Apache Log4j Critical Flaw CVE-2021-45046: Incomplete Patch in log4j-core-2.6.1.jar Exposes Systems

A critical vulnerability, CVE-2021-45046, has been detected in the Apache Log4j library, specifically in version log4j-core-2.6.1.jar. This flaw represents an incomplete fix for the previously disclosed CVE-2021-44228 (Log4Shell), leaving systems vulnerable under specific configurations. The vulnerability is not theoretical; it is actively flagged in dependency scans, indicating its presence in live codebases and posing an immediate, high-severity risk to any application using the affected library.

The core of the issue lies in non-default logging configurations. When a system uses a Pattern Layout that includes a Context Lookup (like $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), attackers with control over Thread Context Map (MDC) input data can exploit this. They can craft malicious input using a JNDI Lookup pattern, which could lead to information leakage and remote code execution. This means the attack surface, while conditional, remains dangerously broad for many enterprise applications that utilize these advanced logging features for diagnostics or user tracking.

The persistence of this vulnerability in widely used versions like 2.6.1 underscores a cascading failure in the initial patch cycle. It forces organizations that believed they were patched to re-audit their entire Log4j deployment, configuration files, and dependency trees. The pressure is now on development and security teams to not only upgrade to Log4j 2.17.0 or later but also to meticulously review and potentially reconfigure their logging setups to close this secondary attack vector, a process that is often more complex and time-consuming than a simple library update.