CVE-2021-44832

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Provider | Type | Base Score (CVSS 3.x) | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 6.6 MEDIUM | NETWORK | HIGH | HIGH | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
apache | CNA | --- | --- | | |
CVE | ADP | --- | --- | | |

EPSS score percentile: 97%
Vendor | Product | Version
apache | log4j | 2.0.1 ≤ x < 2.3.2
apache | log4j | 2.4 ≤ x < 2.12.4
apache | log4j | 2.13.0 ≤ x < 2.17.1
apache | log4j | 2.0
apache | log4j | 2.0:beta7
apache | log4j | 2.0:beta8
apache | log4j | 2.0:beta9
apache | log4j | 2.0:rc1
apache | log4j | 2.0:rc2
oracle | communications_diameter_signaling_router | 8.0.0.0 ≤ x ≤ 8.5.1.0
oracle | communications_interactive_session_recorder | 6.3
oracle | communications_interactive_session_recorder | 6.4
oracle | primavera_gateway | 17.12.0 ≤ x ≤ 17.12.11
oracle | primavera_gateway | 18.8.0 ≤ x ≤ 18.8.13
oracle | primavera_gateway | 19.12.0 ≤ x ≤ 19.12.12
oracle | primavera_gateway | 20.12.0 ≤ x ≤ 20.12.7
oracle | primavera_gateway | 21.12.0
oracle | primavera_p6_enterprise_project_portfolio_management | 19.12.0 ≤ x ≤ 19.12.18.0
oracle | primavera_p6_enterprise_project_portfolio_management | 20.12.0.0 ≤ x ≤ 20.12.12.0
oracle | primavera_p6_enterprise_project_portfolio_management | 21.12.0.0
oracle | primavera_unifier | 18.8
oracle | primavera_unifier | 19.12
oracle | primavera_unifier | 20.12
oracle | primavera_unifier | 21.12
oracle | retail_assortment_planning | 16.0.3
oracle | retail_fiscal_management | 14.2
oracle | siebel_ui_framework | 21.12
oracle | weblogic_server | 12.2.1.3.0
oracle | weblogic_server | 12.2.1.4.0
oracle | weblogic_server | 14.1.1.0.0

Vendor | Product | Version
cisco | cloudcenter | 4.10.0.16
debian | debian_linux | 9.0
oracle | communications_brm_-_elastic_charging_engine | x < 12.0.0.4.6
oracle | communications_brm_-_elastic_charging_engine | 12.0.0.5.0
oracle | communications_diameter_signaling_router | 8.3.0.0 ≤ x ≤ 8.5.1.0
oracle | communications_interactive_session_recorder | 6.3
oracle | communications_interactive_session_recorder | 6.4
oracle | communications_offline_mediation_controller | x < 12.0.0.4.4
oracle | communications_offline_mediation_controller | 12.0.0.5.0
oracle | flexcube_private_banking | 12.1.0
oracle | health_sciences_data_management_workbench | 2.5.2.1
oracle | health_sciences_data_management_workbench | 3.0.0.0
oracle | health_sciences_data_management_workbench | 3.1.0.3
oracle | policy_automation | 12.2.0 ≤ x ≤ 12.2.24
oracle | policy_automation_for_mobile_devices | 12.2.0 ≤ x ≤ 12.2.24
oracle | primavera_gateway | 17.12.0 ≤ x ≤ 17.12.11
oracle | primavera_gateway | 18.8.0 ≤ x ≤ 18.8.13
oracle | primavera_gateway | 19.12.0 ≤ x ≤ 19.12.12
oracle | primavera_gateway | 20.12.0 ≤ x ≤ 20.12.7
oracle | primavera_gateway | 21.12.0
oracle | primavera_p6_enterprise_project_portfolio_management | 19.12.0.0 ≤ x ≤ 19.12.18.0
oracle | primavera_p6_enterprise_project_portfolio_management | 20.12.0.0 ≤ x ≤ 20.12.12.0
oracle | primavera_p6_enterprise_project_portfolio_management | 21.12.0.0
oracle | primavera_unifier | 18.8
oracle | primavera_unifier | 19.12
oracle | primavera_unifier | 20.12
oracle | primavera_unifier | 21.12
oracle | product_lifecycle_analytics | 3.6.1
oracle | retail_order_broker | 18.0
oracle | retail_order_broker | 19.1
oracle | retail_xstore_point_of_service | 17.0.4
oracle | retail_xstore_point_of_service | 18.0.3
oracle | retail_xstore_point_of_service | 19.0.2
oracle | retail_xstore_point_of_service | 20.0.1
oracle | retail_xstore_point_of_service | 21.0.1
oracle | siebel_ui_framework | x ≤ 21.12
oracle | weblogic_server | 12.2.1.3.0
oracle | weblogic_server | 12.2.1.4.0
oracle | weblogic_server | 14.1.1.0.0

x = Vulnerable software versions
Debian Releases

Debian Product | Codename | Version | Status
apache-log4j2 | bullseye | 2.17.1-1~deb11u1 | fixed
apache-log4j2 | bullseye (security) | | vulnerable
apache-log4j2 | sid | 2.19.0-2 | fixed
apache-log4j2 | trixie | 2.19.0-2 | fixed
apache-log4j2 | bookworm | 2.19.0-2 | fixed
Ubuntu Releases

Ubuntu Product | Codename | Version | Status
apache-log4j2 | noble | | needs-triage
apache-log4j2 | mantic | | ignored
apache-log4j2 | lunar | | ignored
apache-log4j2 | kinetic | | not-affected
apache-log4j2 | jammy | | not-affected
apache-log4j2 | impish | Fixed 2.17.1-0.21.10.1 | released
apache-log4j2 | hirsute | Fixed 2.17.1-0.21.04.1 | released
apache-log4j2 | focal | Fixed 2.17.1-0.20.04.1 | released
apache-log4j2 | bionic | Fixed 2.12.4-0ubuntu0.1 | released
apache-log4j2 | xenial | | needed
apache-log4j2 | trusty | | dne
References