It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
CVSS Details
- CVSS 3.1 Base Score: 9
- CVSS 3.1 Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Covered by Rapid7
| Product | Vendor Advisory | Solution File | Added | Published |
|---|---|---|---|---|
| Amazon Linux Ami 2 | amazon-linux-ami-2-upgrade-aws-kinesis-agentamazon-linux-ami-2-upgrade-java-1-7-0-openjdkamazon-linux-ami-2-upgrade-java-1-7-0-openjdk-accessibilityamazon-linux-ami-2-upgrade-java-1-7-0-openjdk-debuginfoamazon-linux-ami-2-upgrade-java-1-7-0-openjdk-demoamazon-linux-ami-2-upgrade-java-1-7-0-openjdk-develamazon-linux-ami-2-upgrade-java-1-7-0-openjdk-headlessamazon-linux-ami-2-upgrade-java-1-7-0-openjdk-javadocamazon-linux-ami-2-upgrade-java-1-7-0-openjdk-srcamazon-linux-ami-2-upgrade-java-1-8-0-amazon-correttoamazon-linux-ami-2-upgrade-java-1-8-0-amazon-corretto-develamazon-linux-ami-2-upgrade-java-1-8-0-openjdkamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-accessibilityamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-accessibility-debugamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-debugamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-debuginfoamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-demoamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-demo-debugamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-develamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-devel-debugamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-headlessamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-headless-debugamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadocamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc-debugamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc-zipamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc-zip-debugamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-srcamazon-linux-ami-2-upgrade-java-1-8-0-openjdk-src-debugamazon-linux-ami-2-upgrade-java-11-amazon-correttoamazon-linux-ami-2-upgrade-java-11-amazon-corretto-headlessamazon-linux-ami-2-upgrade-java-11-amazon-corretto-javadocamazon-linux-ami-2-upgrade-java-11-openjdkamazon-linux-ami-2-upgrade-java-11-openjdk-debugamazon-linux-ami-2-upgrade-java-11-openjdk-debuginfoamazon-linux-ami-2-upgrade-java-11-openjdk-demoamazon-linux-ami-2-upgrade-java-11-openjdk-demo-debugamazon-linux-ami-2-upgrade-java-11-openjdk-develamazon-linux-ami-2-upgrade-java-11-openjdk-devel-debugamazon-linux-ami-2-upgrade-java-11-openjdk-headlessamazon-linux-ami-2-upgrade-java-11-openjdk-headless-debugamazon-linux-ami-2-upgrade-java-11-openjdk-javadocamazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-debugamazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-zipamazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-zip-debugamazon-linux-ami-2-upgrade-java-11-openjdk-jmodsamazon-linux-ami-2-upgrade-java-11-openjdk-jmods-debugamazon-linux-ami-2-upgrade-java-11-openjdk-srcamazon-linux-ami-2-upgrade-java-11-openjdk-src-debugamazon-linux-ami-2-upgrade-java-11-openjdk-static-libsamazon-linux-ami-2-upgrade-java-11-openjdk-static-libs-debugamazon-linux-ami-2-upgrade-java-17-amazon-correttoamazon-linux-ami-2-upgrade-java-17-amazon-corretto-develamazon-linux-ami-2-upgrade-java-17-amazon-corretto-headlessamazon-linux-ami-2-upgrade-java-17-amazon-corretto-javadocamazon-linux-ami-2-upgrade-java-17-amazon-corretto-jmods | Jul 4, 2022 | Dec 14, 2021 | |
| Amazon_linux | — | amazon-linux-upgrade--java-1-6-0-openjdkamazon-linux-upgrade--java-1-7-0-openjdkamazon-linux-upgrade-java-1-8-0-openjdk | Dec 18, 2021 | Dec 14, 2021 |
| Apache Log4j Core | — | apache-log4j-core-upgrade-2_16apache-log4j-core-upgrade-2_12_2apache-log4j-core-upgrade-2_3_1 | Dec 14, 2021 | Dec 14, 2021 |
| Debian | debian-upgrade-apache-log4j2 | Dec 17, 2021 | Dec 14, 2021 | |
| Freebsd | freebsd-upgrade-package-opensearchfreebsd-upgrade-package-graylog | Nov 4, 2022 | Dec 27, 2021 | |
| Gentoo Linux | gentoo-linux-upgrade-net-wireless-unifi | Oct 27, 2023 | Dec 14, 2021 | |
| Ibm Was | ibm-was-upgrade-latest | Aug 26, 2022 | Dec 14, 2021 | |
| Red Hat Jboss Eap | red-hat-jboss-eap-upgrade-latest | Sep 19, 2024 | Dec 14, 2021 | |
| Sonicwall Email Security | sonicwall-email-security-upgrade-10013 | Sep 22, 2025 | Dec 11, 2021 | |
| Suse | — | suse-upgrade-disruptorsuse-upgrade-disruptor-javadocsuse-upgrade-jakarta-servletsuse-upgrade-jakarta-servlet-javadocsuse-upgrade-log4jsuse-upgrade-log4j-javadocsuse-upgrade-log4j-jclsuse-upgrade-log4j-slf4j | Dec 16, 2021 | Dec 14, 2021 |
| Ubuntu | ubuntu-upgrade-liblog4j2-java | Dec 16, 2021 | Dec 14, 2021 | |
| Vcenter Log4j | vcenter-log4j-CVE-2021-44228 | Feb 4, 2022 | Jan 7, 2022 | |
| Vmsa 2021 0028 | vmware-workspace-one-access-upgrade-20_10_0_0_17035009vmware-workspace-one-access-upgrade-20_10_0_1_17586971vmware-workspace-one-access-upgrade-21_08_0_0_18530336vmware-workspace-one-access-upgrade-21_08_0_1_19010796 | Jan 4, 2022 | Jan 4, 2022 | |
| Vmware Horizon Agent | vmware-horizon-agent-windows-upgrade-8.4.0.18964730vmware-horizon-agent-windows-upgrade-7.13.1.19067315vmware-horizon-agent-windows-upgrade-7.13.0.19067039vmware-horizon-agent-windows-upgrade-7.10.3.19069158vmware-horizon-agent-linux-upgrade-8.4.0.19050247vmware-horizon-agent-linux-upgrade-7.13.1.19066964vmware-horizon-agent-linux-upgrade-7.10.3.19066964 | Feb 9, 2022 | Dec 14, 2021 | |
| Vmware Horizon Connection Server | vmware-horizon-connection-server-upgrade-8.4.0.19067837vmware-horizon-connection-server-upgrade-7.13.1.19069458vmware-horizon-connection-server-upgrade-7.10.3.19069415 | Feb 1, 2022 | Dec 14, 2021 | |
| Vmware Vrealize | View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗View advisory ↗ | vmware-vrealize-upgrade-8_6_2_19081814 | Jan 4, 2022 | Jan 4, 2022 |
Prioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub