Log4j 2.15.0 Security Patch Incomplete, CVE-2021-45046 Exposes Systems to Continued Risk

A critical security update for the ubiquitous Apache Log4j logging library has been found to be incomplete, leaving systems vulnerable to attack even after applying the initial patch. The vulnerability, tracked as CVE-2021-45046, is a follow-on flaw that undermines the fix for the original Log4Shell exploit (CVE-2021-44228). This means that organizations that patched to version 2.15.0 in response to the global emergency may still be exposed under certain non-default configurations, creating a dangerous false sense of security.

The issue resides in Apache Log4j 2.15.0. The incomplete fix allows attackers who can control Thread Context Map (MDC) input data to execute arbitrary code when a specific, non-default logging configuration is in use. This represents a significant escalation path for persistent threat actors who have been probing for Log4j vulnerabilities since the Log4Shell disclosure. The dependency update referenced in the GitHub pull request explicitly moves systems from the vulnerable version 2.14.1 to the secure version 2.25.4, bypassing the flawed 2.15.0 patch entirely.

The persistence of this vulnerability underscores the cascading nature of the Log4j crisis and the intense pressure on development and security teams to validate their remediation steps fully. It signals that the patching process is not a one-time event but requires continuous verification. For any organization using Java-based applications, this development necessitates an immediate audit to confirm that systems have been upgraded beyond 2.15.0 to a version that fully addresses both CVEs, such as 2.17.0 or later.