Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2021-44832

UNKNOWN
Published 2021-12-28T19:35:11
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2021-44832. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Apache Software Foundation

Apache Log4j2

Affected Versions:

log4j-core

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Improper Input Validation and Injection in Apache Log4j2

GHSA-8489-44mv-ggj8

Advisory Details

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to an attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. # Affected packages Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use. This issue does not impact default configurations of Log4j2 and requires an attacker to have control over the Log4j2 configuration, which reduces the likelihood of being exploited.

Affected Packages

Maven org.apache.logging.log4j:log4j-core
ECOSYSTEM: ≥2.0-beta7 <2.3.2
Maven org.apache.logging.log4j:log4j-core
ECOSYSTEM: ≥2.4 <2.12.4
Maven org.apache.logging.log4j:log4j-core
ECOSYSTEM: ≥2.13.0 <2.17.1
Maven org.ops4j.pax.logging:pax-logging-log4j2
ECOSYSTEM: ≥1.8.0 <1.9.2
Maven org.ops4j.pax.logging:pax-logging-log4j2
ECOSYSTEM: ≥1.10.0 <1.10.9
Maven org.ops4j.pax.logging:pax-logging-log4j2
ECOSYSTEM: ≥1.11.0 <1.11.13
Maven org.ops4j.pax.logging:pax-logging-log4j2
ECOSYSTEM: ≥2.0.0 <2.0.14

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-44832
WEB https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
PACKAGE https://github.com/apache/logging-log4j2
WEB https://issues.apache.org/jira/browse/LOG4J2-3293
WEB https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
WEB https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC
WEB https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
WEB https://security.netapp.com/advisory/ntap-20220104-0001
WEB https://www.oracle.com/security-alerts/cpuapr2022.html
WEB https://www.oracle.com/security-alerts/cpujan2022.html
WEB https://www.oracle.com/security-alerts/cpujul2022.html
WEB http://www.openwall.com/lists/oss-security/2021/12/28/1

Advisory provided by GitHub Security Advisory Database. Published: January 4, 2022, Modified: May 9, 2025

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
https://issues.apache.org/jira/browse/LOG4J2-3293
http://www.openwall.com/lists/oss-security/2021/12/28/1
https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/
https://www.oracle.com/security-alerts/cpujan2022.html
https://security.netapp.com/advisory/ntap-20220104-0001/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
Published: 2021-12-28T19:35:11
Last Modified: 2024-08-04T04:32:13.076Z
Copied to clipboard!