Vulnerability DatabaseCVE-2021-44832
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2021-44832
December 28, 2021
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Affected Packages
org.ops4j.pax.logging:pax-logging-log4j2 (JAVA):
Affected version(s) >=2.0.0 <2.0.14
Fix Suggestion:
Update to version 2.0.14
org.ops4j.pax.logging:pax-logging-log4j2 (JAVA):
Affected version(s) >=1.11.0 <1.11.13
Fix Suggestion:
Update to version 1.11.13
org.apache.logging.log4j:log4j-core (JAVA):
Affected version(s) >=2.4 <2.12.4
Fix Suggestion:
Update to version 2.12.4
org.apache.logging.log4j:log4j-core (JAVA):
Affected version(s) >=2.0-beta7 <2.3.2
Fix Suggestion:
Update to version 2.3.2
org.ops4j.pax.logging:pax-logging-log4j2 (JAVA):
Affected version(s) >=1.10.0 <1.10.9
Fix Suggestion:
Update to version 1.10.9
org.apache.logging.log4j:log4j-core (JAVA):
Affected version(s) >=2.13.0 <2.17.1
Fix Suggestion:
Update to version 2.17.1
org.ops4j.pax.logging:pax-logging-log4j2 (JAVA):
Affected version(s) >=1.8.0 <1.9.2
Fix Suggestion:
Update to version 1.9.2
Related ResourcesĀ (18)
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
https://www.oracle.com/security-alerts/cpujan2022.html
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
https://www.oracle.com/security-alerts/cpujul2022.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/
https://nvd.nist.gov/vuln/detail/CVE-2021-44832
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA
https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/
http://www.openwall.com/lists/oss-security/2021/12/28/1
https://security.netapp.com/advisory/ntap-20220104-0001
https://www.oracle.com/security-alerts/cpuapr2022.html
https://issues.apache.org/jira/browse/LOG4J2-3293
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC
https://github.com/apache/logging-log4j2
https://security.netapp.com/advisory/ntap-20220104-0001/
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
ATTACKED
CVSS v3
Base Score:
6.6
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Exploit Maturity
HIGH
CVSS v2
Base Score:
8.5
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
Weakness Type (CWE)
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-74
Improper Input Validation
CWE-20
EPSS
Base Score:
10.0