CVE-2021-44832

Published: 28/12/2021 Updated: 25/07/2022
CVSS v2 Base Score: 8.5 | Impact Score: 10 | Exploitability Score: 6.8
CVSS v3 Base Score: 6.6 | Impact Score: 5.9 | Exploitability Score: 0.7
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C

Vulnerability Summary

Apache Log4j2 versions 2.0-beta7 up to and including 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when the logging configuration uses a JDBC Appender whose data source is a JNDI LDAP URI and an attacker controls the target LDAP server. The issue is fixed by restricting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Most Upvoted Vulmon Research Post

If you have permission to modify the configuration file, then you already got the machine. How can it be a vulnerability?

Vulnerable Products

apache log4j 2.0

apache log4j

oracle weblogic server 12.2.1.3.0

oracle primavera unifier 18.8

oracle weblogic server 12.2.1.4.0

oracle primavera unifier 19.12

oracle weblogic server 14.1.1.0.0

oracle primavera unifier 20.12

oracle communications interactive session recorder 6.3

oracle communications interactive session recorder 6.4

oracle primavera gateway

oracle retail assortment planning 16.0.3

oracle primavera unifier 21.12

oracle primavera p6 enterprise project portfolio management 21.12.0.0

oracle primavera p6 enterprise project portfolio management

oracle primavera gateway 21.12.0

oracle retail fiscal management 14.2

oracle siebel ui framework 21.12

oracle communications diameter signaling router

cisco cloudcenter 4.10.0.16

fedoraproject fedora 34

fedoraproject fedora 35

debian debian linux 9.0

oracle siebel ui framework

Vendor Advisories

Debian Bug report logs - #1002813 apache-log4j2: CVE-2021-44832: remote code execution via JDBC Appender. Package: src:apache-log4j2; Maintainer for src:apache-log4j2 is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 29 Dec 2021 0 ...
Synopsis Moderate: OpenShift Container Platform 4.6.54 extras and security update. Type/Severity: Security Advisory: Moderate. Topic: Red Hat OpenShift Container Platform release 4.6.54 is now available with updates to packages and images that fix several bugs. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Re ...
Synopsis Important: Red Hat AMQ Streams 1.6.7 release and security update. Type/Severity: Security Advisory: Important. Topic: Red Hat AMQ Streams 1.6.7 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, ...
Synopsis Low: Red Hat JBoss Enterprise Application Platform 7.4.4 security update. Type/Severity: Security Advisory: Low. Red Hat Insights patch analysis: Identify and remediate systems affected by this advisory. View affected systems. Topic: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red ...
Synopsis Low: Red Hat JBoss Enterprise Application Platform 7.4.4 security update. Type/Severity: Security Advisory: Low. Topic: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) ba ...
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute ...
Synopsis Moderate: OpenShift Container Platform 4.7.43 security update. Type/Severity: Security Advisory: Moderate. Topic: Red Hat OpenShift Container Platform release 4.7.43 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platfo ...
Synopsis Moderate: OpenShift Container Platform 4.8.31 security update. Type/Severity: Security Advisory: Moderate. Topic: Red Hat OpenShift Container Platform release 4.8.31 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platfo ...
SSA-784507: Apache Log4j Vulnerability (CVE-2021-44832) via JDBC Appender - Impact to Siemens Products. Publication Date: 2021-12-28. Last Update: 2021-12-28. Current Version: 1.0. CVSS v3.1 Base Score: 6.6. SUMMARY: Apache Log4j2 versions 2.0-beta7 through 2.17.0 ...
Critical Vulnerabilities in Apache Log4j Java Logging Library. On December 9, 2021, the following critical vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions earlier than 2.15.0 was disclosed: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoin ...
Citrix is aware of four vulnerabilities affecting Apache Log4j2, three of which may allow an attacker to execute arbitrary code. These three vulnerabilities have been given the following identifiers: ...
SSA-661247: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products. Publication Date: 2021-12-13. Last Update: 2022-02-08. Current Version: 2.5. CVSS v3.1 Base Score: 10.0. SUMMARY: On 2021-12-09, a vulnerability in ...

Github Repositories

Jacksum: Jacksum (JAva ChecKSUM) is a free, open source, cross-platform, feature-rich, multi-threaded command line tool for calculating hash values, verifying data integrity, finding files by their fingerprints, and finding algorithms to hash values. Jacksum supports 472 hash functions, both cryptographic and non-cryptographic hash functions including CRCs and classic checksums:

fix_log4j: Emergency response to the vulnerability in container environments. The official fixed version log4j-2.15.0 has been released; upgrading the affected images to the fixed version and then upgrading the production services is, relatively speaking, the safest approach. However, apart from the unknown impact of a version upgrade on business stability, a component like log4j is used so widely that the number of affected images is very large, and fixing them one by one ...

CVE-2021-44832: CVE-2021-44832 is not really a vulnerability. It is an Arbitrary Code Execution (ACE), not a Remote Code Execution (RCE). It can be only triggered by changing the config file. If 2 is already the case, then you have a bigger problem (misconfiguration of your application and system). It is not a vulnerability (that you have to care about) by definition. There is mor ...

Amazon MSK Library for AWS Identity and Access Management. License: This project is licensed under the Apache-2.0 License. Introduction: The Amazon MSK Library for AWS Identity and Access Management enables developers to use AWS Identity and Access Management (IAM) to connect to their Amazon Managed Streaming for Apache Kafka (Amazon MSK) clusters. It allows JVM based Apache Kafka ...

Salesforce Marketing Cloud Java SDK: The Salesforce Marketing Cloud Java SDK enables developers to easily access the Salesforce Marketing Cloud (formerly ExactTarget) via the Java platform. Among other things, the SDK: automatically acquires and refreshes Marketing Cloud access tokens; enables developers to access both Marketing Cloud SOAP and REST APIs in the same session ...

Mule-3xx standalone log4j2 update-script: This is my first time writing a shell script, so I don't take any responsibility for anything, neither the contents, nor your system, before or after using this script. Please make a backup beforehand. About: This script will automate the steps laid out by MuleSoft to update the log4j2 binaries in the Mule 3.x.x standalone packag ...

Log4j 2.17.0 RCE -- CVE-2021-44832 reproduction: Start the malicious JNDI server: java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1". Change the DataSource section of config/log4j2.xml to the JNDI address you generated: <?xml version="1.0" encod ...

KIWI - Kafka Interactive Web Interface. Note: Security Vulnerability CVE-2021-44832 in log4j2 is present in tags/releases before 0.8.1. A Kafka Web Interface, written to help my professional day to day role working with Kafka, but provided here in the event anyone else may benefit from using it. What this tool attempts to provide: API versions of console scripts provided in Kafka ...

browscap4jFileReader: Simple to use Java classes, for embedding into your own projects, using the Browser Capabilities Project browscap.csv file, which can be downloaded from here. Which fields from browscap.csv are current, mostly unmaintained or deprecated can be determined from the following link: Resource: User Agents Database. Changes to Version 12, 2022-04-19 - Vulnerability - ...

MarkLogic Content Pump and MarkLogic Connector for Hadoop MarkLogic Content Pump (mlcp) is a command-line tool that provides the fastest way to import, export, and copy data to or from MarkLogic databases Core features of mlcp include: Bulk load billions of local files Split and load large, aggregate XML files or delimited text Bulk load billions of triples or quads from RDF

Important!! Log4j security patch release: CVE-2021-44832 (Dec 28 2021) will also fix CVE-2021-44228 & CVE-2021-45046. Check Ubuntu/Patches/Log4jSecurityFix_2.17.1.sh. References: www.wowza.com/docs/update-for-apache-log4j2-security-vulnerability, cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832, logging.apache.org/log4j/2.x/

CSV-Compare - How To Use: CSV-Compare is a tool for comparing vulnerability scans as reported in CSV files output by the MergeBase and OWASP Dependency-Check tools. Simply provide the two *.csv files you wish to compare as input. Vulnerabilities are categorized based on whether they appeared in "both" result sets, MergeBase-Only, or Dependency-Check-Only. $ java -jar cs ...

Log4j Vulnerabilities Mass Scanner: Automated scanning of thousands of hosts in your Active Directory domain in minutes for Log4j vulnerabilities, with a multithreaded mass scanner and detailed report. Supported CVE(s): CVE-2021-4104, CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105. Details: Get enabled servers list from Active Directory; multithreaded scan of all domain host ...

Log4Shell Scanner: Log4Shell Scanner (log4shell-scanner-rs) is a CLI application written in Rust. It scans the file system to find Java applications that may be vulnerable to Log4Shell related vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832). Detail of Log4Shell vulnerabilities affecting Log4j2: CVE, Severity, Fix version (min Java version) ...

Red Hat Advanced Cluster Security workshop - Run-Time Log4Shell Vulnerability Prevention Demo. What is Log4Shell? Log4Shell is a software vulnerability in Apache Log4j 2, a popular Java library for logging error messages in applications. The vulnerability, published as CVE-2021-44228, enables a remote attacker to take control of a device on the internet if the device is running ...

Dependency Check Sample: A sample repository using OWASP Dependency Check. What is OWASP Dependency Check? OWASP: a non-profit organization that shares information about software security and develops tools. OWASP Dependency Check: scans an application's dependencies for known vulnerabilities ...

CVE-2021-44228-log4j discovery (Download the MKP package): This plugin discovers vulnerable files for the CVE-2021-44228-log4j issue. To discover these files it uses the CVE-2021-44228-Scanner from logpresso. The scanner (and so the plugin) can discover the following log4j issues: CVE-2021-44228, CVE-2021-4104, CVE-2021-42550, CVE-2021-45105, CVE-2021-45046, CVE-2021-44832 RCE. Note: I ...

Shulkr: Shulkr is a tool that decompiles multiple versions of Minecraft and commits each version to Git. Warning: You CANNOT publish any code generated by this tool. For more info, see the usage guidelines. Version 0.3.3 fixed a major bug with the commit generation. It is recommended to remove all commits created before this and recreate them with the patch. No Log4j Vulnerabili ...

Red Hat Advanced Cluster Security demo/workshop for log4shell Vulnerability Demo. What is Log4Shell? Log4Shell is a software vulnerability in Apache Log4j 2, a popular Java library for logging error messages in applications. The vulnerability, published as CVE-2021-44228, enables a remote attacker to take control of a device on the internet if the device is running certain versi ...

Log4Shell Vulnerable Java App. Paul McCarty, January 10, 2022, based on the Jasmin project. CVEs in scope for this document: CVE-2021-44228, CVE-2021-4104, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105.

Log4J-Mitigation-CVE-2021-44228,CVE-2021-45046,CVE-2021-45105,CVE-2021-44832: Please keep an eye on this page as the Apache Log4j team is disclosing a lot more CVEs and fixing security issues very rapidly. Update - 28-Dec-2021: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration. Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3 ...

log4j-resources: Collection of resources for responding to the Log4j set of vulnerabilities (Pluralsight - Log4j Vulnerability: What you should know)[app.pluralsight.com/library/courses/log4j-vulnerability-what-you-should-know/]. The current recommendation for remediation teams is to immediately patch to the newest version of log4j. Vulnerabilities: The remote code executi ...

Dynatrace AppSec Powerup: Automated Security Reporting Utility for Dynatrace Security Features. Built with log4j in mind, the remediator provides the ability to: tag CVEs within a tenant; manage CVEs in the form of Management Zones and Dashboards; build reports on CVEs across environments. With the CVE tagger auto_tag and CVE configurator push_configs users can ...

PoC in GitHub 2022: CVE-2022-0185 (2022-02-11): A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameter's length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a f ...

Recent Articles

Four million outdated Log4j downloads were served from Apache Maven Central alone despite vuln publicity blitz
The Register • Gareth Corfield • 11 Jan 2022

It's not as though folks haven't been warned about this

There have been millions of downloads of outdated, vulnerable Log4j versions despite the emergence of a serious security hole in December 2021, according to figures compiled by the firm that runs Apache Maven's Central Repository.
That company, Sonatype, said it had seen four million downloads of exploitable Log4j versions from the repository alone between 10 December and the present day, out of a total of more than 10 million downloads over those past four weeks.
Tracked as CVE-2021...

You better have patched those Log4j holes or we'll see what a judge has to say – FTC
The Register • Thomas Claburn in San Francisco • 05 Jan 2022

Apply fixes responsibly in a timely manner or face the wrath of Lina Khan

The US Federal Trade Commission on Tuesday warned companies that vulnerable Log4j software needs to be patched … or else.
In case any system administrators last month somehow missed the widespread alarm over vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832) in the Java logging package, the trade watchdog said Log4j continues to be exploited by a growing number of attackers and urged organizations to act now before it's too late.
The FTC is advising companies to consu...

Microsoft Sees Rampant Log4j Exploit Attempts, Testing
Threatpost • Lisa Vaas • 04 Jan 2022

No surprise here: The holidays brought no Log4Shell relief.
Threat actors vigorously launched exploit attempts and testing during the last weeks of December, Microsoft said on Monday, in the latest update to its landing page and guidance around the flaws in Apache’s Log4j logging library.
“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” according to Micro...

Log4j 2.17.1 out now, fixes new remote code execution bug
BleepingComputer • Ax Sharma • 28 Dec 2021

Apache has released another Log4j version, 2.17.1 fixing a newly discovered remote code execution (RCE) vulnerability in 2.17.0, tracked as CVE-2021-44832.
Prior to today, 2.17.0 was the most recent version of Log4j and deemed the safest release to upgrade to, but that advice has now evolved.
Mass exploitation of the original (CVE-2021-44228) by threat actors began around December 9th, when a for it surfaced on GitHub.
Given Log4j's vast usage in the majority...