CVSS V2 Severity
ACCESS-COMPLEXITY:HIGH
ACCESS-VECTOR:NETWORK
AUTHENTICATION:NONE
AVAILABILITY-IMPACT:PARTIAL
CONFIDENTIALITY-IMPACT:PARTIAL
INTEGRITY-IMPACT:PARTIAL
SCORE:5.1
VECTORSTRING:AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSS V3 Severity
ATTACK COMPLEXITY:HIGH
ATTACK VECTOR:NETWORK
AVAILABILITY IMPACT:HIGH
BASE SCORE:9
BASE SEVERITY:CRITICAL
CONFIDENTIALITY IMPACT:HIGH
INTEGRITY IMPACT:HIGH
PRIVILEGES REQUIRED:NONE
USER INTERACTION:NONE
EXPLOITABILITY SCORE:2.2
IMPACT SCORE:6
CVE Overview
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
CWE:https://cwe.mitre.org/data/definitions/502.html
CVE:CVE-2021-45046
CREATION DATE:Dec. 14, 2021, 7:15 PM
LAST MODIFIED DATE:Dec. 27, 2021, 3:15 AM
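A configuration audit for the conditions named in the CVE overview, as an added example (not part of the original record or of Log4j): it flags Pattern Layouts that contain a Context Lookup or a Thread Context Map pattern when the Log4j version predates the fixed releases. The function names, the sample XML, and the assumption that later releases on the 2.12.x and 2.16+ lines keep the fix are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Layout constructs the CVE overview names as the non-default, risky ones.
CTX_LOOKUP = re.compile(r"\$\{ctx:[^}]*\}")  # also matches the $${ctx:...} form
# %X, %mdc, %MDC with optional width modifier and {key}; "%%X" (escaped percent)
# is deliberately still reported: a false positive is cheaper than a miss.
MDC_PATTERN = re.compile(r"%(?:-?\d+(?:\.\d+)?)?(?:X|mdc|MDC)(?:\{[^}]*\})?")

def is_fixed_version(version):
    """True for 2.16.0+ or the 2.12.x line from 2.12.2 (the fixes in the overview).
    Assumption: later releases on those lines keep the fix."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    if parts[:2] == (2, 12):
        return parts >= (2, 12, 2)
    return parts >= (2, 16, 0)

def risky_tokens(pattern):
    """Return Context Lookups and Thread Context Map converters in a layout pattern."""
    return CTX_LOOKUP.findall(pattern) + MDC_PATTERN.findall(pattern)

def audit_config(xml_text, version):
    """Return (pattern, tokens) for each PatternLayout that needs review."""
    if is_fixed_version(version):
        return []
    findings = []
    for layout in ET.fromstring(xml_text).iter("PatternLayout"):
        # The pattern may be an attribute or a nested <Pattern> element.
        patterns = [layout.get("pattern")] + [p.text for p in layout.iter("Pattern")]
        for pat in filter(None, patterns):
            tokens = risky_tokens(pat)
            if tokens:
                findings.append((pat.strip(), tokens))
    return findings

# Constructed sample configuration (not taken from the page).
SAMPLE = """<Configuration>
  <Appenders>
    <Console name="a"><PatternLayout pattern="%d %p ${ctx:loginId} %m%n"/></Console>
    <Console name="b"><PatternLayout><Pattern>%d %X{user} %m%n</Pattern></PatternLayout></Console>
    <Console name="c"><PatternLayout pattern="%d %p %c - %m%n"/></Console>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for pat, tokens in audit_config(SAMPLE, "2.15.0"):
        print(f"review: {pat!r} uses {tokens}")
```

A clean result only means these layout constructs were not found in the file given; upgrading to a fixed release remains the remediation the record describes.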
Vulnerable VMware Horizon servers are at risk of being infected with ransomware because of security flaws in Log4j, according to a recently published blog post on the issue. VMware Horizon server versions 7.x and 8.x are susceptible to two of the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046). Security experts stated that an attack group has been exploiting these flaws to install webshells on compromised servers.