-44228

- https://github.com/lijiejie/log4j2_vul_local_scanner

- https://github.com/log4jcodes/log4j.scan

- https://github.com/logpresso/CVE-2021-44228-Scanner

- https://github.com/ludy-dev/cve-2021-45046

- https://github.com/lukepasek/log4jjndilookupremove

- https://github.com/lwollan/log4j-exploit-server

- https://github.com/mad1c/log4jchecker

- https://github.com/manishkanyal/log4j-scanner

- https://github.com/martinlau/dependency-check-issue

- https://github.com/mergebase/csv-compare

- https://github.com/mergebase/log4j-detector

- https://github.com/mergebase/log4j-samples

- https://github.com/mitiga/log4shell-everything

- https://github.com/mitigatesh/nuclei

- https://github.com/mkbyme/docker-jmeter

- https://github.com/nagten/JndiLookupRemoval

- https://github.com/newrelic-experimental/nr-find-log4j

- https://github.com/niphon-sn/Vulnerability-Scanning-Tools

- https://github.com/nlmaca/Wowza_Installers

- https://github.com/nomi-sec/PoC-in-GitHub

- https://github.com/nullx3d/PaypScan

- https://github.com/okiemute-esiri/Web_Security_Monitoring

- https://github.com/okostine-panw/pc_scripts

- https://github.com/open-source-agenda/new-open-source-projects

- https://github.com/optionalg/ByeLog4Shell

- https://github.com/ossie-git/log4shell_sentinel

- https://github.com/ouarriorxx/log4j_test

- https://github.com/ozGod-sh/Declencheur-CVE

- https://github.com/ozGod-sh/Detecteur-Log4Shell

- https://github.com/palantir/log4j-sniffer

- https://github.com/papicella/cli-snyk-getting-started

- https://github.com/papicella/conftest-snyk-demos

- https://github.com/paras98/Log4Shell

- https://github.com/pentesterland/Log4Shell

- https://github.com/perfqapm/docker-jmeter

- https://github.com/phax/ph-oton

- https://github.com/phax/phase4

- https://github.com/phax/phoss-directory

- https://github.com/phiroict/pub_log4j2_fix

- https://github.com/plzheheplztrying/cve_monitor

- https://github.com/pmontesd/Log4PowerShell

- https://github.com/pratik-dey/DockerPOCPerf

- https://github.com/pravin-pp/log4j2-CVE-2021-45046

- https://github.com/projectdiscovery/nuclei

- https://github.com/r00thunter/Log4Shell

- https://github.com/r3kind1e/Log4Shell-obfuscated-payloads-generator

- https://github.com/radiusmethod/awesome-gists

- https://github.com/ralvares/ssvc.me

- https://github.com/retired54/Retired

- https://github.com/retr0-13/log4j-bypass-words

- https://github.com/retr0-13/log4j-scan

- https://github.com/retr0-13/log4shell

- https://github.com/retr0-13/nse-log4shell

- https://github.com/rgl/log4j-log4shell-playground

- https://github.com/righettod/log4shell-analysis

- https://github.com/rohan-flutterint/CVE-2021-44228_scanner

- https://github.com/rohan-flutterint/hotpatch-for-apache-log4j2

- https://github.com/rohankumardubey/CVE-2021-44228_scanner

- https://github.com/rohankumardubey/hotpatch-for-apache-log4j2

- https://github.com/rtkwlf/wolf-tools

- https://github.com/runZeroInc/nuclei

- https://github.com/samokat-oss/pisc

- https://github.com/scagogogo/cve

- https://github.com/scordero1234/java_sec_demo-main

- https://github.com/sdogancesur/log4j_github_repository

- https://github.com/seculayer/Log4j-Vulnerability

- https://github.com/shaily29-eng/CyberSecurity_CVE-2021-45046

- https://github.com/shannonmullins/hopp

- https://github.com/snakesec/nuclei

- https://github.com/sonicgdm/loadtests-jmeter

- https://github.com/soosmile/POC

- https://github.com/sourcegraph/log4j-cve-code-search-resources

- https://github.com/srhercules/log4j_mass_scanner

- https://github.com/sschakraborty/SecurityPOC

- https://github.com/stuartwdouglasmidstream/github--census-instrumentation--opencensus-java

- https://github.com/suky57/logj4-cvi-fix-unix

- https://github.com/sumitgiri87/Ransomware-AIG

- https://github.com/taielab/awesome-hacking-lists

- https://github.com/taise-hub/log4j-poc

- https://github.com/tarja1/log4shell_fix

- https://github.com/tasooshi/horrors-log4shell

- https://github.com/tcoliver/IBM-SPSS-log4j-fixes

- https://github.com/tejas-nagchandi/CVE-2021-45046

- https://github.com/test-org-appsec/nuclei

- https://github.com/testuser4040-coder/nuclei

- https://github.com/thecloudtechin/jmeter-jenkins

- https://github.com/thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832

- https://github.com/thl-cmk/CVE-log4j-check_mk-plugin

- https://github.com/thongtran89/docker_jmeter

- https://github.com/tmax-cloud/install-EFK

- https://github.com/trhacknon/CVE-2021-44228-Scanner

- https://github.com/trhacknon/Pocingit

- https://github.com/trhacknon/log4shell-finder

- https://github.com/trickyearlobe/inspec-log4j

- https://github.com/trickyearlobe/patch_log4j

- https://github.com/triw0lf/Security-Matters-22

- https://github.com/viktorbezdek/awesome-github-projects

- https://github.com/vinyasmd/log4j-vulnerability-scanner

- https://github.com/voditelnloo/jmeterjustb4

- https://github.com/w4kery/Respond-ZeroDay

- https://github.com/wanniDev/OEmbeded

- https://github.com/warriordog/little-log-scan

- https://github.com/weeka10/-hktalent-TOP

- https://github.com/wh1tenoise/log4j-scanner

- https://github.com/whalehub/awesome-stars

- https://github.com/whitesource-ps/ws-bulk-report-generator

- https://github.com/whitesource/log4j-detect-distribution

- https://github.com/whitfieldsdad/cisa_kev

- https://github.com/wortell/log4j

- https://github.com/xsultan/log4jshield

- https://github.com/yahoo/check-log4j

- https://github.com/yannart/log4shell-scanner-rs

- https://github.com/yonocruzhj/AIG---Tasks

- https://github.com/yycunhua/4ra1n

- https://github.com/zaneef/CVE-2021-44228

- https://github.com/zecool/cve

- https://github.com/zeroonesa/ctf_log4jshell

- https://github.com/zhzyker/logmap

- https://github.com/zisigui123123s/FINAL