CVE-2021-44832

Description from NVD

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Information Acquisition Date: 2022-11-11T00:38Z
CVSS 2.0: 8.5 HIGH
CVSS 3.x: 6.6 MEDIUM

CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C

NVD References

 https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
     source:MISC
     tags:Mailing List    Vendor Advisory    
 https://issues.apache.org/jira/browse/LOG4J2-3293
     source:MISC
     tags:Issue Tracking    Patch    Vendor Advisory    
 [oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration
     source:MLIST
     tags:Mailing List    Third Party Advisory    
 https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
     source:CONFIRM
     tags:Third Party Advisory    
 [debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update
     source:MLIST
     tags:Mailing List    Third Party Advisory    
 https://security.netapp.com/advisory/ntap-20220104-0001/
     source:CONFIRM
     tags:Third Party Advisory    
 FEDORA-2021-1bd9151bab
     source:FEDORA
     tags:Mailing List    Third Party Advisory    
 FEDORA-2021-c6f471ce0f
     source:FEDORA
     tags:Mailing List    Third Party Advisory    
 20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021
     source:CISCO
     tags:Third Party Advisory    
 https://www.oracle.com/security-alerts/cpujan2022.html
     source:MISC
     tags:Patch    Third Party Advisory    
 https://www.oracle.com/security-alerts/cpuapr2022.html
     source:MISC
     tags:Patch    Third Party Advisory    
 N/A
     source:N/A
     tags:Patch    Third Party Advisory    

Refer to Information on External Sites

CVE Information    Exploits or more Information
mitre    EXPLOIT DATABASE
NVD    0day.today
vulmon.com    github
CVE Details    Twitter
JVN ENG JPN
Reconshell

Software Tag: Oracle(15 tweets)



List of frequently cited URLs

URL    Num of Times Referred to
https://www.oracle.com/security-alerts/cpujan2022.html    54
https://cvetrends.com    51
http://twinybots.ch    37
https://www.bleepingcomputer.com/news/security/log4j-2171-o...    7
https://securityaffairs.co/wordpress/126135/hacking/new-apa...    6
https://news.ycombinator.com/item?id=29718845    6
https://yamory.io    5
https://snyk.io/blog/new-log4j-2-17-1-fixes-cve-2021-44832-...    4
http://earmas.ga    4
https://qiita.com/SnykSec/items/96cf51a9f5dd52d429eb    4
https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17...    4
https://logging.apache.org/log4j/2.x/security.html    4
https://bit.ly/3qDpXro    3
https://ift.tt/3eykxIQ    3
https://github.com/mergebase/log4j-detector    3
https://opsmtrs.com/3yzKsZo    3
https://twitter.com/GossiTheDog/status/1475916081483165702    3
https://www.circl.lu/pub/tr-65    3
https://blogs.sap.com/2021/12/14/hana-xsa-log4j-cve-2021-44228    3
https://orca.security/resources/blog/instantly-detect-log4j...    3
https://www.snort.org/downloads    3
https://www.cibertip.com/vulnerabilidades/cve-2021-44832-la...    3
https://access.redhat.com/security/cve/CVE-2021-4178    3
https://security.sios.com/vulnerability/misc-security-vulne...    3
https://greenlock.ghost.io/log4j-ou-log4shell-la-javapocaly...    3
https://support.citrix.com/article/CTX335705    3
https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022    3


GitHub Search Results: Up to 10
Name    URL
thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832    https://github.com/thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832
cckuailong/log4j_RCE_CVE-2021-44832    https://github.com/cckuailong/log4j_RCE_CVE-2021-44832
logpresso/CVE-2021-44228-Scanner    https://github.com/logpresso/CVE-2021-44228-Scanner
name/log4j    https://github.com/name/log4j
Qualys/log4jscanwin    https://github.com/Qualys/log4jscanwin
andalik/log4j-filescan    https://github.com/andalik/log4j-filescan
HynekPetrak/log4shell-finder    https://github.com/HynekPetrak/log4shell-finder
yannart/log4shell-scanner-rs    https://github.com/yannart/log4shell-scanner-rs
thl-cmk/CVE-log4j-check_mk-plugin    https://github.com/thl-cmk/CVE-log4j-check_mk-plugin

2023/02/14 Score : 0
Added Har-sia Database : 2021/12/29
Last Modified : 2023/02/14
Highest Scored Date : 2021/12/29
Highest Score : 407