CVE-2021-44832

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

CVSS v3 6.6 MEDIUM
CVSS v2.0 8.5 HIGH

6.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.7 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

8.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:M/Au:S/C:C/I:C/A:C

Exploitability : 6.8 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.openwall.com/lists/oss-security/2021/12/28/1	Mailing List Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf	Third Party Advisory
https://issues.apache.org/jira/browse/LOG4J2-3293	Issue Tracking Patch Vendor Advisory
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143	Mailing List Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/
https://security.netapp.com/advisory/ntap-20220104-0001/	Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/28/1	Mailing List Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf	Third Party Advisory
https://issues.apache.org/jira/browse/LOG4J2-3293	Issue Tracking Patch Vendor Advisory
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143	Mailing List Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/
https://security.netapp.com/advisory/ntap-20220104-0001/	Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:log4j::::::::
	cpe:2.3:a:apache:log4j::::::::
	cpe:2.3:a:apache:log4j::::::::
	cpe:2.3:a:apache:log4j:2.0:-::::::
	cpe:2.3:a:apache:log4j:2.0:beta7::::::
	cpe:2.3:a:apache:log4j:2.0:beta8::::::
	cpe:2.3:a:apache:log4j:2.0:beta9::::::
	cpe:2.3:a:apache:log4j:2.0:rc1::::::
	cpe:2.3:a:apache:log4j:2.0:rc2::::::

Configuration 2 (hide)

OR	cpe:2.3:a:oracle:communications_diameter_signaling_router::::::::
	cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:::::::*
	cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:::::::*
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway:21.12.0:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:21.12.0.0:::::::*
	cpe:2.3:a:oracle:primavera_unifier:18.8:::::::*
	cpe:2.3:a:oracle:primavera_unifier:19.12:::::::*
	cpe:2.3:a:oracle:primavera_unifier:20.12:::::::*
	cpe:2.3:a:oracle:primavera_unifier:21.12:::::::*
	cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:::::::*
	cpe:2.3:a:oracle:retail_fiscal_management:14.2:::::::*
	cpe:2.3:a:oracle:siebel_ui_framework:21.12:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*

Configuration 3 (hide)

cpe:2.3:a:cisco:cloudcenter:4.10.0.16:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 5 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 6 (hide)

OR	cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine::::::::
	cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:::::::*
	cpe:2.3:a:oracle:communications_diameter_signaling_router::::::::
	cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:::::::*
	cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:::::::*
	cpe:2.3:a:oracle:communications_offline_mediation_controller::::::::
	cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:::::::*
	cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:::::::*
	cpe:2.3:a:oracle:health_sciences_data_management_workbench:2.5.2.1:::::::*
	cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.0.0.0:::::::*
	cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.1.0.3:::::::*
	cpe:2.3:a:oracle:policy_automation::::::::
	cpe:2.3:a:oracle:policy_automation_for_mobile_devices::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway:21.12.0:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:21.12.0.0:::::::*
	cpe:2.3:a:oracle:primavera_unifier:18.8:::::::*
	cpe:2.3:a:oracle:primavera_unifier:19.12:::::::*
	cpe:2.3:a:oracle:primavera_unifier:20.12:::::::*
	cpe:2.3:a:oracle:primavera_unifier:21.12:::::::*
	cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:::::::*
	cpe:2.3:a:oracle:retail_order_broker:18.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:19.1:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.1:::::::*
	cpe:2.3:a:oracle:siebel_ui_framework::::::::
	cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*

History

21 Nov 2024, 06:31

Type	Values Removed	Values Added
References	~~() http://www.openwall.com/lists/oss-security/2021/12/28/1 - Mailing List, Third Party Advisory~~	() http://www.openwall.com/lists/oss-security/2021/12/28/1 - Mailing List, Third Party Advisory
References	~~() https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf - Third Party Advisory~~	() https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf - Third Party Advisory
References	~~() https://issues.apache.org/jira/browse/LOG4J2-3293 - Issue Tracking, Patch, Vendor Advisory~~	() https://issues.apache.org/jira/browse/LOG4J2-3293 - Issue Tracking, Patch, Vendor Advisory
References	~~() https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143 - Mailing List, Vendor Advisory~~	() https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143 - Mailing List, Vendor Advisory
References	~~() https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html - Mailing List, Third Party Advisory~~	() https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html - Mailing List, Third Party Advisory
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/ -
References	~~() https://security.netapp.com/advisory/ntap-20220104-0001/ - Third Party Advisory~~	() https://security.netapp.com/advisory/ntap-20220104-0001/ - Third Party Advisory
References	~~() https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd - Third Party Advisory~~	() https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd - Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory

07 Nov 2023, 03:39

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/', 'name': 'FEDORA-2021-c6f471ce0f', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/', 'name': 'FEDORA-2021-1bd9151bab', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/ -

Information

Published : 2021-12-28 20:15

Updated : 2024-11-21 06:31

NVD link : CVE-2021-44832

Mitre link : CVE-2021-44832

CVE.ORG link : CVE-2021-44832

JSON object : View

Products Affected

debian

debian_linux

oracle

communications_offline_mediation_controller
communications_brm_-_elastic_charging_engine
siebel_ui_framework
health_sciences_data_management_workbench
retail_assortment_planning
retail_xstore_point_of_service
communications_diameter_signaling_router
retail_fiscal_management
flexcube_private_banking
communications_interactive_session_recorder
product_lifecycle_analytics
retail_order_broker
policy_automation_for_mobile_devices
weblogic_server
primavera_unifier
primavera_gateway
policy_automation
primavera_p6_enterprise_project_portfolio_management

fedoraproject

fedora

cisco

cloudcenter

apache

log4j

CWE

CWE-20

Improper Input Validation

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

6.6 /10