Test ID:	1.3.6.1.4.1.25623.1.0.117904
Category:	Web application abuses
Title:	Apache Struts 2.5.x < 2.5.28.1 Log4j RCE Vulnerability
Summary:	Apache Struts is prone to a remote code execution (RCE); vulnerability in the Apache Log4j library.
Description:	Summary: Apache Struts is prone to a remote code execution (RCE) vulnerability in the Apache Log4j library. Vulnerability Insight: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Affected Software/OS: Apache Struts version 2.5.x prior to 2.5.28.1. Solution: Update to version 2.5.28.1 or later. CVSS Score: 5.1 CVSS Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2021-45046 https://security.gentoo.org/glsa/202310-16 20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd DSA-5022 https://www.debian.org/security/2021/dsa-5022 FEDORA-2021-5c9d12a93e https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/ FEDORA-2021-abbe24e41c https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/ VU#930724 https://www.kb.cert.org/vuls/id/930724 [oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack http://www.openwall.com/lists/oss-security/2021/12/14/4 [oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack http://www.openwall.com/lists/oss-security/2021/12/15/3 [oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack http://www.openwall.com/lists/oss-security/2021/12/18/1 https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf https://logging.apache.org/log4j/2.x/security.html https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 https://www.cve.org/CVERecord?id=CVE-2021-44228 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html https://www.oracle.com/security-alerts/alert-cve-2021-44228.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpujul2022.html
Copyright	Copyright (C) 2022 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.