CVE-2021-44228

Warning

Exploit

EPSS 94.36%
Published 10.12.2021 10:15:09
Last modified 08.08.2025 18:52:00
Source security@apache.org
Teams watchlist Login
Open Login

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Affected products Warnungen 2 Metrics 4 CWE 4 References 54

Data is provided by the National Vulnerability Database (NVD)

Siemens ≫ 6bk1602-0aa12-0tp0 Firmware Version < 2.7.0

Siemens ≫ 6bk1602-0aa12-0tp0 Version-

Siemens ≫ 6bk1602-0aa22-0tp0 Firmware Version < 2.7.0

Siemens ≫ 6bk1602-0aa22-0tp0 Version-

Siemens ≫ 6bk1602-0aa32-0tp0 Firmware Version < 2.7.0

Siemens ≫ 6bk1602-0aa32-0tp0 Version-

Siemens ≫ 6bk1602-0aa42-0tp0 Firmware Version < 2.7.0

Siemens ≫ 6bk1602-0aa42-0tp0 Version-

Siemens ≫ 6bk1602-0aa52-0tp0 Firmware Version < 2.7.0

Siemens ≫ 6bk1602-0aa52-0tp0 Version-

Apache ≫ Log4j Version >= 2.0.1 < 2.3.1

Apache ≫ Log4j Version >= 2.4.0 < 2.12.2

Apache ≫ Log4j Version >= 2.13.0 < 2.15.0

Apache ≫ Log4j Version2.0 Update-

Apache ≫ Log4j Version2.0 Updatebeta9

Apache ≫ Log4j Version2.0 Updaterc1

Apache ≫ Log4j Version2.0 Updaterc2

Siemens ≫ Sppa-t3000 Ses3000 Firmware

Siemens ≫ Sppa-t3000 Ses3000 Version-

Siemens ≫ Capital Version < 2019.1

Siemens ≫ Capital Version2019.1 Update-

Siemens ≫ Capital Version2019.1 Updatesp1912

Siemens ≫ Comos Version < 10.4.2

Siemens ≫ Desigo Cc Advanced Reports Version3.0

Siemens ≫ Desigo Cc Advanced Reports Version4.0

Siemens ≫ Desigo Cc Advanced Reports Version4.1

Siemens ≫ Desigo Cc Advanced Reports Version4.2

Siemens ≫ Desigo Cc Advanced Reports Version5.0

Siemens ≫ Desigo Cc Advanced Reports Version5.1

Siemens ≫ Desigo Cc Info Center Version5.0

Siemens ≫ Desigo Cc Info Center Version5.1

Siemens ≫ E-car Operation Center Version < 2021-12-13

Siemens ≫ Energy Engage Version3.1

Siemens ≫ Energyip Version8.5

Siemens ≫ Energyip Version8.6

Siemens ≫ Energyip Version8.7

Siemens ≫ Energyip Version9.0

Siemens ≫ Energyip Prepay Version < 3.8.0.12

Siemens ≫ Gma-manager Version < 8.6.2j-398

Siemens ≫ Head-end System Universal Device Integration System

Siemens ≫ Industrial Edge Management

Siemens ≫ Industrial Edge Management Hub Version < 2021-12-13

Siemens ≫ Mendix

Siemens ≫ Mindsphere Version < 2021-12-16

Siemens ≫ Navigator Version < 2021-12-13

Siemens ≫ Nx

Siemens ≫ Opcenter Intelligence Version >= 3.2 < 3.5

Siemens ≫ Operation Scheduler Version <= 1.1.3

Siemens ≫ Sentron Powermanager Version4.1

Siemens ≫ Sentron Powermanager Version4.2

Siemens ≫ Siguard Dsa Version >= 4.2 < 4.4.1

Siemens ≫ Sipass Integrated Version2.80

Siemens ≫ Sipass Integrated Version2.85

Siemens ≫ Siveillance Command Version <= 4.16.2.1

Siemens ≫ Siveillance Control Pro

Siemens ≫ Siveillance Identity Version1.5

Siemens ≫ Siveillance Identity Version1.6

Siemens ≫ Siveillance Vantage

Siemens ≫ Siveillance Viewpoint

Siemens ≫ Solid Edge Cam Pro

Siemens ≫ Solid Edge Harness Design Version < 2020

Siemens ≫ Solid Edge Harness Design Version2020

Siemens ≫ Solid Edge Harness Design Version2020 Update-

Siemens ≫ Solid Edge Harness Design Version2020 Updatesp2002

Siemens ≫ Spectrum Power 4 Version < 4.70

Siemens ≫ Spectrum Power 4 Version4.70 Update-

Siemens ≫ Spectrum Power 4 Version4.70 Updatesp7

Siemens ≫ Spectrum Power 4 Version4.70 Updatesp8

Siemens ≫ Spectrum Power 7 Version < 2.30

Siemens ≫ Spectrum Power 7 Version2.30

Siemens ≫ Spectrum Power 7 Version2.30 Update-

Siemens ≫ Spectrum Power 7 Version2.30 Updatesp2

Siemens ≫ Teamcenter

Siemens ≫ Vesys Version < 2019.1

Siemens ≫ Vesys Version2019.1

Siemens ≫ Vesys Version2019.1 Update-

Siemens ≫ Vesys Version2019.1 Updatesp1912

Siemens ≫ Vesys Version2020.1 Update-

Siemens ≫ Vesys Version2021.1 Update-

Siemens ≫ Xpedition Enterprise Version-

Siemens ≫ Xpedition Package Integrator Version-

Intel ≫ Computer Vision Annotation Tool Version-

Intel ≫ Datacenter Manager Version < 5.1

Intel ≫ Genomics Kernel Library Version-

Intel ≫ Oneapi Sample Browser Version- SwPlatformeclipse

Intel ≫ Secure Device Onboard Version-

Intel ≫ System Studio Version-

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Fedoraproject ≫ Fedora Version34

Fedoraproject ≫ Fedora Version35

Sonicwall ≫ Email Security Version < 10.0.13

Netapp ≫ Active Iq Unified Manager Version- SwPlatformlinux

Netapp ≫ Active Iq Unified Manager Version- SwPlatformvmware_vsphere

Netapp ≫ Active Iq Unified Manager Version- SwPlatformwindows

Netapp ≫ Brocade San Navigator Version-

Netapp ≫ Cloud Insights Version-

Netapp ≫ Cloud Manager Version-

Netapp ≫ Cloud Secure Agent Version-

Netapp ≫ Oncommand Insight Version-

Netapp ≫ Ontap Tools Version- SwPlatformvmware_vsphere

Netapp ≫ Snapcenter Version- SwPlatformvmware_vsphere

Netapp ≫ Solidfire Enterprise Sds Version-

Cisco ≫ Advanced Malware Protection Virtual Private Cloud Appliance Version < 3.5.4

Cisco ≫ Automated Subsea Tuning Version < 2.1.0

Cisco ≫ Broadworks Version < 2021.11_1.162

Cisco ≫ Business Process Automation Version < 3.0.000.115

Cisco ≫ Business Process Automation Version >= 3.1.000.000 < 3.1.000.044

Cisco ≫ Business Process Automation Version >= 3.2.000.000 < 3.2.000.009

Cisco ≫ Cloud Connect Version < 12.6\(1\)

Cisco ≫ Cloudcenter Version < 4.10.0.16

Cisco ≫ Cloudcenter Cost Optimizer Version < 5.5.2

Cisco ≫ Cloudcenter Suite Admin Version < 5.3.1

Cisco ≫ Cloudcenter Workload Manager Version < 5.5.2

Cisco ≫ Common Services Platform Collector Version < 2.9.1.3

Cisco ≫ Common Services Platform Collector Version >= 2.10.0 < 2.10.0.1

Cisco ≫ Connected Mobile Experiences Version-

Cisco ≫ Contact Center Domain Manager Version < 12.5\(1\)

Cisco ≫ Contact Center Management Portal Version < 12.5\(1\)

Cisco ≫ Crosswork Data Gateway Version < 2.0.2

Cisco ≫ Crosswork Data Gateway Version3.0.0

Cisco ≫ Crosswork Network Controller Version < 2.0.1

Cisco ≫ Crosswork Network Controller Version3.0.0

Cisco ≫ Crosswork Optimization Engine Version < 2.0.1

Cisco ≫ Crosswork Optimization Engine Version3.0.0

Cisco ≫ Crosswork Platform Infrastructure Version < 4.0.1

Cisco ≫ Crosswork Platform Infrastructure Version4.1.0

Cisco ≫ Crosswork Zero Touch Provisioning Version < 2.0.1

Cisco ≫ Crosswork Zero Touch Provisioning Version3.0.0

Cisco ≫ Customer Experience Cloud Agent Version < 1.12.1

Cisco ≫ Cyber Vision Sensor Management Extension Version < 4.0.3

Cisco ≫ Data Center Network Manager Version < 11.3\(1\)

Cisco ≫ Dna Center Version < 2.1.2.8

Cisco ≫ Dna Center Version >= 2.2.2.0 < 2.2.2.8

Cisco ≫ Dna Center Version >= 2.2.3.0 < 2.2.3.4

Cisco ≫ Emergency Responder Version < 11.5\(4\)

Cisco ≫ Enterprise Chat And Email Version < 12.0\(1\)

Cisco ≫ Evolved Programmable Network Manager Version <= 4.1.1

Cisco ≫ Finesse Version < 12.6\(1\)

Cisco ≫ Fog Director Version-

Cisco ≫ Identity Services Engine Version < 2.4.0

Cisco ≫ Identity Services Engine Version2.4.0 Update-

Cisco ≫ Integrated Management Controller Supervisor Version < 2.3.2.1

Cisco ≫ Intersight Virtual Appliance Version < 1.0.9-361

Cisco ≫ Iot Operations Dashboard Version-

Cisco ≫ Network Assurance Engine Version < 6.0.2

Cisco ≫ Network Services Orchestrator Version < 5.3.5.1

Cisco ≫ Network Services Orchestrator Version >= 5.4 < 5.4.5.2

Cisco ≫ Network Services Orchestrator Version >= 5.5 < 5.5.4.1

Cisco ≫ Network Services Orchestrator Version >= 5.6 < 5.6.3.1

Cisco ≫ Nexus Dashboard Version < 2.1.2

Cisco ≫ Nexus Insights Version < 6.0.2

Cisco ≫ Optical Network Controller Version < 1.1.0

Cisco ≫ Packaged Contact Center Enterprise Version < 11.6

Cisco ≫ Paging Server Version < 14.4.1

Cisco ≫ Prime Service Catalog Version < 12.1

Cisco ≫ Sd-wan Vmanage Version < 20.3.4.1

Cisco ≫ Sd-wan Vmanage Version >= 20.4 < 20.4.2.1

Cisco ≫ Sd-wan Vmanage Version >= 20.5 < 20.5.1.1

Cisco ≫ Sd-wan Vmanage Version >= 20.6 < 20.6.2.1

Cisco ≫ Smart Phy Version < 3.2.1

Cisco ≫ Ucs Central Version < 2.0\(1p\)

Cisco ≫ Ucs Director Version < 6.8.2.0

Cisco ≫ Unified Communications Manager SwEdition- Version < 11.5\(1\)

Cisco ≫ Unified Communications Manager SwEditionsession_management Version < 11.5\(1\)

Cisco ≫ Unified Communications Manager Im And Presence Service Version < 11.5\(1\)

Cisco ≫ Unified Contact Center Enterprise Version < 11.6\(2\)

Cisco ≫ Unified Contact Center Express Version < 12.5\(1\)

Cisco ≫ Unified Customer Voice Portal Version < 11.6

Cisco ≫ Unified Customer Voice Portal Version11.6

Cisco ≫ Unified Customer Voice Portal Version12.0

Cisco ≫ Unified Customer Voice Portal Version12.5

Cisco ≫ Unified Intelligence Center Version < 12.6\(1\)

Cisco ≫ Unity Connection Version < 11.5\(1\)

Cisco ≫ Video Surveillance Operations Manager Version < 7.14.4

Cisco ≫ Virtual Topology System Version < 2.6.7

Cisco ≫ Virtualized Infrastructure Manager Version < 3.2.0

Cisco ≫ Virtualized Infrastructure Manager Version >= 3.4.0 < 3.4.4

Cisco ≫ Virtualized Voice Browser Version < 12.5\(1\)

Cisco ≫ Wan Automation Engine Version < 7.3.0.2

Cisco ≫ Webex Meetings Server Version < 3.0

Cisco ≫ Webex Meetings Server Version3.0 Update-

Cisco ≫ Webex Meetings Server Version3.0 Updatemaintenance_release1

Cisco ≫ Webex Meetings Server Version3.0 Updatemaintenance_release2

Cisco ≫ Webex Meetings Server Version3.0 Updatemaintenance_release3

Cisco ≫ Webex Meetings Server Version3.0 Updatemaintenance_release3 Edition-

Cisco ≫ Webex Meetings Server Version3.0 Updatemaintenance_release3_security_patch4

Cisco ≫ Webex Meetings Server Version3.0 Updatemaintenance_release3_security_patch5

Cisco ≫ Webex Meetings Server Version3.0 Updatemaintenance_release3_service_pack_2

Cisco ≫ Webex Meetings Server Version3.0 Updatemaintenance_release3_service_pack_3

Cisco ≫ Webex Meetings Server Version3.0 Updatemaintenance_release4

Cisco ≫ Webex Meetings Server Version4.0 Update-

Cisco ≫ Webex Meetings Server Version4.0 Updatemaintenance_release1

Cisco ≫ Webex Meetings Server Version4.0 Updatemaintenance_release2

Cisco ≫ Webex Meetings Server Version4.0 Updatemaintenance_release3

Cisco ≫ Workload Optimization Manager Version < 3.2.1

Cisco ≫ Unified Sip Proxy Version < 10.2.1v2

Cisco ≫ Unified Workforce Optimization Version < 11.5\(1\)

Cisco ≫ Fxos Version6.2.3

   Cisco ≫ Firepower 1010 Version-
   Cisco ≫ Firepower 1120 Version-
   Cisco ≫ Firepower 1140 Version-
   Cisco ≫ Firepower 1150 Version-
   Cisco ≫ Firepower 2110 Version-
   Cisco ≫ Firepower 2120 Version-
   Cisco ≫ Firepower 2130 Version-
   Cisco ≫ Firepower 2140 Version-
   Cisco ≫ Firepower 4110 Version-
   Cisco ≫ Firepower 4112 Version-
   Cisco ≫ Firepower 4115 Version-
   Cisco ≫ Firepower 4120 Version-
   Cisco ≫ Firepower 4125 Version-
   Cisco ≫ Firepower 4140 Version-
   Cisco ≫ Firepower 4145 Version-
   Cisco ≫ Firepower 4150 Version-
   Cisco ≫ Firepower 9300 Version-

Cisco ≫ Fxos Version6.3.0

Cisco ≫ Fxos Version6.4.0

Cisco ≫ Fxos Version6.5.0

Cisco ≫ Fxos Version6.6.0

Cisco ≫ Fxos Version6.7.0

Cisco ≫ Fxos Version7.0.0

Cisco ≫ Fxos Version7.1.0

Cisco ≫ Automated Subsea Tuning Version02.01.00

Cisco ≫ Broadworks Version-

Cisco ≫ Connected Analytics For Network Deployment Version006.004.000.003

Cisco ≫ Connected Analytics For Network Deployment Version006.005.000.

Cisco ≫ Connected Analytics For Network Deployment Version006.005.000.000

Cisco ≫ Connected Analytics For Network Deployment Version007.000.001

Cisco ≫ Connected Analytics For Network Deployment Version007.001.000

Cisco ≫ Connected Analytics For Network Deployment Version007.002.000

Cisco ≫ Connected Analytics For Network Deployment Version7.3

Cisco ≫ Connected Analytics For Network Deployment Version007.003.000

Cisco ≫ Connected Analytics For Network Deployment Version007.003.001.001

Cisco ≫ Connected Analytics For Network Deployment Version007.003.003

Cisco ≫ Connected Analytics For Network Deployment Version008.000.000

Cisco ≫ Connected Analytics For Network Deployment Version008.000.000.000.004

Cisco ≫ Crosswork Network Automation Version-

Cisco ≫ Crosswork Network Automation Version2.0.0

Cisco ≫ Crosswork Network Automation Version3.0.0

Cisco ≫ Crosswork Network Automation Version4.1.0

Cisco ≫ Crosswork Network Automation Version4.1.1

Cisco ≫ Cx Cloud Agent Version001.012

Cisco ≫ Cyber Vision Version4.0.2

Cisco ≫ Cyber Vision Sensor Management Extension Version4.0.2

Cisco ≫ Dna Center Version2.2.2.8

Cisco ≫ Dna Spaces Version-

Cisco ≫ Dna Spaces Connector Version-

Cisco ≫ Emergency Responder Version11.5

Cisco ≫ Evolved Programmable Network Manager Version3.0

Cisco ≫ Evolved Programmable Network Manager Version3.1

Cisco ≫ Evolved Programmable Network Manager Version4.0

Cisco ≫ Evolved Programmable Network Manager Version4.1

Cisco ≫ Evolved Programmable Network Manager Version5.0

Cisco ≫ Evolved Programmable Network Manager Version5.1

Cisco ≫ Firepower Threat Defense Version6.2.3

Cisco ≫ Firepower Threat Defense Version6.3.0

Cisco ≫ Firepower Threat Defense Version6.4.0

Cisco ≫ Firepower Threat Defense Version6.5.0

Cisco ≫ Firepower Threat Defense Version6.6.0

Cisco ≫ Firepower Threat Defense Version6.7.0

Cisco ≫ Firepower Threat Defense Version7.0.0

Cisco ≫ Firepower Threat Defense Version7.1.0

Cisco ≫ Integrated Management Controller Supervisor Version2.3.2.0

Cisco ≫ Intersight Virtual Appliance Version1.0.9-343

Cisco ≫ Mobility Services Engine Version-

Cisco ≫ Network Services Orchestrator Version-

Cisco ≫ Optical Network Controller Version1.1

Cisco ≫ Prime Service Catalog Version12.1

Cisco ≫ Sd-wan Vmanage Version20.3

Cisco ≫ Sd-wan Vmanage Version20.4

Cisco ≫ Sd-wan Vmanage Version20.5

Cisco ≫ Sd-wan Vmanage Version20.6

Cisco ≫ Sd-wan Vmanage Version20.6.1

Cisco ≫ Sd-wan Vmanage Version20.7

Cisco ≫ Sd-wan Vmanage Version20.8

Cisco ≫ Smart Phy Version3.1.2

Cisco ≫ Smart Phy Version3.1.3

Cisco ≫ Smart Phy Version3.1.4

Cisco ≫ Smart Phy Version3.1.5

Cisco ≫ Smart Phy Version3.2.1

Cisco ≫ Smart Phy Version21.3

Cisco ≫ Ucs Central Software Version2.0

Cisco ≫ Unity Connection Version11.5

Cisco ≫ Virtual Topology System Version2.6.6

Cisco ≫ Wan Automation Engine Version7.1.3

Cisco ≫ Wan Automation Engine Version7.2.1

Cisco ≫ Wan Automation Engine Version7.2.2

Cisco ≫ Wan Automation Engine Version7.2.3

Cisco ≫ Wan Automation Engine Version7.3

Cisco ≫ Wan Automation Engine Version7.4

Cisco ≫ Wan Automation Engine Version7.5

Cisco ≫ Wan Automation Engine Version7.6

Cisco ≫ Webex Meetings Server Version3.0

Cisco ≫ Webex Meetings Server Version4.0

Snowsoftware ≫ Snow Commander Version < 8.10.0

Snowsoftware ≫ Vm Access Proxy Version < 3.6

Bentley ≫ Synchro SwEditionpro Version >= 6.1 < 6.2.4.2

Bentley ≫ Synchro 4d SwEditionpro Version < 6.4.3.2

Percussion ≫ Rhythmyx Version <= 7.3.2

Apple ≫ XCode Version < 13.3

10.12.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache Log4j2 Remote Code Execution Vulnerability

Vulnerability

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Description

For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.

Required actions

10.12.2021: CERT.at Warnung

https://www.cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-apache-log4j-bibliothek

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	94.36%	1

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

http://seclists.org/fulldisclosure/2022/Mar/23

Third Party Advisory

Mailing List

https://support.apple.com/kb/HT213189

Third Party Advisory

https://www.debian.org/security/2021/dsa-5020