CVE-2021-45046: Fix for CVE-2021-44228 (log4j 2.15.0) didn't fix it
I guess #1162 was just the first step … https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046.
TL;DR: log4j 2.16 stripped out the problem by removing support for message lookup patterns and disabling JNDI functionality by default.
Issue analytics: created 2 years ago; 8 comments (4 by maintainers).
Please note that CVE-2021-45046 is separate and does not have the same implications as CVE-2021-44228.
CVE-2021-45046 does not affect jitsi-videobridge or jigasi, because they don't use any of the related features in PatternLayout (jvb, jigasi). We're in the process of updating to 2.16.0 in any case.
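The comment above turns on whether a deployment's PatternLayout uses the feature CVE-2021-45046 names: a Thread Context Map lookup such as `$${ctx:loginId}` in the layout pattern, which 2.15.0 still evaluated per log event. As an added example (not code from the jitsi thread or the log4j project), the following Python check inspects a log4j2 XML configuration for that precondition; the two configurations are constructed for the demo, and `pattern_lookups` and `context_lookup_exposed` are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

# Any "${prefix:...}" or deferred "$${prefix:...}" lookup inside a layout
# pattern. The "ctx" prefix is the Thread Context Map lookup that
# CVE-2021-45046 describes for non-default PatternLayout configurations.
LOOKUP_RE = re.compile(r"\$\$?\{(\w+):")

# Constructed sample: a 2.15.0-style config that still embeds a ctx lookup
# in the pattern, so per-event substitution runs on caller-supplied data.
VULNERABLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p $${ctx:loginId} %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

# Constructed sample: the same field printed with the %X converter, which
# copies the context value into the line without lookup substitution.
SAFE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>%d %p %X{loginId} %c - %m%n</Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""


def pattern_lookups(config_xml):
    """Return (appender name, lookup prefix) for every lookup reference in a
    PatternLayout, whether given as a pattern attribute or a <Pattern> child."""
    root = ET.fromstring(config_xml)
    found = []
    for parent in root.iter():
        for layout in parent.findall("PatternLayout"):
            pattern = layout.get("pattern") or (layout.findtext("Pattern") or "")
            for prefix in LOOKUP_RE.findall(pattern):
                found.append((parent.get("name", parent.tag), prefix))
    return found


def context_lookup_exposed(config_xml):
    """True when any PatternLayout evaluates a ctx: lookup per event."""
    return any(prefix == "ctx" for _, prefix in pattern_lookups(config_xml))
```

A configuration that reports no `ctx` lookup matches the situation described for jvb and jigasi; upgrading to 2.16.0 removes the per-event lookup path regardless of the pattern.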
Has this update been released?