CVE-2021-44832

Warning

EPSS 53.59%
Published 28.12.2021 20:15:08
Last modified 21.11.2024 06:31:34
Source security@apache.org
Teams watchlist Login
Open Login

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Affected products Warnungen 1 Metrics 3 CWE 2 References 15

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Log4j Version >= 2.0.1 < 2.3.2

Apache ≫ Log4j Version >= 2.4 < 2.12.4

Apache ≫ Log4j Version >= 2.13.0 < 2.17.1

Apache ≫ Log4j Version2.0 Update-

Apache ≫ Log4j Version2.0 Updatebeta7

Apache ≫ Log4j Version2.0 Updatebeta8

Apache ≫ Log4j Version2.0 Updatebeta9

Apache ≫ Log4j Version2.0 Updaterc1

Apache ≫ Log4j Version2.0 Updaterc2

Oracle ≫ Communications Diameter Signaling Router Version >= 8.0.0.0 <= 8.5.1.0

Oracle ≫ Communications Interactive Session Recorder Version6.3

Oracle ≫ Communications Interactive Session Recorder Version6.4

Oracle ≫ Primavera Gateway Version >= 17.12.0 <= 17.12.11

Oracle ≫ Primavera Gateway Version >= 18.8.0 <= 18.8.13

Oracle ≫ Primavera Gateway Version >= 19.12.0 <= 19.12.12

Oracle ≫ Primavera Gateway Version >= 20.12.0 <= 20.12.7

Oracle ≫ Primavera Gateway Version21.12.0

Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 19.12.0 <= 19.12.18.0

Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 20.12.0.0 <= 20.12.12.0

Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version21.12.0.0

Oracle ≫ Primavera Unifier Version18.8

Oracle ≫ Primavera Unifier Version19.12

Oracle ≫ Primavera Unifier Version20.12

Oracle ≫ Primavera Unifier Version21.12

Oracle ≫ Retail Assortment Planning Version16.0.3

Oracle ≫ Retail Fiscal Management Version14.2

Oracle ≫ Siebel Ui Framework Version21.12

Oracle ≫ Weblogic Server Version12.2.1.3.0

Oracle ≫ Weblogic Server Version12.2.1.4.0

Oracle ≫ Weblogic Server Version14.1.1.0.0

Cisco ≫ Cloudcenter Version4.10.0.16

Fedoraproject ≫ Fedora Version34

Fedoraproject ≫ Fedora Version35

Debian ≫ Debian Linux Version9.0

Oracle ≫ Communications Brm - Elastic Charging Engine Version < 12.0.0.4.6

Oracle ≫ Communications Brm - Elastic Charging Engine Version12.0.0.5.0

Oracle ≫ Communications Diameter Signaling Router Version >= 8.3.0.0 <= 8.5.1.0

Oracle ≫ Communications Interactive Session Recorder Version6.3

Oracle ≫ Communications Interactive Session Recorder Version6.4

Oracle ≫ Communications Offline Mediation Controller Version < 12.0.0.4.4

Oracle ≫ Communications Offline Mediation Controller Version12.0.0.5.0

Oracle ≫ Flexcube Private Banking Version12.1.0

Oracle ≫ Health Sciences Data Management Workbench Version2.5.2.1

Oracle ≫ Health Sciences Data Management Workbench Version3.0.0.0

Oracle ≫ Health Sciences Data Management Workbench Version3.1.0.3

Oracle ≫ Policy Automation Version >= 12.2.0 <= 12.2.24

Oracle ≫ Policy Automation For Mobile Devices Version >= 12.2.0 <= 12.2.24

Oracle ≫ Primavera Gateway Version >= 17.12.0 <= 17.12.11

Oracle ≫ Primavera Gateway Version >= 18.8.0 <= 18.8.13

Oracle ≫ Primavera Gateway Version >= 19.12.0 <= 19.12.12

Oracle ≫ Primavera Gateway Version >= 20.12.0 <= 20.12.7

Oracle ≫ Primavera Gateway Version21.12.0

Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 19.12.0.0 <= 19.12.18.0

Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 20.12.0.0 <= 20.12.12.0

Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version21.12.0.0

Oracle ≫ Primavera Unifier Version18.8

Oracle ≫ Primavera Unifier Version19.12

Oracle ≫ Primavera Unifier Version20.12

Oracle ≫ Primavera Unifier Version21.12

Oracle ≫ Product Lifecycle Analytics Version3.6.1

Oracle ≫ Retail Order Broker Version18.0

Oracle ≫ Retail Order Broker Version19.1

Oracle ≫ Retail Xstore Point Of Service Version17.0.4

Oracle ≫ Retail Xstore Point Of Service Version18.0.3

Oracle ≫ Retail Xstore Point Of Service Version19.0.2

Oracle ≫ Retail Xstore Point Of Service Version20.0.1

Oracle ≫ Retail Xstore Point Of Service Version21.0.1

Oracle ≫ Siebel Ui Framework Version <= 21.12

Oracle ≫ Weblogic Server Version12.2.1.3.0

Oracle ≫ Weblogic Server Version12.2.1.4.0

Oracle ≫ Weblogic Server Version14.1.1.0.0

10.12.2021: CERT.at Warnung

https://www.cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-apache-log4j-bibliothek

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	53.59%	0.979

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.6	0.7	5.9	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	8.5	6.8	10	AV:N/AC:M/Au:S/C:C/I:C/A:C

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Patch

Third Party Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

Third Party Advisory

http://www.openwall.com/lists/oss-security/2021/12/28/1