CVE-2021-44832

Summary

CVE	CVE-2021-44832
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-12-28 20:15:00 UTC
Updated	2023-11-07 03:39:00 UTC
Description	Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Risk And Classification

Problem Types: CWE-20

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Log4j	All	All	All	All
Application	Apache	Log4j	2.0	-	All	All
Application	Apache	Log4j	2.0	beta7	All	All
Application	Apache	Log4j	2.0	beta8	All	All
Application	Apache	Log4j	2.0	beta9	All	All
Application	Apache	Log4j	2.0	rc1	All	All
Application	Apache	Log4j	2.0	rc2	All	All
Application	Cisco	Cloudcenter	4.10.0.16	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Application	Oracle	Communications Brm - Elastic Charging Engine	All	All	All	All
Application	Oracle	Communications Brm - Elastic Charging Engine	12.0.0.5.0	All	All	All
Application	Oracle	Communications Diameter Signaling Router	All	All	All	All
Application	Oracle	Communications Interactive Session Recorder	6.3	All	All	All
Application	Oracle	Communications Interactive Session Recorder	6.4	All	All	All
Application	Oracle	Communications Offline Mediation Controller	All	All	All	All
Application	Oracle	Communications Offline Mediation Controller	12.0.0.5.0	All	All	All
Application	Oracle	Flexcube Private Banking	12.1.0	All	All	All
Application	Oracle	Health Sciences Data Management Workbench	2.5.2.1	All	All	All
Application	Oracle	Health Sciences Data Management Workbench	3.0.0.0	All	All	All
Application	Oracle	Health Sciences Data Management Workbench	3.1.0.3	All	All	All
Application	Oracle	Policy Automation	All	All	All	All
Application	Oracle	Policy Automation For Mobile Devices	All	All	All	All
Application	Oracle	Primavera Gateway	21.12.0	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera P6 Enterprise Project Portfolio Management	21.12.0.0	All	All	All
Application	Oracle	Primavera P6 Enterprise Project Portfolio Management	All	All	All	All
Application	Oracle	Primavera P6 Enterprise Project Portfolio Management	All	All	All	All
Application	Oracle	Primavera Unifier	18.8	All	All	All
Application	Oracle	Primavera Unifier	19.12	All	All	All
Application	Oracle	Primavera Unifier	20.12	All	All	All
Application	Oracle	Primavera Unifier	21.12	All	All	All
Application	Oracle	Product Lifecycle Analytics	3.6.1	All	All	All
Application	Oracle	Retail Assortment Planning	16.0.3	All	All	All
Application	Oracle	Retail Fiscal Management	14.2	All	All	All
Application	Oracle	Retail Order Broker	18.0	All	All	All
Application	Oracle	Retail Order Broker	19.1	All	All	All
Application	Oracle	Retail Xstore Point Of Service	17.0.4	All	All	All
Application	Oracle	Retail Xstore Point Of Service	18.0.3	All	All	All
Application	Oracle	Retail Xstore Point Of Service	19.0.2	All	All	All
Application	Oracle	Retail Xstore Point Of Service	20.0.1	All	All	All
Application	Oracle	Retail Xstore Point Of Service	21.0.1	All	All	All
Application	Oracle	Siebel Ui Framework	21.12	All	All	All
Application	Oracle	Siebel Ui Framework	All	All	All	All
Application	Oracle	Weblogic Server	12.2.1.3.0	All	All	All
Application	Oracle	Weblogic Server	12.2.1.4.0	All	All	All
Application	Oracle	Weblogic Server	14.1.1.0.0	All	All	All

References

Reference	Source	Link	Tags
cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf	CONFIRM	cert-portal.siemens.com
[SECURITY] [DLA 2870-1] apache-log4j2 security update	MLIST	lists.debian.org
[SECURITY] Fedora 35 Update: log4j-2.17.1-1.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
CVE-2021-44832 Apache Log4j Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
[SECURITY] Fedora 35 Update: log4j-2.17.1-1.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 34 Update: log4j-2.17.1-1.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
[SECURITY] Fedora 34 Update: log4j-2.17.1-1.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021	CISCO	tools.cisco.com
oss-security - CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration	MLIST	www.openwall.com
[LOG4J2-3293] JDBC Appender should use JNDI Manager and JNDI access should be limited. - ASF JIRA	MISC	issues.apache.org
lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143	MISC	lists.apache.org
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

178977 Debian Security Update for apache-log4j2 (DLA 2870-1)
180584 Debian Security Update for apache-log4j2 (CVE-2021-44832)
198626 Ubuntu Security Notification for Apache Log4j 2 Vulnerabilities (USN-5222-1)
20252 IBM DB2 Security Update for Log4j (6528672,6549888)
240209 Red Hat Update for JBoss Enterprise Application Platform 7.4.4 (RHSA-2022:1296)
240210 Red Hat Update for JBoss Enterprise Application Platform 7.4.4 (RHSA-2022:1297)
282215 Fedora Security Update for log4j (FEDORA-2021-1bd9151bab)
282216 Fedora Security Update for log4j (FEDORA-2021-c6f471ce0f)
353129 Amazon Linux Security Advisory for aws-kinesis-agent : ALAS2-2022-1734
354307 Amazon Linux Security Advisory for log4j : ALAS2022-2022-011
354369 Amazon Linux Security Advisory for log4j : ALAS2022-2022-225
354538 Amazon Linux Security Advisory for log4j : ALAS-2022-225
376209 Apache Log4j Remote Code Execution (RCE) Vulnerability (CVE-2021-44832)
376210 Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell) Detected Based on Qualys Log4j scan Utility (CVE-2021-44832)
376425 Oracle Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (Log4Shell) (Doc_ID_2817011.1)
376473 IBM Spectrum Control Multiple Vulnerabilities (6561029)
376547 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUAPR2022)
691064 Free Berkeley Software Distribution (FreeBSD) Security Update for rundeck3 (27c822a0-addc-11ed-a9ee-dca632b19f10)
730318 Palo Alto Networks (PAN-OS) Log4j Multiple Vulnerabilities (PAN-184592) (Log4Shell)
730362 Neo4j Database Server Affected by Apache Log4j Security Vulnerability
730371 McAfee Web Gateway Multiple Vulnerabilities (WP-3335,WP-4131,WP-4159,WP-4237,WP-4259,WP-4329,WP-4348,WP-4355,WP-4376,WP-4407,WP-4421)
751571 OpenSUSE Security Update for log4j (openSUSE-SU-2021:4208-1)
751576 OpenSUSE Security Update for log4j (openSUSE-SU-2022:0002-1)
87483 Oracle WebLogic Server Multiple Vulnerabilities (Log4Shell) (Doc_ID_2817011.1)