Log4j CVE-2021-45046: Critical RCE Flaw Persists After Log4Shell Patch, Forces Upgrade to 2.17.1

A critical vulnerability tracked as CVE-2021-45046 has exposed an incomplete fix for the notorious Log4Shell vulnerability in Apache Log4j, leaving systems at risk of remote code execution even after organizations applied initial patches. Rated at CVSS 9.0 severity, the flaw affects org.apache.logging.log4j:log4j-core and reveals that the remediation released in version 2.15.0 failed to fully address the underlying attack vector in certain non-default configurations.

The vulnerability specifically targets systems where the logging configuration uses a non-default Pattern Layout with either a Context Lookup or a Thread Context Map pattern. Attackers who gain control over Thread Context Map (MDC) input data can craft malicious payloads using JNDI Lookup patterns, resulting in information disclosure and code execution. The scope is severe: remote code execution is possible in some environments, while local code execution can be achieved in all affected configurations. This demonstrates that the original Log4Shell fix left a significant attack surface intact.

Organizations running Log4j versions between 2.15.0 and 2.17.0 remain exposed. The remediation requires upgrading both log4j-api and log4j-core to version 2.17.1 or later. Security teams should audit all applications using Log4j, particularly those with custom Pattern Layout configurations, and verify that MDC input data is properly sanitized. The incident underscores the difficulty of fully eradicating complex injection vulnerabilities and the importance of comprehensive testing after security patches are deployed.