Attacker Value
(1 user assessed)
Very High
(1 user assessed)
User Interaction
Privileges Required
Attack Vector


Disclosure Date: December 14, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access


It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Add Assessment

Technical Analysis

Whilst this was originally considered a DoS vulnerability, new evidence has turned up as noted at and later at by Márcio Almeida that is possible to bypass the allowedLdapHost and allowedClasses checks in Log4J 2.15.0. to achieve RCE by simply modifying following PoC slightly:


This bypass works due to the call chain calling getHost() returning the value before the # sign as the real host, which will return However the actual JDNI/LDAP resolver will end up using the full hostname string, so provided you can get it to respond to the weird hostname, you should be good.

Further investigation however shows that this vulnerability is mostly mitigated by a few factors as noted by Kevin Beaumont at and in a further Twitter thread by @buherator at

Specifically the following restrictions apply:

  1. The vulnerability only applies in a nondefault configuration. Specifically %m{lookups} need to be enabled in the message log. On 2.15.0 message lookups come disabled by default, however previous versions may come shipped with this enabled by default.
  2. So far reliable RCE has only been demonstrated on MacOS, and most people aren’t going to be running critical apps on this device.
  3. Whilst it is possible to query the weird name LDAP name on other hosts, it appears, according to the thread at, that the Java resolver enforces restrictions that prevent the name from being resolved. Whilst is is possible to get around this, as noted at, it requires the DNS provider on the target system being set to a non-default provider.

It should be noted that developments on this are still ongoing so its likely the situation could change, however this is the latest info I have on this as of the evening of December 17th, 2021. Due to the restrictions I’m rating exploitability as very low as a lot of things must be true from the sounds of it for this to be exploitable, however if it is exploitable the impact is very high and is the same as the log4shell exploit.

It should be noted despite all this that there exists other issues within Log4j versions prior to 2.16 such as Praetorian’s demonstration of sensitive information exfiltration as noted at Therefore whilst this particular vulnerability may not be as impactful there are plenty of other reasons why you should upgrade to 2.16 or later of log4j if you haven’t already.

CVSS V3 Severity and Metrics
Base Score:
9.0 Critical
Impact Score:
Exploitability Score:
Attack Vector (AV):
Attack Complexity (AC):
Privileges Required (PR):
User Interaction (UI):
Scope (S):
Confidentiality (C):
Integrity (I):
Availability (A):

General Information


  • apache,
  • debian,
  • fedoraproject,
  • intel,
  • siemens,
  • sonicwall


  • 6bk1602-0aa12-0tp0 firmware,
  • 6bk1602-0aa22-0tp0 firmware,
  • 6bk1602-0aa32-0tp0 firmware,
  • 6bk1602-0aa42-0tp0 firmware,
  • 6bk1602-0aa52-0tp0 firmware,
  • audio development kit -,
  • captial,
  • captial 2019.1,
  • comos,
  • computer vision annotation tool -,
  • datacenter manager -,
  • debian linux 10.0,
  • debian linux 11.0,
  • desigo cc advanced reports 4.0,
  • desigo cc advanced reports 4.1,
  • desigo cc advanced reports 4.2,
  • desigo cc advanced reports 5.0,
  • desigo cc advanced reports 5.1,
  • desigo cc info center 5.0,
  • desigo cc info center 5.1,
  • e-car operation center,
  • email security,
  • energy engage 3.1,
  • energyip 8.5,
  • energyip 8.6,
  • energyip 8.7,
  • energyip 9.0,
  • energyip prepay 3.7,
  • energyip prepay 3.8,
  • fedora 34,
  • fedora 35,
  • genomics kernel library -,
  • gma-manager,
  • head-end system universal device integration system,
  • industrial edge management,
  • industrial edge management hub,
  • log4j,
  • log4j 2.0,
  • logo! soft comfort,
  • mendix,
  • mindsphere,
  • navigator,
  • nx,
  • oneapi -,
  • opcenter intelligence,
  • operation scheduler,
  • secure device onboard -,
  • sensor solution firmware development kit -,
  • sentron powermanager 4.1,
  • sentron powermanager 4.2,
  • siguard dsa 4.2,
  • siguard dsa 4.3,
  • siguard dsa 4.4,
  • sipass integrated 2.80,
  • sipass integrated 2.85,
  • siveillance command,
  • siveillance control pro,
  • siveillance identity 1.5,
  • siveillance identity 1.6,
  • siveillance vantage,
  • siveillance viewpoint,
  • solid edge cam pro,
  • solid edge harness design,
  • solid edge harness design 2020,
  • spectrum power 4,
  • spectrum power 4 4.70,
  • spectrum power 7,
  • spectrum power 7 2.30,
  • sppa-t3000 ses3000 firmware,
  • system debugger -,
  • system studio -,
  • teamcenter,
  • tracealertserverplus,
  • vesys,
  • vesys 2019.1,
  • xpedition enterprise -,
  • xpedition package integrator -



Additional Info

Technical Analysis