Apache Log4j2 Deserialization of Untrusted Data Vulnerability

Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.

Published Dec 14, 2021 · Updated May 16, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. CISA has confirmed use of this vulnerability in known ransomware campaigns — treat as high priority for remediation. Federal agencies are required to remediate by 2023-05-22 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Software Vulnerability (CWE-917) (CWE-917) vulnerability in Apache Log4j2. It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default. Exploitation requires remote network access, higher attack complexity, no authentication required, and no user interaction required.

📧

Phishing link

→

🖼

Malicious file

🔓

Server compromised

Am I affected?Quick check

Probably yes if any of these apply:

●IT Security

●Running log4j: 2.0.1 ≤ v < 2.12.2, 2.13.0 ≤ v < 2.16.0, 2.0; computer vision annotation tool: -; audio development kit: -; datacenter manager: -; genomics kernel library: -; oneapi: -; secure device onboard: -; sensor solution firmware development kit: -; system debugger: -; system studio: -; captial: v < 2019.1, 2019.1; desigo cc advanced reports: 4.0, 4.1, 4.2, 5.0, 5.1; desigo cc info center: 5.0, 5.1; e-car operation center: v < 2021-12-13; energy engage: 3.1; energyip: 8.5, 8.6, 8.7, 9.0; energyip prepay: 3.7, 3.8; gma-manager: v < 8.6.2j-398; industrial edge management hub: v < 2021-12-13; mindsphere: v < 2021-12-11; navigator: v < 2021-12-13; opcenter intelligence: v ≤ 3.2; operation scheduler: v ≤ 1.1.3; sentron powermanager: 4.1, 4.2; siguard dsa: 4.2, 4.3, 4.4; sipass integrated: 2.80, 2.85; siveillance command: v ≤ 4.16.2.1; siveillance identity: 1.5, 1.6; solid edge harness design: v < 2020, 2020; spectrum power 4: v < 4.70, 4.70; spectrum power 7: v < 2.30, 2.30; vesys: v < 2019.1, 2019.1; xpedition enterprise: -; xpedition package integrator: -; debian linux: 10.0, 11.0; email security: v < 10.0.12; fedora: 34, 35; 6bk1602-0aa12-0tp0 firmware: v < 2.7.0; 6bk1602-0aa22-0tp0 firmware: v < 2.7.0; 6bk1602-0aa32-0tp0 firmware: v < 2.7.0; 6bk1602-0aa42-0tp0 firmware: v < 2.7.0; 6bk1602-0aa52-0tp0 firmware: v < 2.7.0

Real-world incidentsWhat we've seen

CISA confirms this CVE has been used in known ransomware campaigns. Added to the KEV catalog on 2023-05-01; federal agencies required to remediate by 2023-05-22.

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply updates per vendor instructions.

References

Vendor advisory: https://logging.apache.org/log4j/2.x/security.html

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-45046

CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45046

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2021-45046 ↗ NVD ↗ Vendor Advisory