CVE-2021-44832

Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

Severity Score

6.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Las versiones de Apache Log4j2 de la 2.0-beta7 a la 2.17.0 (excluyendo las versiones de corrección de seguridad 2.3.2 y 2.12.4) son vulnerables a un ataque de ejecución remota de código (RCE) cuando una configuración utiliza un JDBC Appender con un URI de origen de datos JNDI LDAP cuando un atacante tiene el control del servidor LDAP de destino. Este problema se soluciona limitando los nombres de fuentes de datos JNDI al protocolo java en las versiones 2.17.1, 2.12.4 y 2.3.2 de Log4j2

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-12-11 CVE Reserved
2021-12-28 CVE Published
2022-01-03 First Exploit
2024-04-18 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-20: Improper Input Validation
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CAPEC

References (15)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2021/12/28/1	Mailing List
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html	Mailing List
https://security.netapp.com/advisory/ntap-20220104-0001	Third Party Advisory

URL	Date	SRC
https://github.com/thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832	2022-01-03

URL	Date	SRC
https://issues.apache.org/jira/browse/LOG4J2-3293	2023-11-07
https://www.oracle.com/security-alerts/cpuapr2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpujan2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpujul2022.html	2023-11-07

URL	Date	SRC
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC	2023-11-07
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd	2023-11-07
https://access.redhat.com/security/cve/CVE-2021-44832	2022-04-11
https://bugzilla.redhat.com/show_bug.cgi?id=2035951	2022-04-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Log4j Search vendor "Apache" for product "Log4j"				>= 2.0.1 < 2.3.2 Search vendor "Apache" for product "Log4j" and version " >= 2.0.1 < 2.3.2"		-		Affected
Apache Search vendor "Apache"		Log4j Search vendor "Apache" for product "Log4j"				>= 2.4 < 2.12.4 Search vendor "Apache" for product "Log4j" and version " >= 2.4 < 2.12.4"		-		Affected
Apache Search vendor "Apache"		Log4j Search vendor "Apache" for product "Log4j"				>= 2.13.0 < 2.17.1 Search vendor "Apache" for product "Log4j" and version " >= 2.13.0 < 2.17.1"		-		Affected
Apache Search vendor "Apache"		Log4j Search vendor "Apache" for product "Log4j"				2.0 Search vendor "Apache" for product "Log4j" and version "2.0"		-		Affected
Apache Search vendor "Apache"		Log4j Search vendor "Apache" for product "Log4j"				2.0 Search vendor "Apache" for product "Log4j" and version "2.0"		beta7		Affected
Apache Search vendor "Apache"		Log4j Search vendor "Apache" for product "Log4j"				2.0 Search vendor "Apache" for product "Log4j" and version "2.0"		beta8		Affected
Apache Search vendor "Apache"		Log4j Search vendor "Apache" for product "Log4j"				2.0 Search vendor "Apache" for product "Log4j" and version "2.0"		beta9		Affected
Apache Search vendor "Apache"		Log4j Search vendor "Apache" for product "Log4j"				2.0 Search vendor "Apache" for product "Log4j" and version "2.0"		rc1		Affected
Apache Search vendor "Apache"		Log4j Search vendor "Apache" for product "Log4j"				2.0 Search vendor "Apache" for product "Log4j" and version "2.0"		rc2		Affected
Oracle Search vendor "Oracle"		Communications Diameter Signaling Router Search vendor "Oracle" for product "Communications Diameter Signaling Router"				>= 8.0.0.0 <= 8.5.1.0 Search vendor "Oracle" for product "Communications Diameter Signaling Router" and version " >= 8.0.0.0 <= 8.5.1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Interactive Session Recorder Search vendor "Oracle" for product "Communications Interactive Session Recorder"				6.3 Search vendor "Oracle" for product "Communications Interactive Session Recorder" and version "6.3"		-		Affected
Oracle Search vendor "Oracle"		Communications Interactive Session Recorder Search vendor "Oracle" for product "Communications Interactive Session Recorder"				6.4 Search vendor "Oracle" for product "Communications Interactive Session Recorder" and version "6.4"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 17.12.0 <= 17.12.11 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 17.12.0 <= 17.12.11"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 18.8.0 <= 18.8.13 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 18.8.0 <= 18.8.13"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 19.12.0 <= 19.12.12 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 19.12.0 <= 19.12.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 20.12.0 <= 20.12.7 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 20.12.0 <= 20.12.7"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				21.12.0 Search vendor "Oracle" for product "Primavera Gateway" and version "21.12.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				>= 19.12.0 <= 19.12.18.0 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version " >= 19.12.0 <= 19.12.18.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				>= 20.12.0.0 <= 20.12.12.0 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version " >= 20.12.0.0 <= 20.12.12.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				21.12.0.0 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version "21.12.0.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				18.8 Search vendor "Oracle" for product "Primavera Unifier" and version "18.8"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				19.12 Search vendor "Oracle" for product "Primavera Unifier" and version "19.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				20.12 Search vendor "Oracle" for product "Primavera Unifier" and version "20.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				21.12 Search vendor "Oracle" for product "Primavera Unifier" and version "21.12"		-		Affected
Oracle Search vendor "Oracle"		Retail Assortment Planning Search vendor "Oracle" for product "Retail Assortment Planning"				16.0.3 Search vendor "Oracle" for product "Retail Assortment Planning" and version "16.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Fiscal Management Search vendor "Oracle" for product "Retail Fiscal Management"				14.2 Search vendor "Oracle" for product "Retail Fiscal Management" and version "14.2"		-		Affected
Oracle Search vendor "Oracle"		Siebel Ui Framework Search vendor "Oracle" for product "Siebel Ui Framework"				21.12 Search vendor "Oracle" for product "Siebel Ui Framework" and version "21.12"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.3.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.4.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				14.1.1.0.0 Search vendor "Oracle" for product "Weblogic Server" and version "14.1.1.0.0"		-		Affected
Cisco Search vendor "Cisco"		Cloudcenter Search vendor "Cisco" for product "Cloudcenter"				4.10.0.16 Search vendor "Cisco" for product "Cloudcenter" and version "4.10.0.16"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Brm - Elastic Charging Engine Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine"				< 12.0.0.4.6 Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine" and version " < 12.0.0.4.6"		-		Affected
Oracle Search vendor "Oracle"		Communications Brm - Elastic Charging Engine Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine"				12.0.0.5.0 Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine" and version "12.0.0.5.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Diameter Signaling Router Search vendor "Oracle" for product "Communications Diameter Signaling Router"				>= 8.3.0.0 <= 8.5.1.0 Search vendor "Oracle" for product "Communications Diameter Signaling Router" and version " >= 8.3.0.0 <= 8.5.1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Interactive Session Recorder Search vendor "Oracle" for product "Communications Interactive Session Recorder"				6.3 Search vendor "Oracle" for product "Communications Interactive Session Recorder" and version "6.3"		-		Affected
Oracle Search vendor "Oracle"		Communications Interactive Session Recorder Search vendor "Oracle" for product "Communications Interactive Session Recorder"				6.4 Search vendor "Oracle" for product "Communications Interactive Session Recorder" and version "6.4"		-		Affected
Oracle Search vendor "Oracle"		Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller"				< 12.0.0.4.4 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version " < 12.0.0.4.4"		-		Affected
Oracle Search vendor "Oracle"		Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller"				12.0.0.5.0 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version "12.0.0.5.0"		-		Affected
Oracle Search vendor "Oracle"		Flexcube Private Banking Search vendor "Oracle" for product "Flexcube Private Banking"				12.1.0 Search vendor "Oracle" for product "Flexcube Private Banking" and version "12.1.0"		-		Affected
Oracle Search vendor "Oracle"		Health Sciences Data Management Workbench Search vendor "Oracle" for product "Health Sciences Data Management Workbench"				2.5.2.1 Search vendor "Oracle" for product "Health Sciences Data Management Workbench" and version "2.5.2.1"		-		Affected
Oracle Search vendor "Oracle"		Health Sciences Data Management Workbench Search vendor "Oracle" for product "Health Sciences Data Management Workbench"				3.0.0.0 Search vendor "Oracle" for product "Health Sciences Data Management Workbench" and version "3.0.0.0"		-		Affected
Oracle Search vendor "Oracle"		Health Sciences Data Management Workbench Search vendor "Oracle" for product "Health Sciences Data Management Workbench"				3.1.0.3 Search vendor "Oracle" for product "Health Sciences Data Management Workbench" and version "3.1.0.3"		-		Affected
Oracle Search vendor "Oracle"		Policy Automation Search vendor "Oracle" for product "Policy Automation"				>= 12.2.0 <= 12.2.24 Search vendor "Oracle" for product "Policy Automation" and version " >= 12.2.0 <= 12.2.24"		-		Affected
Oracle Search vendor "Oracle"		Policy Automation For Mobile Devices Search vendor "Oracle" for product "Policy Automation For Mobile Devices"				>= 12.2.0 <= 12.2.24 Search vendor "Oracle" for product "Policy Automation For Mobile Devices" and version " >= 12.2.0 <= 12.2.24"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 17.12.0 <= 17.12.11 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 17.12.0 <= 17.12.11"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 18.8.0 <= 18.8.13 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 18.8.0 <= 18.8.13"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 19.12.0 <= 19.12.12 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 19.12.0 <= 19.12.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 20.12.0 <= 20.12.7 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 20.12.0 <= 20.12.7"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				21.12.0 Search vendor "Oracle" for product "Primavera Gateway" and version "21.12.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				>= 19.12.0.0 <= 19.12.18.0 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version " >= 19.12.0.0 <= 19.12.18.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				>= 20.12.0.0 <= 20.12.12.0 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version " >= 20.12.0.0 <= 20.12.12.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				21.12.0.0 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version "21.12.0.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				18.8 Search vendor "Oracle" for product "Primavera Unifier" and version "18.8"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				19.12 Search vendor "Oracle" for product "Primavera Unifier" and version "19.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				20.12 Search vendor "Oracle" for product "Primavera Unifier" and version "20.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				21.12 Search vendor "Oracle" for product "Primavera Unifier" and version "21.12"		-		Affected
Oracle Search vendor "Oracle"		Product Lifecycle Analytics Search vendor "Oracle" for product "Product Lifecycle Analytics"				3.6.1 Search vendor "Oracle" for product "Product Lifecycle Analytics" and version "3.6.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Order Broker Search vendor "Oracle" for product "Retail Order Broker"				18.0 Search vendor "Oracle" for product "Retail Order Broker" and version "18.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Order Broker Search vendor "Oracle" for product "Retail Order Broker"				19.1 Search vendor "Oracle" for product "Retail Order Broker" and version "19.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				17.0.4 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "17.0.4"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				18.0.3 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "18.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				19.0.2 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "19.0.2"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				20.0.1 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "20.0.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				21.0.1 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "21.0.1"		-		Affected
Oracle Search vendor "Oracle"		Siebel Ui Framework Search vendor "Oracle" for product "Siebel Ui Framework"				<= 21.12 Search vendor "Oracle" for product "Siebel Ui Framework" and version " <= 21.12"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.3.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.4.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				14.1.1.0.0 Search vendor "Oracle" for product "Weblogic Server" and version "14.1.1.0.0"		-		Affected