
CVE-2021-44832

Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

Severity Score: 6.6 (CVSS v3.1)

Exploit Likelihood: not shown (EPSS)

Affected Versions: see the affected-products table below (CPE)

Public Exploits: 1 (Multiple Sources)

Exploited in Wild: - (KEV)

Decision: - (SSVC)

Descriptions

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
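The fix described above restricts JNDI data source names to the java: protocol. As an added defensive check that is not part of this CVE record, the scanner below reads a Log4j2 XML configuration and reports JDBC appenders whose DataSource jndiName is not confined to that protocol; the element layout (Configuration/Appenders/JDBC/DataSource) is the documented Log4j2 form, and both sample configurations are constructed for the example.

```python
# Added example, not part of this CVE record: a scanner for Log4j2 XML
# configurations that reports JDBC appenders whose DataSource jndiName is not
# confined to the java: protocol, the restriction the Log4j2 2.17.1 / 2.12.4 /
# 2.3.2 fix applies to JNDI data source names. Element layout assumed here:
# <Configuration><Appenders><JDBC name="..."><DataSource jndiName="..."/></JDBC>.
import xml.etree.ElementTree as ET
from typing import List, Tuple


def jndi_protocol(jndi_name: str) -> str:
    """Return the protocol (scheme) of a JNDI name, lower-cased, or '' if absent."""
    if ":" not in jndi_name:
        return ""
    return jndi_name.split(":", 1)[0].strip().lower()


def find_risky_jdbc_datasources(config_xml: str) -> List[Tuple[str, str]]:
    """Return (appender name, jndiName) for every JDBC appender DataSource whose
    JNDI name does not carry an explicit java: protocol.  Names with no protocol
    at all are reported too (a deliberate, stricter choice so they get reviewed)."""
    root = ET.fromstring(config_xml)
    findings = []
    for jdbc in root.iter("JDBC"):            # JDBC appenders at any depth
        appender = jdbc.get("name", "<unnamed>")
        for ds in jdbc.iter("DataSource"):
            jndi = ds.get("jndiName", "")
            if jndi_protocol(jndi) != "java":
                findings.append((appender, jndi))
    return findings


# Constructed sample: a container-managed DataSource under the java: protocol.
SAFE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="dbAppender" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="dbAppender"/></Root></Loggers>
</Configuration>"""

# Constructed sample: the same file with the DataSource pointed at a non-java:
# JNDI protocol (placeholder host), the shape the fixed releases refuse to use.
RISKY_CONFIG = SAFE_CONFIG.replace(
    'jndiName="java:comp/env/jdbc/LoggingDataSource"',
    'jndiName="ldap://PLACEHOLDER-HOST/o=example"',
)

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(label, find_risky_jdbc_datasources(cfg))
```

Run it over every log4j2.xml you ship (the scan is independent of which Log4j2 version is on the classpath) and treat any finding as a configuration that needs the java: restriction before the upgrade to a fixed release is relied on.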

Credits: N/A

CVSS Scores

CVSS v3.1 (base score 6.6)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: Single
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-12-11 CVE Reserved
  • 2021-12-28 CVE Published
  • 2022-01-03 First Exploit
  • 2024-04-18 EPSS Updated
  • 2024-08-04 CVE Updated
  • Exploited in Wild: -
  • KEV Due Date: -
CWE
  • CWE-20: Improper Input Validation
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CAPEC
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status
Apache | Log4j | >= 2.0.1 < 2.3.2 | - | Affected
Apache | Log4j | >= 2.4 < 2.12.4 | - | Affected
Apache | Log4j | >= 2.13.0 < 2.17.1 | - | Affected
Apache | Log4j | 2.0 | - | Affected
Apache | Log4j | 2.0 | beta7 | Affected
Apache | Log4j | 2.0 | beta8 | Affected
Apache | Log4j | 2.0 | beta9 | Affected
Apache | Log4j | 2.0 | rc1 | Affected
Apache | Log4j | 2.0 | rc2 | Affected
Oracle | Communications Brm - Elastic Charging Engine | < 12.0.0.4.6 | - | Affected
Oracle | Communications Brm - Elastic Charging Engine | 12.0.0.5.0 | - | Affected
Oracle | Communications Diameter Signaling Router | >= 8.0.0.0 <= 8.5.1.0 | - | Affected
Oracle | Communications Diameter Signaling Router | >= 8.3.0.0 <= 8.5.1.0 | - | Affected
Oracle | Communications Interactive Session Recorder | 6.3 | - | Affected
Oracle | Communications Interactive Session Recorder | 6.4 | - | Affected
Oracle | Communications Offline Mediation Controller | < 12.0.0.4.4 | - | Affected
Oracle | Communications Offline Mediation Controller | 12.0.0.5.0 | - | Affected
Oracle | Flexcube Private Banking | 12.1.0 | - | Affected
Oracle | Health Sciences Data Management Workbench | 2.5.2.1 | - | Affected
Oracle | Health Sciences Data Management Workbench | 3.0.0.0 | - | Affected
Oracle | Health Sciences Data Management Workbench | 3.1.0.3 | - | Affected
Oracle | Policy Automation | >= 12.2.0 <= 12.2.24 | - | Affected
Oracle | Policy Automation For Mobile Devices | >= 12.2.0 <= 12.2.24 | - | Affected
Oracle | Primavera Gateway | >= 17.12.0 <= 17.12.11 | - | Affected
Oracle | Primavera Gateway | >= 18.8.0 <= 18.8.13 | - | Affected
Oracle | Primavera Gateway | >= 19.12.0 <= 19.12.12 | - | Affected
Oracle | Primavera Gateway | >= 20.12.0 <= 20.12.7 | - | Affected
Oracle | Primavera Gateway | 21.12.0 | - | Affected
Oracle | Primavera P6 Enterprise Project Portfolio Management | >= 19.12.0 <= 19.12.18.0 | - | Affected
Oracle | Primavera P6 Enterprise Project Portfolio Management | >= 19.12.0.0 <= 19.12.18.0 | - | Affected
Oracle | Primavera P6 Enterprise Project Portfolio Management | >= 20.12.0.0 <= 20.12.12.0 | - | Affected
Oracle | Primavera P6 Enterprise Project Portfolio Management | 21.12.0.0 | - | Affected
Oracle | Primavera Unifier | 18.8 | - | Affected
Oracle | Primavera Unifier | 19.12 | - | Affected
Oracle | Primavera Unifier | 20.12 | - | Affected
Oracle | Primavera Unifier | 21.12 | - | Affected
Oracle | Product Lifecycle Analytics | 3.6.1 | - | Affected
Oracle | Retail Assortment Planning | 16.0.3 | - | Affected
Oracle | Retail Fiscal Management | 14.2 | - | Affected
Oracle | Retail Order Broker | 18.0 | - | Affected
Oracle | Retail Order Broker | 19.1 | - | Affected
Oracle | Retail Xstore Point Of Service | 17.0.4 | - | Affected
Oracle | Retail Xstore Point Of Service | 18.0.3 | - | Affected
Oracle | Retail Xstore Point Of Service | 19.0.2 | - | Affected
Oracle | Retail Xstore Point Of Service | 20.0.1 | - | Affected
Oracle | Retail Xstore Point Of Service | 21.0.1 | - | Affected
Oracle | Siebel Ui Framework | 21.12 | - | Affected
Oracle | Siebel Ui Framework | <= 21.12 | - | Affected
Oracle | Weblogic Server | 12.2.1.3.0 | - | Affected
Oracle | Weblogic Server | 12.2.1.4.0 | - | Affected
Oracle | Weblogic Server | 14.1.1.0.0 | - | Affected
Cisco | Cloudcenter | 4.10.0.16 | - | Affected
Fedoraproject | Fedora | 34 | - | Affected
Fedoraproject | Fedora | 35 | - | Affected
Debian | Debian Linux | 9.0 | - | Affected