6.6
CVSSv3

CVE-2021-44832

Published: 28/12/2021 Updated: 21/11/2024

Vulnerability Summary

Apache Log4j2 versions 2.0-beta7 up to and including 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache log4j

apache log4j 2.0

oracle communications diameter signaling router

oracle communications interactive session recorder 6.3

oracle communications interactive session recorder 6.4

oracle primavera gateway

oracle primavera gateway 21.12.0

oracle primavera p6 enterprise project portfolio management

oracle primavera p6 enterprise project portfolio management 21.12.0.0

oracle primavera unifier 18.8

oracle primavera unifier 19.12

oracle primavera unifier 20.12

oracle primavera unifier 21.12

oracle retail assortment planning 16.0.3

oracle retail fiscal management 14.2

oracle siebel ui framework 21.12

oracle weblogic server 12.2.1.3.0

oracle weblogic server 12.2.1.4.0

oracle weblogic server 14.1.1.0.0

cisco cloudcenter 4.10.0.16

fedoraproject fedora 34

fedoraproject fedora 35

debian debian linux 9.0

oracle communications brm - elastic charging engine

oracle communications brm - elastic charging engine 12.0.0.5.0

oracle communications offline mediation controller

oracle communications offline mediation controller 12.0.0.5.0

oracle flexcube private banking 12.1.0

oracle health sciences data management workbench 2.5.2.1

oracle health sciences data management workbench 3.0.0.0

oracle health sciences data management workbench 3.1.0.3

oracle policy automation

oracle policy automation for mobile devices

oracle product lifecycle analytics 3.6.1

oracle retail order broker 18.0

oracle retail order broker 19.1

oracle retail xstore point of service 17.0.4

oracle retail xstore point of service 18.0.3

oracle retail xstore point of service 19.0.2

oracle retail xstore point of service 20.0.1

oracle retail xstore point of service 21.0.1

oracle siebel ui framework

Vendor Advisories

Debian Bug report logs - #1002813 apache-log4j2: CVE-2021-44832: remote code execution via JDBC Appender Package: src:apache-log4j2; Maintainer for src:apache-log4j2 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 29 Dec 2021 0 ...
Synopsis Low: Red Hat JBoss Enterprise Application Platform 744 security update Type/Severity Security Advisory: Low Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic A security update is now available for Red Hat JBoss Enterprise Application Platform 74 for Red ...
Synopsis Moderate: OpenShift Container Platform 4654 extras and security update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Container Platform release 4654 is now available with updates to packages and images that fix several bugsThis release includes a security update for Red Hat OpenShift Container Platform 46Re ...
Synopsis Low: Red Hat JBoss Enterprise Application Platform 744 security update Type/Severity Security Advisory: Low Topic A security update is now available for Red Hat JBoss Enterprise Application Platform 74Red Hat Product Security has rated this update as having a security impact of Low A Common Vulnerability Scoring System (CVSS) ba ...
Synopsis Moderate: OpenShift Container Platform 4831 security update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Container Platform release 4831 is now available withupdates to packages and images that fix several bugs and add enhancementsThis release includes a security update for Red Hat OpenShift Container Platfo ...
Synopsis Moderate: OpenShift Container Platform 4743 security update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Container Platform release 4743 is now available withupdates to packages and images that fix several bugs and add enhancementsThis release includes a security update for Red Hat OpenShift Container Platfo ...
Synopsis Low: Red Hat JBoss Enterprise Application Platform 744 security update Type/Severity Security Advisory: Low Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic A security update is now available for Red Hat JBoss Enterprise Application Platform 74 for Red ...
Synopsis Important: Red Hat AMQ Streams 167 release and security update Type/Severity Security Advisory: Important Topic Red Hat AMQ Streams 167 is now available from the Red Hat Customer PortalRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, ...
Apache Log4j2 versions 20-beta7 through 2170 (excluding security fix releases 232 and 2124) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute ...
Apache Log4j2 versions 20-beta7 through 2170 (excluding security fix releases 232 and 2124) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute ...
Critical Vulnerabilities in Apache Log4j Java Logging Library On December 9, 2021, the following critical vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions earlier than 2150 was disclosed: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoin ...
ALAS-2022-225 Amazon Linux 2022 Security Advisory: ALAS-2022-225 Advisory Release Date: 2022-12-06 16:42 Pacific ...
Apache Log4j2 versions 20-beta7 through 2170 (excluding security fix releases 232 and 2124) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute ...
Citrix is aware of four vulnerabilities affecting Apache Log4j2, three of which may allow an attacker to execute arbitrary code These three vulnerabilities have been given the following identifiers:  ...

Mailing Lists

Severity: moderate Description: Apache Log4j2 versions 20-beta7 through 2170 (excluding security fix releases 232 and 2124) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source refe ...

Github Repositories

Playbooks for setting up a Red Hat Advanced Cluster Security demo/workshop for log4shell vulnerability

Red Hat Advanced Cluster Security workshop - Run-Time Log4Shell Vulnerability Prevention Demo Overview Run-Time Vulnerability Prevention demonstrates the capabilities of Red Hat Advanced Cluster Security for cloud native applications in OpenShift and any xKS environment The industry is quickly moving to a DevSecOps Model, and shifting security to the left to secure build, depl

fix_log4j 对于容器环境下的漏洞应急: 官方已发布修复版本log4j-2150,将相关受影响镜像升级到修复版本,然后升级线上服务,相对来说是最安全的方案; 但是升级版本,除了对业务稳定性带来的影响是未知的之外,对于像log4j这种组件,其使用非常广泛,受影响的镜像非常多,逐个修

Goal Configure dependency-check-maven in a parent POM, allowing suppressions to be loaded from a known location (src/build/suppressionsxml) in a child project (if defined), based on the configuration described in jeremylong/DependencyCheck#3947 (comment) Running the reactor build: Note that the suppressions are not loaded (for the full output with debug logging turned on see

A tool that scans archives to check for vulnerable log4j versions

log4j-sniffer log4j-sniffer crawls for all instances of log4j on disk within a specified directory It can be used to determine whether there are any vulnerable instances of log4j within a directory tree and report or delete them depending on the mode used Scanning for versions affected by CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 is currently supported

A public open sourced tool. Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too! TAG_OS_TOOL, OWNER_KELLY, DC_PUBLIC

Log4-detector Scanner that detects vulnerable Log4J versions to help teams assess their exposure to CVE-2021-44228 (CRITICAL), CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832 Can search for Log4J instances by carefully examining the complete file-system, including all installed applications It is able to find Log4J instances that are hidden several layers deep Works on Li

EFK 설치 가이드 개요 EFK는 Elasticsearch, Fluentd 그리고 Kibana 세 개의 플랫폼 조합으로 클러스터 환경에서의 로그 수집, 검색 그리고 시각화를 제공한다 각 k8s 클러스터에 fluentd가 daemonset으로 log를 수집하여 elasticsearch에 적재하면, elasticsearch는 요청에 따른 검색 기능을 제공한다 kibana는 elast

Locate log4j vunerable files

find_log4j Locate vunerable log4j files The current advice is to upgrade for log4j v2172, this script can help find older versions Description The script tries to find log4j jar files and match their filenames, if found it checks the sha256 hash to compare If the filename is log4j-corejar or log4j-apijar, then it gets the hash and tries to match hash instead of filename

The complete ph websuite

ph-oton This set of Java libraries forms a package to build Java web applications Contained subprojects are: ph-oton-html - Java wrapper for all HTML elements and attributes ph-oton-jscode - a Java code model to build structured JS code ph-oton-jquery - an extension to ph-html-jscode to also support jQuery ph-oton-atom - ATOM newsfeed stuff ph-oton-io - basic IO stuff (sinc

log4j2demo

Apache log4j2 远程命令执行漏洞 2021-12-27 重要更新: 根据官网消息,2160和2170版本包暴露了新的漏洞(CVE-2021-45105)和(CVE-2021-44832)。建议升级到2171版本。 2021-12-18重要更新: 根据Apache Log4j2官网信息,针对漏洞CVE-2021-44228的临时规避方案,除了删除class之外,其他设置formatMsgNoLookups等环境变

Discover Log4Shell vulnerability [CVE-2021-44832]

Log4j Scanner Discover Log4Shell vulnerability [CVE-2021-44832] in your files and directories Description This Rust-based Log4j Scanner is designed to help you identify and locate vulnerable files that may contain the Log4Shell vulnerability [CVE-2021-44832] It scans files and directories to find instances of Loggerclass files with "log4j" in their names or JAR fil

Playbooks for setting up a Red Hat Advanced Cluster Security demo/workshop for log4shell vulnerability

Red Hat Advanced Cluster Security workshop - Run-Time Log4Shell Vulnerability Prevention Demo Overview Run-Time Vulnerability Prevention demonstrates the capabilities of Red Hat Advanced Cluster Security for cloud native applications in OpenShift and any xKS environment The industry is quickly moving to a DevSecOps Model, and shifting security to the left to secure build, depl

log4jScan_demo ------------------------------------------------------------------------------------------ |githubcom/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words | |githubcom/YfryTchsGD/Log4jAttackSurface | |githubcom/christophetd/log4shell-vulnerable-app

Playbooks for setting up a Red Hat Advanced Cluster Security demo/workshop for log4shell vulnerability

Red Hat Advanced Cluster Security workshop - Run-Time Log4Shell Vulnerability Prevention Demo Overview Run-Time Vulnerability Prevention demonstrates the capabilities of Red Hat Advanced Cluster Security for cloud native applications in OpenShift and any xKS environment The industry is quickly moving to a DevSecOps Model, and shifting security to the left to secure build, depl

A hash utility, est. 2002, FLOSS. 489 hash functions, HMAC support, cross platform, feature-rich, multi threaded. CLI and API. Recursive hashing, predefined and customizable formats, verify data integrity and find ok/failed/missing/new files, find files by their hashes, find the hash function to a hash. GUI provided by HashGarten.

Jacksum Jacksum (JAva ChecKSUM) is a free, open source, cross-platform, feature-rich, multi-threaded, command line utility that makes hash functions available to you to solve particular tasks the smart way Jacksum covers many types of use cases in which hash values make sense: Calculating of hash values/fingerprints of almost any input (command line arg, console, standard in

Scan systems and docker images for potential log4j vulnerabilities. Able to patch (remove JndiLookup.class) from layered archives. Will detect in-depth (layered archives jar/zip/tar/war and scans for vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105). Binaries for Windows, Linux and OsX, but can be build on each platfo…

divd-2021-00038--log4j-scanner This scanner will recursively scan paths including archives for vulnerable log4j versions and org/apache/logging/log4j/core/lookup/JndiLookupclass files Currently the allow list defines non exploitable versions, in this case log4j-core 2170 and 2123

A script that automates the steps needed to update the log4j2 binaries in a mule 3.x.x standalone installation. To remedy the log4shell vulnerabilities.

Mule-3xx standalone log4j2 update-script This is my first time writing a shell script, so I don't take any responsibility for anything Neither the contents, nor your system, before or after using this script Please make a backup, beforehand About This script will automate the steps laid out by mulesoft to update the log4j2 binaries in the mule 3xx standalone packag

Scanner recursivo de arquivos desenvolvido em Python 3 para localização e varredura de versões vulneráveis do Log4j2, contemplando análise interna de arquivos JAR (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 e CVE-2021-44832)

████████████████▀███████████████████████████████████████████████████████████████████ █▄─▄███─▄▄─█─▄▄▄▄█░█░████▄─▄█▀▀▀▀▀██▄─▄▄─█

A standard pkg installer to apply the IBM SPSS Statistics log4j fixes.

Fix pack for SPSS log4j vulnerabilities Applies the log4j 2171 fixes recomended by IBM for log4j vulnerabilities (Security bulletin copied below) There is a prebuilt signed pkg located in the build directory You can deploy it using whatever means ** created using munkipkg Document Source: wwwibmcom/support/pages/apache-log4j-cve-2021-44228-vulnerability-ibm-spss

Patch Pulsar Docker images with Log4J 2.17.1 update to mitigate Apache Log4J Security Vulnerabilities including Log4Shell

Patch pulsar images with Apache Log4J 2171 upgrade Covers CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 CVE-2021-44832 See Log4J Security Vulnerabilities and upgrades for more information see the Dockerfile for the solution Building and pushing patched docker images example usage: # build and tag image docker build --build-arg=ORIGINAL_IMAGE=apachepulsar/pulsar-all:281

Demo Repositories of Cycode and AWS Collaboration Live Stream on Twitch!

Demo Repositories of Cycode and AWS Collaboration Live Stream on Twitch! Cycode research team collaborated with the AWS Development Relations team to promote a series of streams live-showing interesting security concepts for the development community The series is called #TheBigDevTheory, and together with AWS, we did three streams covering various aspects of securing CI/CD pr

Conftest Snyk Demos The following demos show how to use conftest with Snyk to break builds based on certain conditions Conftest is a utility to help you write tests against structured configuration data For instance, you could write tests for your Kubernetes configurations, Tekton pipeline definitions, Terraform code, Serverless configs or any other structured data In this c

log4j-sniffer log4j-sniffer crawls for all instances of log4j on disk within a specified directory It can be used to determine whether there are any vulnerable instances of log4j within a directory tree and report or delete them depending on the mode used Scanning for versions affected by CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 is currently supported

Demonstration of the Log4Shell vulnerability

Log4Shell lab This tutorial, including all code and documentation, is provided for educational and research purposes only It aims to enhance understanding of cybersecurity vulnerabilities, defensive strategies, and the importance of maintaining secure systems The demonstration of the Log4Shell vulnerability is intended to inform developers, security professionals, and educat

Common Vulnerabilities and Exposures (CVEs) are a standardized way of cataloging vulnerabilities in software When a security vulnerability is discovered, it can be assigned a CVE identifier to ensure that information about the vulnerability can be shared and referenced across different platforms and organizations CVEs are currently maintained as freeform text descriptions of

Log4-detector Scanner that detects vulnerable Log4J versions to help teams assess their exposure to CVE-2021-44228 (CRITICAL), CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832 Can search for Log4J instances by carefully examining the complete file-system, including all installed applications It is able to find Log4J instances that are hidden several layers deep Works on Li

kiwi-kafka - A Kafka Web Interface

KIWI - Kafka Interactive Web Interface Note: Security Vulnerability CVE-2021-44832 in log4j2 present in tags/releases before 081 A Kafka Web Interface, written to help my professional day to day role working with kafka, but provided here in the event anyone else may benefit from using it What this tool attempts to provide API versions of console scripts provided in kafka

Getting up and running with Snyk CLI

Getting Started with Snyk CLI This guide is provided as a quick reference to getting started with Snyk CLI We will use an existing repository during a set of tests we run showing how to perform common tasks with the Snyk CLI Note: This does not attempt to replace the Snyk Docs which go into far more details but instead aid in a quick start with the snyk CLI Step 1 - Installing

A simple to use Java code classes for the Browser Capabilities Project (Browscap.org) project.

browscap4jFileReader A simple to use Java code classes, for embedding into your own projects, using the Browser Capabilities Project browscapcsv file, which can be download from here Which fields from browscapcsv are actual, mostly unmaintained or deprecated, can determined from following link: Resource: User Agents Database Changes to Version 12 2022-04-19 - Vulnerability -

Scans the file system to find Log4Shell vulnerabilities.

Log4Shell Scanner Log4Shell Scanner (log4shell-scanner-rs) is a CLI application written in Rust It scans the file system to find Java applications that may be vulnerable to Log4Shell related vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832) Detail of Log4Shell vulnerabilities affecting Log4j2: CVE Severity Fix version (min Java version)

Salesforce Marketing Cloud Java SDK

Salesforce Marketing Cloud Java SDK The Salesforce Marketing Cloud Java SDK enables developers to easily access the Salesforce Marketing Cloud (formerly ExactTarget) via the Java platform Among other things, the SDK: automatically acquires and refreshes Marketing Cloud access tokens enables developers to access both Marketing Cloud SOAP and REST APIs in the same session

Log4j 2170 RCE -- CVE-2021-44832 复现 启动恶意jndi server java -jar JNDI-Injection-Exploit-10-SNAPSHOT-alljar -C "/System/Applications/Calculatorapp/Contents/MacOS/Calculator" -A "127001" 修改config/log4j2xml中的DataSource部分为你生成的jndi地址 <?xml version="10" encod

Patching the Log4j vulnerability in Gluu Server Gluu Server versions covered: Gluu v4, v3 ( from 315 to 318 ), Enterprise Edition, Cloud Native and Snapcraft Security Vulnerabilities: CVE-2021-44832, CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228 Log4j library versions affected: 216 and earlier   Overview: On December 17th, Apache announced critical vulnerabi

Fast filesystem scanner for CVE-2021-44228

Filesystem log4j_scanner for windows and Unix Scanning for CVE-2021-44228, CVE-2021-45046, CVE-2019-17571, CVE-2021-44832 Requires a minimum of Python 27 Can be executed as Custom Script Rule of an Audit or via a Server Script with Server Automation Also executable standalone from the command line Reference githubcom/hillu/local-log4j-vuln-scanner/ github

Scanner recursivo de arquivos desenvolvido em Python 3 para localização e varredura de versões vulneráveis do Log4j2, contemplando análise interna de arquivos JAR (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 e CVE-2021-44832)

████████████████▀███████████████████████████████████████████████████████████████████ █▄─▄███─▄▄─█─▄▄▄▄█░█░████▄─▄█▀▀▀▀▀██▄─▄▄─█

🚨 Log4Shell: CVE-2021-44228 🚨 ❓ What is Log4Shell? The Log4Shell attack was a widespread Java exploit targeting a common logging package (Log4j) for remote code execution It leveraged a critical vulnerability in the Log4j library, enabling attackers to execute arbitrary code remotely via crafted log messages Despite the ubiquity of Log4j in various software frameworks

The Clouditor is a tool to support continuous cloud assurance. Developed by Fraunhofer AISEC.

Clouditor Community Edition NoteNote: We are currently preparing a v2 release of Clouditor, which will be somewhat incompatible with regards to storage to v1 The APIs will remain largely the same, but will be improved and cleaned We will regularly release pre-release v2 versions, but do not have a concrete time-frame for a stable v2 yet If you are looking for a stable ve

Recent Articles

IT threat evolution in Q3 2022. Non-mobile statistics
Securelist • AMR • 18 Nov 2022

IT threat evolution in Q3 2022 IT threat evolution in Q3 2022. Non-mobile statistics IT threat evolution in Q3 2022. Mobile statistics These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data. Quarterly figures According to Kaspersky Security Network, in Q3 2022: Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe. Web Anti-Virus recognized 251,288,987...

Four million outdated Log4j downloads were served from Apache Maven Central alone despite vuln publicity blitz
The Register • Gareth Corfield • 11 Jan 2022

Get our weekly newsletter It's not as though folks haven't been warned about this

There have been millions of downloads of outdated, vulnerable Log4j versions despite the emergence of a serious security hole in December 2021, according to figures compiled by the firm that runs Apache Maven's Central Repository. That company, Sonatype, said it had seen four million downloads of exploitable Log4j versions from the repository alone between 10 December and the present day, out of a total of more than 10 million downloads over those past four weeks. Tracked as CVE-2021-44228 aka L...

You better have patched those Log4j holes or we'll see what a judge has to say – FTC
The Register • Thomas Claburn in San Francisco • 05 Jan 2022

Get our weekly newsletter Apply fixes responsibly in a timely manner or face the wrath of Lina Khan

The US Federal Trade Commission on Tuesday warned companies that vulnerable Log4j software needs to be patched … or else. In case any system administrators last month somehow missed the widespread alarm over vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832) in the Java logging package, the trade watchdog said Log4j continues to be exploited by a growing number of attackers and urged organizations to act now before it's too late. The FTC is advising companies to consult the US Cy...

Two years on, 1 in 4 apps still vulnerable to Log4Shell
The Register

Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources Lack of awareness still blamed for patching apathy despite it being among most infamous bugs of all time

Two years after the Log4Shell vulnerability in the open source Java-based Log4j logging utility was disclosed, circa one in four applications are dependent on outdated libraries, leaving them open to exploitation. Research from security shop Veracode revealed that the vast majority of vulnerable apps may never have updated the Log4j library after it was implemented by developers as 32 percent were running pre-2015 EOL versions. Prior investigations from Veracode also showed that 79 percent of al...