CVE - CVE-2021-44832

CVE-ID
CVE-2021-44832	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CISCO:20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021 URL:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd CONFIRM:https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf URL:https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf CONFIRM:https://security.netapp.com/advisory/ntap-20220104-0001/ URL:https://security.netapp.com/advisory/ntap-20220104-0001/ FEDORA:FEDORA-2021-1bd9151bab URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/ FEDORA:FEDORA-2021-c6f471ce0f URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/ MISC:https://issues.apache.org/jira/browse/LOG4J2-3293 URL:https://issues.apache.org/jira/browse/LOG4J2-3293 MISC:https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143 URL:https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143 MISC:https://www.oracle.com/security-alerts/cpuapr2022.html URL:https://www.oracle.com/security-alerts/cpuapr2022.html MISC:https://www.oracle.com/security-alerts/cpujan2022.html URL:https://www.oracle.com/security-alerts/cpujan2022.html MISC:https://www.oracle.com/security-alerts/cpujul2022.html URL:https://www.oracle.com/security-alerts/cpujul2022.html MLIST:[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update URL:https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html MLIST:[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration URL:http://www.openwall.com/lists/oss-security/2021/12/28/1
Assigning CNA
Apache Software Foundation
Date Record Created
20211211	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20211211)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)