CVEID: CVE-2021-45046
Description: Apache Log4j is vulnerable to a denial of service, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. A remote attacker with control over Thread Context Map (MDC) input data or a Thread Context Map pattern to exploit this vulnerability to craft malicious input data using a JNDI Lookup pattern and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/215195 for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
=======================================================
https://logging.apache.org/log4j/2.x/security.html
Fixed in Log4j 2.12.2 and Log4j 2.16.0
CVE-2021-45046
CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.
Severity: Moderate
Base CVSS Score: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.
Apply the latest Control Center iFix - links below
[{"Type":"MASTER","Line of Business":{"code":"LOB59","label":"Sustainability Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS9GLA","label":"IBM Control Center"},"ARM Category":[{"code":"a8m0z000000cwVyAAI","label":"ENGINE"}],"ARM Case Number":"TS007808656","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1.2;6.1.3"},{"Type":"MASTER","Line of Business":{"code":"LOB59","label":"Sustainability Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSJC3O","label":"IBM Sterling Control Center Monitor"},"ARM Category":[{"code":"a8m0z000000cwVyAAI","label":"ENGINE"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"},{"Type":"MASTER","Line of Business":{"code":"LOB59","label":"Sustainability Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNG8A","label":"IBM Sterling Control Center Director"},"ARM Category":[{"code":"a8m0z000000cwVyAAI","label":"ENGINE"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]