CVE-2021-45046
Description
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Severity: CRITICAL
CVE ID: CVE-2021-45046
CVSS Score: 9.0
CVSS Metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Proof Of Concept
Nuclei Templates for CVE-2021-45046
Refrence: Project Discovery GitHub
cckuailong
Log4j 2.15.0 Privilege Escalation -- CVE-2021-45046
Refrence: GitHub
BobTheShoplifter
Oh no another one
Refrence: GitHub
tejas-nagchandi
Replicating CVE-2021-45046
Refrence: GitHub
pravin-pp
Refrence: GitHub
mergebase
Public testing data. Samples of log4j library versions to help log4j scanners / detectors improve their accuracy for detecting CVE-2021-45046 and CVE-2021-44228. TAG_TESTING, OWNER_KEN, DC_PUBLIC
Refrence: GitHub
lukepasek
A simple script to remove Log4J JndiLookup.class from jars in a given directory, to temporarily protect from CVE-2021-45046 and CVE-2021-44228.
Refrence: GitHub
ludy-dev
Refrence: GitHub
lijiejie
Log4j 漏洞本地检测脚本。 Scan all java processes on your host to check whether it's affected by log4j2 remote code execution vulnerability (CVE-2021-45046)
Refrence: GitHub
CaptanMoss
Log4Shell(CVE-2021-45046) Sandbox Signature
Refrence: GitHub
Content on GitHub
fox-it | watchers:434
log4j-finder
Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)
Refrence: GitHub
alexbakker | watchers:84
log4shell-tools
Tool that runs a test to check whether one of your applications is affected by the recent vulnerabilities in log4j: CVE-2021-44228 and CVE-2021-45046
Refrence: GitHub
HynekPetrak | watchers:36
log4shell-finder
Fastest filesystem scanner for log4shell (CVE-2021-44228, CVE-2021-45046) and other vulnerable (CVE-2017-5645, CVE-2019-17571, CVE-2022-23305, CVE-2022-23307 ... ) instances of log4j library. Excellent performance and low memory footprint.
Refrence: GitHub
mergebase | watchers:630
log4j-detector
A public open sourced tool. Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too! TAG_OS_TOOL, OWNER_KELLY, DC_PUBLIC
Refrence: GitHub
NCSC-NL | watchers:1895
log4shell
Operational information regarding the log4shell vulnerabilities in the Log4j logging library.
Refrence: GitHub
cisagov | watchers:1275
log4j-scanner
log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.
Refrence: GitHub
r3kind1e | watchers:20
Log4Shell-obfuscated-payloads-generator
Generate primary obfuscated or secondary obfuscated CVE-2021-44228 or CVE-2021-45046 payloads to evade WAF detection.
Refrence: GitHub
dtact | watchers:50
divd-2021-00038--log4j-scanner
Scan systems and docker images for potential log4j vulnerabilities. Able to patch (remove JndiLookup.class) from layered archives. Will detect in-depth (layered archives jar/zip/tar/war and scans for vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105). Binaries for Windows, Linux and OsX, but can be build on each platform supported by supported Golang.
Refrence: GitHub
thedevappsecguy | watchers:2
Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832
Log4J CVE-2021-44228 : Mitigation Cheat Sheet
Refrence: GitHub
0xsyr0 | watchers:8
Log4Shell
This repository contains all gathered resources we used during our Incident Reponse on CVE-2021-44228 and CVE-2021-45046 aka Log4Shell.
Refrence: GitHub
DXC-StrikeForce | watchers:8
Burp-Log4j-HammerTime
Burp Active Scan extension to identify Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046
Refrence: GitHub
logpresso | watchers:850
CVE-2021-44228-Scanner
Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Refrence: GitHub
TheInterception | watchers:4
Log4J-Simulation-Tool
Vulnerability analysis, patch management and exploitation tool forCVE-2021-44228 / CVE-2021-45046 / CVE-2021-4104
Refrence: GitHub
zhzyker | watchers:72
logmap
Log4j jndi injection fuzz tool
Refrence: GitHub
1lann | watchers:44
log4shelldetect
Rapidly scan filesystems for Java programs potentially vulnerable to Log4Shell (CVE-2021-44228) or "that Log4j JNDI exploit" by inspecting the class paths inside files
Refrence: GitHub
Qualys | watchers:154
log4jscanwin
Log4j Vulnerability Scanner for Windows
Refrence: GitHub
xsultan | watchers:14
log4jshield
Log4j Shield - fast ⚡, scalable and easy to use Log4j vulnerability CVE-2021-44228 finder and patcher
Refrence: GitHub
Puliczek | watchers:926
CVE-2021-44228-PoC-log4j-bypass-words
🐱💻 ✂️ 🤬 CVE-2021-44228 - LOG4J Java exploit - WAF bypass tricks
Refrence: GitHub
darkarnium | watchers:34
Log4j-CVE-Detect
Detections for CVE-2021-44228 inside of nested binaries
Refrence: GitHub
trickyearlobe | watchers:1
inspec-log4j
An Inspec profile to check for Log4j CVE-2021-44228 and CVE-2021-45046
Refrence: GitHub
DANSI | watchers:0
PowerShell-Log4J-Scanner
can find, analyse and patch Log4J files because of CVE-2021-44228, CVE-2021-45046
Refrence: GitHub
manishkanyal | watchers:1
log4j-scanner
A Log4j vulnerability scanner is used to identify the CVE-2021-44228 and CVE_2021_45046
Refrence: GitHub