CVE-2021-44832
Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration
- Severity Score
- Exploit Likelihood
- Affected Versions
- Public Exploits: 1
- Exploited in Wild: -
- Decision: -
Descriptions
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-12-11 CVE Reserved
- 2021-12-28 CVE Published
- 2022-01-03 First Exploit
- 2024-04-18 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CAPEC
References (15)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2021/12/28/1 | Mailing List | |
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf | Third Party Advisory | |
https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html | Mailing List | |
https://security.netapp.com/advisory/ntap-20220104-0001 | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://github.com/thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832 | 2022-01-03 | |

URL | Date | SRC |
---|---|---|
https://issues.apache.org/jira/browse/LOG4J2-3293 | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpuapr2022.html | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpujan2022.html | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpujul2022.html | 2023-11-07 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Apache | Log4j | >= 2.0.1 < 2.3.2 | - | Affected |
Apache | Log4j | >= 2.4 < 2.12.4 | - | Affected |
Apache | Log4j | >= 2.13.0 < 2.17.1 | - | Affected |
Apache | Log4j | 2.0 | - | Affected |
Apache | Log4j | 2.0 | beta7 | Affected |
Apache | Log4j | 2.0 | beta8 | Affected |
Apache | Log4j | 2.0 | beta9 | Affected |
Apache | Log4j | 2.0 | rc1 | Affected |
Apache | Log4j | 2.0 | rc2 | Affected |
Oracle | Communications Diameter Signaling Router | >= 8.0.0.0 <= 8.5.1.0 | - | Affected |
Oracle | Communications Interactive Session Recorder | 6.3 | - | Affected |
Oracle | Communications Interactive Session Recorder | 6.4 | - | Affected |
Oracle | Primavera Gateway | >= 17.12.0 <= 17.12.11 | - | Affected |
Oracle | Primavera Gateway | >= 18.8.0 <= 18.8.13 | - | Affected |
Oracle | Primavera Gateway | >= 19.12.0 <= 19.12.12 | - | Affected |
Oracle | Primavera Gateway | >= 20.12.0 <= 20.12.7 | - | Affected |
Oracle | Primavera Gateway | 21.12.0 | - | Affected |
Oracle | Primavera P6 Enterprise Project Portfolio Management | >= 19.12.0 <= 19.12.18.0 | - | Affected |
Oracle | Primavera P6 Enterprise Project Portfolio Management | >= 20.12.0.0 <= 20.12.12.0 | - | Affected |
Oracle | Primavera P6 Enterprise Project Portfolio Management | 21.12.0.0 | - | Affected |
Oracle | Primavera Unifier | 18.8 | - | Affected |
Oracle | Primavera Unifier | 19.12 | - | Affected |
Oracle | Primavera Unifier | 20.12 | - | Affected |
Oracle | Primavera Unifier | 21.12 | - | Affected |
Oracle | Retail Assortment Planning | 16.0.3 | - | Affected |
Oracle | Retail Fiscal Management | 14.2 | - | Affected |
Oracle | Siebel Ui Framework | 21.12 | - | Affected |
Oracle | Weblogic Server | 12.2.1.3.0 | - | Affected |
Oracle | Weblogic Server | 12.2.1.4.0 | - | Affected |
Oracle | Weblogic Server | 14.1.1.0.0 | - | Affected |
Cisco | Cloudcenter | 4.10.0.16 | - | Affected |
Fedoraproject | Fedora | 34 | - | Affected |
Fedoraproject | Fedora | 35 | - | Affected |
Debian | Debian Linux | 9.0 | - | Affected |
Oracle | Communications Brm - Elastic Charging Engine | < 12.0.0.4.6 | - | Affected |
Oracle | Communications Brm - Elastic Charging Engine | 12.0.0.5.0 | - | Affected |
Oracle | Communications Diameter Signaling Router | >= 8.3.0.0 <= 8.5.1.0 | - | Affected |
Oracle | Communications Offline Mediation Controller | < 12.0.0.4.4 | - | Affected |
Oracle | Communications Offline Mediation Controller | 12.0.0.5.0 | - | Affected |
Oracle | Flexcube Private Banking | 12.1.0 | - | Affected |
Oracle | Health Sciences Data Management Workbench | 2.5.2.1 | - | Affected |
Oracle | Health Sciences Data Management Workbench | 3.0.0.0 | - | Affected |
Oracle | Health Sciences Data Management Workbench | 3.1.0.3 | - | Affected |
Oracle | Policy Automation | >= 12.2.0 <= 12.2.24 | - | Affected |
Oracle | Policy Automation For Mobile Devices | >= 12.2.0 <= 12.2.24 | - | Affected |
Oracle | Primavera P6 Enterprise Project Portfolio Management | >= 19.12.0.0 <= 19.12.18.0 | - | Affected |
Oracle | Product Lifecycle Analytics | 3.6.1 | - | Affected |
Oracle | Retail Order Broker | 18.0 | - | Affected |
Oracle | Retail Order Broker | 19.1 | - | Affected |
Oracle | Retail Xstore Point Of Service | 17.0.4 | - | Affected |
Oracle | Retail Xstore Point Of Service | 18.0.3 | - | Affected |
Oracle | Retail Xstore Point Of Service | 19.0.2 | - | Affected |
Oracle | Retail Xstore Point Of Service | 20.0.1 | - | Affected |
Oracle | Retail Xstore Point Of Service | 21.0.1 | - | Affected |
Oracle | Siebel Ui Framework | <= 21.12 | - | Affected |