CVE-2021-44832: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when…

medium6.6CVSS 3.1

AVNACHPRHUINSUCHIHAH

ITW

Exploited in the wild

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Affected

76 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	log4j	—	—
apache	log4j	>= 2.0.1 < 2.3.2	2.3.2
apache	log4j	>= 2.13.0 < 2.17.1	2.17.1
apache	log4j	>= 2.4 < 2.12.4	2.12.4
apache	logging	—	—
apache	tika	—	—
apache_software_foundation	apache_log4j2	>= log4j-core < 2.17.1	2.17.1
cisco	cloudcenter	—	—
debian	apache-log4j2	< apache-log4j2 2.17.1-1 (bookworm)	apache-log4j2 2.17.1-1 (bookworm)
debian	debian_linux	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
oracle	communications_brm_elastic_charging_engine	< 12.0.0.4.6	12.0.0.4.6
oracle	communications_brm_elastic_charging_engine	—	—
oracle	communications_diameter_signaling_router	8.0.0.0 – 8.5.1.0	—
oracle	communications_diameter_signaling_router	8.3.0.0 – 8.5.1.0	—
oracle	communications_interactive_session_recorder	—	—
oracle	communications_interactive_session_recorder	—	—
oracle	communications_offline_mediation_controller	< 12.0.0.4.4	12.0.0.4.4
oracle	communications_offline_mediation_controller	—	—
oracle	flexcube_private_banking	—	—
oracle	health_sciences_data_management_workbench	—	—
oracle	health_sciences_data_management_workbench	—	—
oracle	health_sciences_data_management_workbench	—	—
oracle	policy_automation	12.2.0 – 12.2.24	—

CVSS provenance

nvdv3.16.6MEDIUMCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

ghsa10.0CRITICAL

osv10.0CRITICAL

vulncheck6.6MEDIUM