Published: 28/12/2021 Updated: 10/01/2022
CVSS v2 Base Score: 6 | Impact Score: 6.4 | Exploitability Score: 6.8
CVSS v3 Base Score: 6.6 | Impact Score: 5.9 | Exploitability Score: 0.7
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Vulnerability Summary

Apache Log4j2 versions 2.0-beta7 up to and including 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to remote code execution (RCE) when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker controls the target LDAP server. The issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Most Upvoted Vulmon Research Post

If you have permission to modify the configuration file, then you already got the machine. How can it be a vulnerability?

Vulnerable Products

apache log4j 2.0

apache log4j

Vendor Advisories

Debian Bug report logs - #1002813 apache-log4j2: CVE-2021-44832: remote code execution via JDBC Appender. Package: src:apache-log4j2; Maintainer for src:apache-log4j2 is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 29 Dec 2021 0 ...
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute ...
SSA-784507: Apache Log4j Vulnerability (CVE-2021-44832) via JDBC Appender - Impact to Siemens Products. Publication Date: 2021-12-28; Last Update: 2021-12-28; Current Version: 1.0; CVSS v3.1 Base Score: 6.6. SUMMARY: Apache Log4j2 versions 2.0-beta7 through 2.17.0 ...

Github Repositories

fix_log4j For emergency response to the vulnerability in container environments: the official fixed release log4j 2.15.0 has been published; upgrading the affected images to the fixed version and then upgrading the production services is relatively the safest approach. However, apart from the unknown impact an upgrade has on business stability, a component such as log4j is used so widely that the number of affected images is very large, and fixing them one by one

CVE-2021-44832 CVE-2021-44832 is not really a vulnerability. It is an Arbitrary Code Execution (ACE), not a Remote Code Execution (RCE). It can only be triggered by changing the config file. If 2 is already the case, then you have a bigger problem (misconfiguration of your application and system). It is not a vulnerability (that you have to care about) by definition. There is mor

Salesforce Marketing Cloud Java SDK The Salesforce Marketing Cloud Java SDK enables developers to easily access the Salesforce Marketing Cloud (formerly ExactTarget) via the Java platform. Among other things, the SDK: automatically acquires and refreshes Marketing Cloud access tokens; enables developers to access both Marketing Cloud SOAP and REST APIs in the same session

Mule-3xx standalone log4j2 update-script This is my first time writing a shell script, so I don't take any responsibility for anything. Neither the contents, nor your system, before or after using this script. Please make a backup beforehand. About: This script will automate the steps laid out by MuleSoft to update the log4j2 binaries in the Mule 3.x.x standalone packag

Log4j 2.17.0 RCE -- CVE-2021-44832 reproduction. Start the malicious JNDI server: java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1". Change the DataSource section of config/log4j2.xml to the JNDI address you generated. <?xml version="1.0" encod

KIWI - Kafka Interactive Web Interface Note: Security Vulnerability CVE-2021-44832 in log4j2 present in tags/releases before 0.8.1. A Kafka Web Interface, written to help my professional day to day role working with Kafka, but provided here in the event anyone else may benefit from using it. What this tool attempts to provide: API versions of console scripts provided in Kafka

Important!! Log4j security patch release: CVE-2021-44832 (Dec 28 2021). Will also fix: CVE-2021-44228 & CVE-2021-45046. Check Ubuntu/Patches/Log4jSecurityFix_2.17.1.sh. References: www.wowza.com/docs/update-for-apache-log4j2-security-vulnerability, cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832, logging.apache.org/log4j/2.x/

Log4j Vulnerabilities Mass Scanner Automatically scans thousands of hosts in your Active Directory domain in minutes for Log4j vulnerabilities, with a multithreaded mass scanner and a detailed report. Supported CVE(s): CVE-2021-4104, CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105. Details: Get the enabled servers list from Active Directory; multithreaded scan of all domain host

Log4Shell Scanner Log4Shell Scanner (log4shell-scanner-rs) is a CLI application written in Rust. It scans the file system to find Java applications that may be vulnerable to Log4Shell related vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832). Detail of Log4Shell vulnerabilities affecting Log4j2: CVE | Severity | Fix version (min Java version)

CVE-2021-44228-log4j discovery (Download the MKP package) This plugin discovers vulnerable files for the CVE-2021-44228-log4j issue. To discover these files it uses the CVE-2021-44228-Scanner from logpresso. The scanner (and so the plugin) can discover the following log4j issues: CVE-2021-44228, CVE-2021-4104, CVE-2021-42550, CVE-2021-45105, CVE-2021-45046, CVE-2021-44832 RCE. Note: I

Shulkr Shulkr is a tool that decompiles multiple versions of Minecraft and commits each version to Git. Warning: You CANNOT publish any code generated by this tool. For more info, see the usage guidelines. Version 0.3.3 fixed a major bug with the commit generation. It is recommended to remove all commits created before this and recreate them with the patch. No Log4j Vulnerabili

Log4Shell Vulnerable Java App Paul McCarty, January 10, 2022, based on the Jasmin project. CVEs in scope for this document: CVE-2021-44228, CVE-2021-4104, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105

Log4J-Mitigation-CVE-2021-44228,CVE-2021-45046,CVE-2021-45105,CVE-2021-44832 Please keep an eye on this page as the Apache Log4j team is disclosing a lot more CVEs and fixing security issues very rapidly. Update - 28-Dec-2021 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration. Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3

Recent Articles

Four million outdated Log4j downloads were served from Apache Maven Central alone despite vuln publicity blitz
The Register • Gareth Corfield • 11 Jan 2022

It's not as though folks haven't been warned about this

There have been millions of downloads of outdated, vulnerable Log4j versions despite the emergence of a serious security hole in December 2021, according to figures compiled by the firm that runs Apache Maven's Central Repository.
That company, Sonatype, said it had seen four million downloads of exploitable Log4j versions from the repository alone between 10 December and the present day, out of a total of more than 10 million downloads over those past four weeks.
Tracked as CVE-2021...

You better have patched those Log4j holes or we'll see what a judge has to say – FTC
The Register • Thomas Claburn in San Francisco • 05 Jan 2022

Apply fixes responsibly in a timely manner or face the wrath of Lina Khan

The US Federal Trade Commission on Tuesday warned companies that vulnerable Log4j software needs to be patched … or else.
In case any system administrators last month somehow missed the widespread alarm over vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832) in the Java logging package, the trade watchdog said Log4j continues to be exploited by a growing number of attackers and urged organizations to act now before it's too late.
The FTC is advising companies to consu...

Microsoft Sees Rampant Log4j Exploit Attempts, Testing
Threatpost • Lisa Vaas • 04 Jan 2022

No surprise here: The holidays bought no Log4Shell relief.
Threat actors vigorously launched exploit attempts and testing during the last weeks of December, Microsoft said on Monday, in the latest update to its landing page and guidance around the flaws in Apache’s Log4j logging library.
“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” according to Micro...

Log4j 2.17.1 out now, fixes new remote code execution bug
BleepingComputer • Ax Sharma • 28 Dec 2021

Apache has released another Log4j version, 2.17.1 fixing a newly discovered remote code execution (RCE) vulnerability in 2.17.0, tracked as CVE-2021-44832.
Prior to today, 2.17.0 was the most recent version of Log4j and deemed the safest release to upgrade to, but that advice has now evolved.
Mass exploitation of the original Log4Shell flaw (CVE-2021-44228) by threat actors began around December 9th, when a proof-of-concept for it surfaced on GitHub.
Given Log4j's vast usage in the majority...