Apache Log4j 2.6.1 Contains Critical Incomplete Fix for CVE-2021-45046

A critical vulnerability, CVE-2021-45046, has been detected in the Apache Log4j library version 2.6.1. This flaw represents an incomplete fix for the previously disclosed CVE-2021-44228 (Log4Shell), meaning systems thought to be patched may still be exposed to remote code execution. The vulnerability resides specifically in the `log4j-core-2.6.1.jar` file, a core component of the widely used Java logging framework.

The security gap is triggered in specific, non-default logging configurations. Attackers who can control Thread Context Map (MDC) input data can exploit the flaw when the configuration uses a non-default Pattern Layout with a Context Lookup (e.g., $${ctx:loginId}) or a Thread Context Map pattern like %X, %mdc, or %MDC. This allows for the crafting of malicious input that can lead to remote code execution, bypassing the initial patch. The vulnerability's presence in a foundational library like Log4j, embedded in countless enterprise applications and services, creates a massive, cascading supply-chain risk.

This discovery signals intense, ongoing pressure on organizations to perform deeper dependency scans and verify their patch levels. The fact that a 'fix' was incomplete underscores the complexity of securing ubiquitous software components and the persistent threat of residual attack surfaces. System administrators and security teams must immediately audit their Log4j implementations, moving beyond version 2.15.0 to the latest secure releases, and scrutinize any non-default logging configurations that could serve as an entry point.