Apache Log4j2 Deserialization of Untrusted Data Vulnerability - 20230502002
Overview
CISA has added the Apache Log4j2 Deserialization of Untrusted Data Vulnerability to its Known Exploited Vulnerabilities Catalog.
In late 2021 it was discovered that the fix for CVE-2021-44228 in Apache Log4j2 was incomplete, leaving a deserialization of untrusted data vulnerability: in certain non-default configurations, the Thread Context Lookup Pattern remains vulnerable to remote code execution.
What is the vulnerability?
CVE-2021-45046 - CVSS v3 Base Score: 9.0
What is vulnerable?
The vulnerability affects the following products:
- Apache Log4j, versions 2.0 - 2.15.0
Please see the advisory page for more details: CVE-2021-45046
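To turn the two facts above (the affected version range, and the non-default Thread Context pattern that exposes the flaw) into something an administrator can run during an inventory sweep, here is an added Python example. It is not code from the WA SOC advisory or from the Apache project. It assumes a log4j-core jar carries the usual Maven `pom.properties` entry and the `JndiLookup.class` path (both are real paths in log4j-core builds), and the set of Thread Context pattern tokens it flags (`${ctx:...}`, `%X`, `%mdc`, `%MDC`) comes from the CVE-2021-45046 description, not from this advisory page. The sample jars are constructed in memory so the script runs offline.

```python
import io
import re
import zipfile

# Affected range as stated in the advisory (2.0 - 2.15.0, treated as inclusive on both ends).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 15, 0)

# Paths inside a real log4j-core jar: Maven build metadata and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# PatternLayout tokens that read from the Thread Context (MDC) map. Assumption: taken from the
# CVE-2021-45046 description, which names ${ctx:...}, %X, %mdc and %MDC; the advisory does not list them.
CONTEXT_TOKENS = re.compile(r"\$\$?\{ctx:|%X\b|%mdc\b|%MDC\b")


def parse_version(text):
    """Turn '2.15.0' (or '2.0-beta9', '2.12') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess_jar(jar_bytes):
    """Report the log4j-core version in a jar and whether it falls in the advisory's affected range.

    Returns a dict with 'version' (tuple or None), 'affected' (bool) and 'jndi_lookup_present' (bool).
    A jar with no log4j-core metadata is reported as version None / affected False; read that as
    'unknown', not 'safe', and review it by hand. Presence of JndiLookup.class only tells you the
    lookup code ships in the jar; the version decides whether the advisory's range applies.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
    affected = version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX
    return {
        "version": version,
        "affected": affected,
        "jndi_lookup_present": JNDI_LOOKUP in names,
    }


def pattern_uses_thread_context(pattern_layout):
    """True if a PatternLayout string pulls values from the Thread Context map.

    This is the non-default configuration the advisory refers to; a default-style pattern such as
    '%d %p %c - %m%n' returns False.
    """
    return CONTEXT_TOKENS.search(pattern_layout) is not None


def build_sample_jar(version, include_jndi_lookup=True):
    """Construct a minimal in-memory jar mimicking log4j-core's layout (sample data, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            POM_PROPS,
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        )
        if include_jndi_lookup:
            # Class-file magic bytes only; a placeholder standing in for the real class.
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.15.0", "2.17.1", "2.0-beta9"):
        print(v, assess_jar(build_sample_jar(v)))
    for p in ("%d %p %c - %m%n", "%d %X{loginId} %m%n", "$${ctx:loginId} %m%n"):
        print(repr(p), "uses Thread Context:", pattern_uses_thread_context(p))
```

On a real host, replace `build_sample_jar` with the bytes of each jar found on disk (including jars nested inside WAR/EAR archives) and pair the jar verdict with the PatternLayout check over each `log4j2.xml` or properties file: a jar in the affected range matters most where a Thread Context pattern is configured, but the advisory's recommendation is to update every affected jar regardless.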
What has been observed?
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing; however, the inclusion of the vulnerability on CISA's list indicates that it is still being actively exploited.
Recommendation
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices: Oracle