CVE-2021-45046 is an Apache Log4j 2 vulnerability caused by an incomplete fix for CVE-2021-44228 in Log4j 2.15.0. In certain non-default configurations, attacker-controlled data placed into the Thread Context Map (MDC) can still be interpreted through Pattern Layout features such as Context Lookup or Thread Context Map patterns. When malicious JNDI lookup syntax is embedded in that data, Log4j may perform unintended lookups despite the earlier mitigation, resulting in information disclosure and, in some environments, remote code execution. The issue affects deployments using vulnerable Log4j 2 releases where the logging configuration includes non-default Pattern Layout behavior involving context data. Apache addressed the issue in Log4j 2.16.0 for Java 8 and 2.12.2 for Java 7 by removing message lookup functionality and disabling JNDI by default.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (15 hidden).
This repository is a defensive Log4Shell lab rather than a standalone offensive exploit drop, but it does contain working exploit components. The structure combines: (1) a vulnerable target container (`log4shell-app`, based on a public Spring Boot Log4j 2.14.1 image), (2) an nginx reverse proxy with the Coraza WAF and OWASP CRS plus custom Log4Shell rules, (3) an attacker container that builds and packages multiple JNDI exploitation toolkits, and (4) Suricata/Wazuh monitoring for network and SIEM visibility. The main exploit capability lives under `attacker/`. `attacker/exploit-classes/Exploit.java` is a malicious Java class intended to be loaded through a JNDI/LDAP reference. Its static initializer executes immediately on class load and performs proof-of-exploitation actions: OS-specific command execution to write a marker file, creation of `/tmp/log4shell-exploited.txt`, and an optional reverse shell routine that connects to `172.20.0.2:4444`. There is also a stubbed environment-information collection method. This makes the repo more than a detector: it includes an actual RCE payload class. `attacker/scripts/start-ldap-server.sh` operationalizes exploitation by launching one of three JNDI infrastructures: marshalsec, JNDI-Exploit-Kit, or rogue-jndi. These are configured to serve the malicious class or execute simple commands/callbacks. `attacker/scripts/test-payloads.sh` is a payload spray/test harness that sends many Log4Shell payload variants to the nginx proxy using common injection points such as `User-Agent` and `X-Forwarded-For`. It includes LDAP, RMI, DNS, nested-expression, env/sys fallback, Unicode, whitespace, and colon-dash obfuscation variants. This script is primarily for validation of WAF/IDS coverage, but it also demonstrates realistic attack strings. The rest of the repository is focused on detection and containment. `coraza/config/log4shell-rules.conf` defines custom Coraza rules for standard and obfuscated JNDI patterns, alternate protocols, JSON/XML body inspection, and anomaly-score blocking. `nginx/` contains a multi-stage Docker build that compiles libcoraza and the coraza-nginx module, installs OWASP CRS, and exposes HTTP/HTTPS reverse proxying to the vulnerable app. `suricata/rules/log4shell.rules` adds network signatures for inbound JNDI payloads and outbound LDAP/RMI/DNS/HTTP callbacks that would indicate successful exploitation. Overall purpose: provide an isolated lab to demonstrate the full Log4Shell attack chain and, more importantly, how nginx+Coraza and Suricata can detect/block it. Because the repository includes a real malicious Java payload and scripts to stand up LDAP/JNDI exploit servers, it should be classified as a valid exploit-capable lab with operational payloads, not merely documentation or a pure detection script.
This repository is a proof-of-concept (PoC) exploit for CVE-2021-45046, a vulnerability in Apache Log4j 2.15.0 related to incomplete fixes for the original Log4Shell issue. The repository contains a simple Java web application using Log4j 2.15.0, with a vulnerable logging configuration (PatternLayout with Context Lookup) defined in 'log4j2.xml'. The main Java class ('Test.java') demonstrates how ThreadContext can be manipulated to inject a lookup string, and then logs an error message, which would trigger the vulnerable code path. The README provides background on the vulnerability and an example JNDI payload string that could be used to exploit the issue. The repository structure includes standard Java Maven project files, configuration files, and a JSP file that also performs logging. The exploit demonstrates how an attacker could leverage crafted input to trigger a JNDI lookup, potentially leading to remote code execution or denial of service on vulnerable systems.
This repository provides a Python script ('Log4Shell-obfuscated-payloads-generator.py') that generates obfuscated payloads for exploiting the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046) in Apache Log4j. The script supports generating both 'primary' and 'secondary' obfuscated payloads, which are designed to evade Web Application Firewalls (WAFs) by using various string obfuscation techniques. Payload templates and obfuscation patterns are stored in separate template files, allowing for flexible and randomized payload generation. The main script takes command-line arguments to specify the type and number of payloads to generate, as well as the attacker's callback server (typically a DNS or LDAP server under the attacker's control). The generated payloads are intended for use in penetration testing or red teaming to test the effectiveness of WAFs and detection systems against Log4Shell-style attacks. The repository is well-structured, with clear separation between code, templates, and documentation (including both English and Chinese README files).
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
36 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical vulnerability patched in Oracle Fusion Middleware that can lead to remote code execution.
A Log4j-related vulnerability listed among issues suspected to be exploited by Iran-linked actors; the content groups it with legacy but widely exploitable Log4j issues.
Apache Log4j vulnerability referenced alongside Log4Shell in the content (no additional details provided).
A Log4j vulnerability used alongside CVE-2021-44228 to compromise a VMware Horizon server in the intrusion described.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.