
CVE-2021-45046: Incomplete fix for Apache Log4j vulnerability

CVSS Score (v3.1): 9.1

Basic Information

EPSS Score: 0.99945%
Published: 12/14/2021
Updated: 6/27/2024
KEV Status: Yes
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| org.apache.logging.log4j:log4j-core | maven | >= 2.13.0, < 2.16.0 | 2.16.0 |
| org.apache.logging.log4j:log4j-core | maven | < 2.12.2 | 2.12.2 |

Vulnerability Intelligence
Root Cause Analysis

The analysis is based on the information provided about the vulnerability and the patches. The JndiLookup class and its lookup() function are directly implicated in the handling of JNDI lookups, making them a primary focus for the vulnerability. The patches and descriptions highlight the importance of this class in addressing the vulnerability.
