⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

Severity: 6.6 (MEDIUM)
EPSS: 50.6% (top 2.15%)
CISA KEV: Not in KEV
Exploit: Exploited in wild (active exploitation observed)
Timeline: Published Dec 28; latest update Apr 15

Description

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.7 | Impact: 5.9

Affected Packages (24 packages)

CVEList V5: apache_software_foundation/apache_log4j2, log4j-core 2.17.1
Debian: apache-log4j2 < 2.17.1-1~deb11u1 (+3)
Ubuntu: apache-log4j2 < 2.12.4-0ubuntu0.1 (+1)
NVD: oracle/health_sciences_data_management_workbench 2.5.2.1, 3.0.0.0, 3.1.0.3 (+2)

Also affects: Debian Linux 9.0, Fedora 34, 35

Patches

🔴 Vulnerability Details (6)

OSV: apache-log4j2 vulnerabilities (2022-01-11)
OSV: Improper Input Validation and Injection in Apache Log4j2 (2022-01-04)
GHSA: Improper Input Validation and Injection in Apache Log4j2 (2022-01-04)
CVEList: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration (2021-12-28)
OSV: CVE-2021-44832: Apache Log4j2 versions 2 (2021-12-28)

📋 Vendor Advisories (12)

Oracle: Oracle Retail Applications Risk Matrix: Security (Apache Log4j) — CVE-2021-44832 (2023-04-15)
Oracle: Oracle Food and Beverage Applications Risk Matrix: Reporting (Apache Log4j) — CVE-2021-44832 (2023-01-15)
Oracle: Oracle Essbase Risk Matrix: Essbase Web Platform (Apache Log4j) — CVE-2021-44832 (2022-10-15)
Oracle: Oracle Communications Applications Risk Matrix: Charging Server (Apache Log4j) — CVE-2021-44832 (2022-07-15)
Oracle: Oracle SQL Developer Risk Matrix: Installation (Apache Log4j) — CVE-2021-44832 (2022-04-15)

🕵️ Threat Intelligence (7)

Sentinelone: Log4j One Month On | Crimeware and Exploitation Roundup (2022-01-10)
Wiz: Log4Shell: Wrap all your Log4j fixes before the holidays | Wiz Blog (2021-12-21)
Qualys: Is Your Web Application Exploitable By Log4Shell Vulnerability? (2021-12-15)
CVE-2021-44832 (MEDIUM CVSS 6.6) | Apache Log4j2 versions 2.0-beta7 th | cvebase.io