CVE-2021-44228 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2021-44228

CVE-2021-44228

December 10, 2021

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Affected Packages

org.apache.logging.log4j:log4j-core (JAVA):

Affected version(s) >=2.13.0 <2.15.0

Fix Suggestion:

Update to version 2.15.0

org.apache.logging.log4j:log4j-core (JAVA):

Affected version(s) >=2.0-beta9 <2.3.1

Fix Suggestion:

Update to version 2.3.1

org.apache.logging.log4j:log4j-core (JAVA):

Affected version(s) >=2.4 <2.12.2

Fix Suggestion:

Update to version 2.12.2

org.ops4j.pax.logging:pax-logging-log4j2 (JAVA):

Affected version(s) >=2.0.0 <2.0.11

Fix Suggestion:

Update to version 2.0.11

org.ops4j.pax.logging:pax-logging-log4j2 (JAVA):

Affected version(s)

Fix Suggestion:

Update to version 1.11.10

org.ops4j.pax.logging:pax-logging-log4j2 (JAVA):

Affected version(s)

Fix Suggestion:

Update to version 1.9.2

org.ops4j.pax.logging:pax-logging-log4j2 (JAVA):

Affected version(s)

Fix Suggestion:

Update to version 1.10.8

Related Resources (83)

http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html

https://www.oracle.com/security-alerts/cpujan2022.html

http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html

http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html

https://github.com/apache/logging-log4j2

https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB

https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html

http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html

http://seclists.org/fulldisclosure/2022/Dec/2

https://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html

http://www.openwall.com/lists/oss-security/2021/12/10/3

https://security.netapp.com/advisory/ntap-20211210-0007

http://seclists.org/fulldisclosure/2022/Jul/11

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44228

https://github.com/tangxiaofeng7/apache-log4j-poc

https://security-tracker.debian.org/tracker/CVE-2021-44228

http://seclists.org/fulldisclosure/2022/Mar/23

http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html

http://www.openwall.com/lists/oss-security/2021/12/10/2

http://www.openwall.com/lists/oss-security/2021/12/10/1

http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html

https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md

http://www.openwall.com/lists/oss-security/2021/12/15/3

http://www.openwall.com/lists/oss-security/2021/12/13/2

https://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html

https://github.com/cisagov/log4j-affected-db

https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://www.debian.org/security/2021/dsa-5020

https://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html

https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/

https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf

https://github.com/ops4j/org.ops4j.pax.logging

https://www.oracle.com/security-alerts/alert-cve-2021-44228.html

http://www.openwall.com/lists/oss-security/2021/12/13/1

https://twitter.com/kurtseifried/status/1469345530182455296

https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2

https://github.com/apache/logging-log4j2/pull/608

http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html

http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html

https://seclists.org/fulldisclosure/2022/Mar/23

https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228

https://seclists.org/fulldisclosure/2022/Dec/2

https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0

https://github.com/github/advisory-database/pull/5501

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/

http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html

http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM

https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001

http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html

http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html

https://support.apple.com/kb/HT213189

https://logging.apache.org/log4j/2.x/security.html

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html

https://github.com/ops4j/org.ops4j.pax.logging/security/advisories/GHSA-xxfh-x98p-j8fr

https://github.com/advisories/GHSA-7rjr-3q55-vv33

https://seclists.org/fulldisclosure/2022/Jul/11

https://www.oracle.com/security-alerts/cpuapr2022.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/

https://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html

https://www.kb.cert.org/vuls/id/930724

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM

https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

http://www.openwall.com/lists/oss-security/2021/12/14/4

https://issues.apache.org/jira/browse/LOG4J2-3221

https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup

http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html

http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html

https://issues.apache.org/jira/browse/LOG4J2-3214

https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf

https://security.netapp.com/advisory/ntap-20211210-0007/

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032

https://issues.apache.org/jira/browse/LOG4J2-3201

http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html

https://issues.apache.org/jira/browse/LOG4J2-3198

http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html

https://logging.apache.org/log4j/2.x/manual/migration.html

Do you need more information?

CVSS v4

Base Score:

10.0

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

HIGH

Subsequent System Integrity

HIGH

Subsequent System Availability

HIGH

Exploit Maturity

ATTACKED

CVSS v3

Base Score:

10.0

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Exploit Maturity

HIGH

CVSS v2

Base Score:

9.3

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

Weakness Type (CWE)

Uncontrolled Resource Consumption

Improper Input Validation

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Deserialization of Untrusted Data

EPSS

Base Score:

10.0