SCA: security update for org.apache.logging.log4j:log4j-core, org.ops4j.pax.logging:pax-logging-log4j2 (GHSA-7rjr-3q55-vv33)

critical Tenable Cloud Security Plugin ID 412247

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-
default configurations. This could allows attackers with control over Thread Context Map (MDC) input data
when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for
example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input
data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some
environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix
this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
(CVE-2021-45046)

See Also

https://github.com/advisories/GHSA-7rjr-3q55-vv33

Plugin Details

Severity: Critical

ID: 412247

Version: Revision 1.14

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 8

Percentile: 99.68

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Temporal Score: 4.2

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-45046

CVSS v3

Risk Factor: Critical

Base Score: 9

Temporal Score: 8.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/14/2021

Vulnerability Publication Date: 12/10/2021

CISA Known Exploited Vulnerability Due Dates: 5/22/2023

Reference Information

CVE: CVE-2021-45046