Rapid7 Vulnerability & Exploit Database

IBM WebSphere Application Server: CVE-2021-45046: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)

Back to Search

IBM WebSphere Application Server: CVE-2021-45046: Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2021-4104, CVE-2021-45046)

Severity
5
CVSS
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
Published
12/14/2021
Created
08/29/2022
Added
08/26/2022
Modified
08/26/2022

Description

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Solution(s)

  • ibm-was-install-8-0-0-0-ph42762
  • ibm-was-install-8-5-0-0-ph42762
  • ibm-was-install-8-5-ph42762-liberty
  • ibm-was-install-9-0-0-0-ph42762
  • ibm-was-upgrade-8-5-0-0-8-5-5-21
  • ibm-was-upgrade-8-5-22-0-0-1-liberty
  • ibm-was-upgrade-9-0-0-0-9-0-5-11

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;