Apache Revises CVE-2021-45046 Severity, Log4j 2.16.0 Still the Recommended Fix
On December 17, Apache updated the severity of CVE-2021-45046 to Critical with an updated CVSSv3 score of 9.0. According to the updates, under non-default configurations, information leak and remote code execution (RCE) are possible. Apache notes that RCE has only been demonstrated on macOS at this time, but other environments have not yet been fully tested. At this time, the recommended update of 2.16.0 still applies for users of Java 8 or later. Java 7 users should upgrade to release 2.12.0, according to Apache.
More information about this and continuous updates from Apache can be found here. The plugins released for CVE-2021-45046 will be updated to reflect the new severity and CVSS scoring from Apache as soon as possible.
The list of Tenable plugins to identify this vulnerability can be found here as they’re released.
For more information about Log4Shell, please visit our blog. Please note that an additional blog post to provide more clarity around the latest CVEs impacting Log4j will be released later today.