Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2021-45046
Summary
Apache Log4j was found to have an incomplete fix for CVE-2021-44228 in version 2.15.0 under certain non-default configurations. When the logging configuration uses a non-default "PatternLayout" with either a context lookup (for example, "${ctx:loginId}") or a Thread Context Map pattern (such as "%X", "%mdc", or "%MDC"), attackers with control over Thread Context Map (MDC) input data can craft malicious input using a JNDI lookup pattern. This may result in an information leak and remote code execution in some environments, and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for "message lookup patterns" and disabling "JNDI functionality" by default. This issue affects package log4j-core versions 2.0-beta9 through 2.3, 2.4 through 2.12.1, and 2.13.0 through 2.15.0, and the package org.ops4j.pax.logging:pax-logging-log4j2 versions 1.8.0 through 1.9.1, 1.10.0 through 1.10.7, 1.11.0 through 1.11.10, and 2.0.0 through 2.0.11.
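The summary gives a defender two concrete things to check: whether the deployed log4j-core or pax-logging-log4j2 version falls in an affected range, and whether the Log4j 2 configuration uses a PatternLayout that references the Thread Context Map ("%X", "%mdc", "%MDC") or a "${ctx:...}" lookup, since only such configurations expose MDC data to the lookup machinery. The following Python script is an added audit example, not code from the advisory or from the Log4j project. The package names, version boundaries and pattern tokens are taken from the summary; the sample XML and properties configurations are constructed for illustration, and the version comparator assumes only a single "-betaN" style pre-release suffix.

```python
"""Audit helpers for CVE-2021-45046 exposure.

Added example, not code from the advisory or the Log4j project. It encodes
two facts stated in the advisory summary:
  1. the affected version ranges of log4j-core and pax-logging-log4j2, and
  2. the PatternLayout constructs (%X, %mdc, %MDC, ${ctx:...}) that let
     Thread Context Map data reach the lookup machinery.
Sample configurations below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Inclusive version ranges, copied from the advisory summary.
AFFECTED_RANGES = {
    "log4j-core": [("2.0-beta9", "2.3"), ("2.4", "2.12.1"), ("2.13.0", "2.15.0")],
    "pax-logging-log4j2": [("1.8.0", "1.9.1"), ("1.10.0", "1.10.7"),
                           ("1.11.0", "1.11.10"), ("2.0.0", "2.0.11")],
}

# Thread Context Map pattern converters and the ctx lookup prefix.
CONTEXT_TOKEN = re.compile(r"%(?:X|mdc|MDC)(?![A-Za-z])|\$\{ctx:")


def version_key(version):
    """Sort key for versions like '2.12.1' or '2.0-beta9'. Assumption: at most
    one '-<tag><n>' pre-release suffix, which sorts before the release."""
    main, _, pre = version.partition("-")
    nums = tuple(int(part) for part in main.split("."))
    nums += (0,) * (3 - len(nums))
    if pre:
        m = re.match(r"([A-Za-z]+)(\d*)$", pre)
        if not m:
            raise ValueError(f"unrecognised pre-release suffix: {version}")
        return (nums, 0, m.group(1).lower(), int(m.group(2) or 0))
    return (nums, 1, "", 0)


def is_affected(package, version):
    """True if `version` of `package` falls inside an affected range."""
    if package not in AFFECTED_RANGES:
        raise ValueError(f"no range data for {package}")
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi)
               for lo, hi in AFFECTED_RANGES[package])


def _local_name(tag):
    # Strip any XML namespace prefix from an element tag.
    return tag.rsplit("}", 1)[-1]


def find_context_patterns(config_text):
    """Return [(pattern, [tokens])] for every layout pattern that references
    the Thread Context Map. Accepts Log4j 2 XML or .properties text."""
    findings = []
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError:
        root = None  # not XML: fall back to the properties format below

    if root is not None:
        for elem in root.iter():
            if _local_name(elem.tag) != "PatternLayout":
                continue
            candidates = [elem.attrib["pattern"]] if "pattern" in elem.attrib else []
            candidates += [c.text.strip() for c in elem
                           if _local_name(c.tag) == "Pattern" and c.text]
            for pattern in candidates:
                tokens = CONTEXT_TOKEN.findall(pattern)
                if tokens:
                    findings.append((pattern, tokens))
    else:
        for line in config_text.splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip().lower().endswith("pattern"):
                tokens = CONTEXT_TOKEN.findall(value.strip())
                if tokens:
                    findings.append((value.strip(), tokens))
    return findings


# Constructed sample configurations (not from any real deployment).
VULNERABLE_XML = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] %-5level %X{loginId} ${ctx:requestId} - %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>
"""

# Same layout with the MDC converter and ctx lookup removed.
SAFE_XML = VULNERABLE_XML.replace("%X{loginId} ${ctx:requestId} ", "")

VULNERABLE_PROPERTIES = """appender.console.type = Console
appender.console.name = STDOUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d [%t] %-5p %mdc{user} - %m%n
rootLogger.appenderRef.stdout.ref = STDOUT
"""

if __name__ == "__main__":
    for pkg, ver in [("log4j-core", "2.15.0"), ("log4j-core", "2.16.0"),
                     ("log4j-core", "2.12.2"), ("pax-logging-log4j2", "1.10.7")]:
        print(f"{pkg} {ver}: {'AFFECTED' if is_affected(pkg, ver) else 'not affected'}")
    for name, cfg in [("xml", VULNERABLE_XML), ("xml-safe", SAFE_XML),
                      ("properties", VULNERABLE_PROPERTIES)]:
        print(name, find_context_patterns(cfg) or "no context patterns")
```

A hit from `find_context_patterns` on an affected version means the configuration is in the non-default state the advisory describes, and the remediation is the one the summary names: upgrade to 2.16.0 (Java 8) or 2.12.2 (Java 7). A clean configuration on an affected version still warrants the upgrade, since the layout can be changed later without anyone revisiting the version.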
- HIGH
- NETWORK
- HIGH
- CHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
The software constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
Advisory Timeline
- Published