{"containers": {"cna": {"affected": [{"product": "Apache Log4j2", "vendor": "Apache Software Foundation", "versions": [{"changes": [{"at": "2.13.0", "status": "affected"}, {"at": "2.12.4", "status": "unaffected"}, {"at": "2.4", "status": "affected"}, {"at": "2.3.2", "status": "unaffected"}, {"at": "2.0-beta7", "status": "affected"}], "lessThan": "2.17.1", "status": "affected", "version": "log4j-core", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2."}], "metrics": [{"other": {"content": {"other": "moderate"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-25T16:41:33.000Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"}, {"tags": ["x_refsource_MISC"], "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"}, {"name": "[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/12/28/1"}, {"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"}, {"name": "FEDORA-2021-c6f471ce0f", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"}, {"name": "FEDORA-2021-1bd9151bab", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220104-0001/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "source": {"defect": ["LOG4J2-3293", ""], "discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2021-12-27T00:00:00.000Z", "value": "reported"}, {"lang": "en", "time": "2021-12-27T00:00:00.000Z", "value": "patch proposed, 2.17.1-rc1"}, {"lang": "en", "time": "2021-12-28T00:00:00.000Z", "value": "fixed"}, {"lang": "en", "time": "2021-12-28T00:00:00.000Z", "value": "public"}], "title": "Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-44832", "STATE": "PUBLIC", "TITLE": "Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Log4j2", "version": {"version_data": [{"version_affected": "<", "version_name": "log4j-core", "version_value": "2.17.1"}, {"version_affected": ">=", "version_name": "log4j-core", "version_value": "2.13.0"}, {"version_affected": "<", "version_name": "log4j-core", "version_value": "2.12.4"}, {"version_affected": ">=", "version_name": "log4j-core", "version_value": "2.4"}, {"version_affected": "<", "version_name": "log4j-core", "version_value": "2.3.2"}, {"version_affected": ">=", "version_name": "log4j-core", "version_value": "2.0-beta7"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "moderate"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}, {"description": [{"lang": "eng", "value": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}]}, "references": {"reference_data": [{"name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"}, {"name": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143", "refsource": "MISC", "url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"}, {"name": "https://issues.apache.org/jira/browse/LOG4J2-3293", "refsource": "MISC", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"}, {"name": "[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/12/28/1"}, {"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"}, {"name": "FEDORA-2021-c6f471ce0f", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"}, {"name": "FEDORA-2021-1bd9151bab", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"}, {"name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "https://security.netapp.com/advisory/ntap-20220104-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220104-0001/"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}, "source": {"defect": ["LOG4J2-3293", ""], "discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2021-12-27T00:00:00.000Z", "value": "reported"}, {"lang": "en", "time": "2021-12-27T00:00:00.000Z", "value": "patch proposed, 2.17.1-rc1"}, {"lang": "en", "time": "2021-12-28T00:00:00.000Z", "value": "fixed"}, {"lang": "en", "time": "2021-12-28T00:00:00.000Z", "value": "public"}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:32:13.076Z"}, "title": "CVE Program Container", "references": [{"name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"}, {"name": "[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/12/28/1"}, {"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"}, {"name": "FEDORA-2021-c6f471ce0f", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"}, {"name": "FEDORA-2021-1bd9151bab", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20220104-0001/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-05-29T18:53:35.535632Z", "id": "CVE-2021-44832", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-29T18:53:46.103Z"}}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-44832", "datePublished": "2021-12-28T19:35:11.000Z", "dateReserved": "2021-12-11T00:00:00.000Z", "dateUpdated": "2026-05-29T18:53:46.103Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd", "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"]}, {"url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://issues.apache.org/jira/browse/LOG4J2-3293", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2021/12/28/1", "name": "[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html", "name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/", "name": "FEDORA-2021-c6f471ce0f", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/", "name": "FEDORA-2021-1bd9151bab", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20220104-0001/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:32:13.076Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-44832", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-05-29T18:53:35.535632Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-29T18:53:17.608Z"}}], "cna": {"title": "Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration", "source": {"defect": ["LOG4J2-3293", ""], "discovery": "UNKNOWN"}, "metrics": [{"other": {"type": "unknown", "content": {"other": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Log4j2", "versions": [{"status": "affected", "changes": [{"at": "2.13.0", "status": "affected"}, {"at": "2.12.4", "status": "unaffected"}, {"at": "2.4", "status": "affected"}, {"at": "2.3.2", "status": "unaffected"}, {"at": "2.0-beta7", "status": "affected"}], "version": "log4j-core", "lessThan": "2.17.1", "versionType": "custom"}]}], "timeline": [{"lang": "en", "time": "2021-12-27T00:00:00.000Z", "value": "reported"}, {"lang": "en", "time": "2021-12-27T00:00:00.000Z", "value": "patch proposed, 2.17.1-rc1"}, {"lang": "en", "time": "2021-12-28T00:00:00.000Z", "value": "fixed"}, {"lang": "en", "time": "2021-12-28T00:00:00.000Z", "value": "public"}], "references": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd", "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "tags": ["vendor-advisory", "x_refsource_CISCO"]}, {"url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143", "tags": ["x_refsource_MISC"]}, {"url": "https://issues.apache.org/jira/browse/LOG4J2-3293", "tags": ["x_refsource_MISC"]}, {"url": "http://www.openwall.com/lists/oss-security/2021/12/28/1", "name": "[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html", "name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/", "name": "FEDORA-2021-c6f471ce0f", "tags": ["vendor-advisory", "x_refsource_FEDORA"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/", "name": "FEDORA-2021-1bd9151bab", "tags": ["vendor-advisory", "x_refsource_FEDORA"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["x_refsource_MISC"]}, {"url": "https://security.netapp.com/advisory/ntap-20220104-0001/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_refsource_MISC"]}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-07-25T16:41:33.000Z"}, "x_legacyV4Record": {"impact": [{"other": "moderate"}], "source": {"defect": ["LOG4J2-3293", ""], "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "log4j-core", "version_value": "2.17.1", "version_affected": "<"}, {"version_name": "log4j-core", "version_value": "2.13.0", "version_affected": ">="}, {"version_name": "log4j-core", "version_value": "2.12.4", "version_affected": "<"}, {"version_name": "log4j-core", "version_value": "2.4", "version_affected": ">="}, {"version_name": "log4j-core", "version_value": "2.3.2", "version_affected": "<"}, {"version_name": "log4j-core", "version_value": "2.0-beta7", "version_affected": ">="}]}, "product_name": "Apache Log4j2"}]}, "vendor_name": "Apache Software Foundation"}]}}, "timeline": [{"lang": "en", "time": "2021-12-27T00:00:00.000Z", "value": "reported"}, {"lang": "en", "time": "2021-12-27T00:00:00.000Z", "value": "patch proposed, 2.17.1-rc1"}, {"lang": "en", "time": "2021-12-28T00:00:00.000Z", "value": "fixed"}, {"lang": "en", "time": "2021-12-28T00:00:00.000Z", "value": "public"}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd", "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "refsource": "CISCO"}, {"url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143", "name": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143", "refsource": "MISC"}, {"url": "https://issues.apache.org/jira/browse/LOG4J2-3293", "name": "https://issues.apache.org/jira/browse/LOG4J2-3293", "refsource": "MISC"}, {"url": "http://www.openwall.com/lists/oss-security/2021/12/28/1", "name": "[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration", "refsource": "MLIST"}, {"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html", "name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update", "refsource": "MLIST"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf", "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf", "refsource": "CONFIRM"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/", "name": "FEDORA-2021-c6f471ce0f", "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/", "name": "FEDORA-2021-1bd9151bab", "refsource": "FEDORA"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC"}, {"url": "https://security.netapp.com/advisory/ntap-20220104-0001/", "name": "https://security.netapp.com/advisory/ntap-20220104-0001/", "refsource": "CONFIRM"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}, {"description": [{"lang": "eng", "value": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-44832", "STATE": "PUBLIC", "TITLE": "Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration", "ASSIGNER": "security@apache.org"}}}}, "cveMetadata": {"cveId": "CVE-2021-44832", "state": "PUBLISHED", "dateUpdated": "2026-05-29T18:53:46.103Z", "dateReserved": "2021-12-11T00:00:00.000Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2021-12-28T19:35:11.000Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5737813-009A-4FDD-AC84-42E871EA1676", "versionEndExcluding": "2.3.2", "versionStartIncluding": "2.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D1858C4-53AC-4528-B86F-0AB83777B4F4", "versionEndExcluding": "2.12.4", "versionStartIncluding": "2.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", "matchCriteriaId": "D127EBB0-E86F-4349-96E5-19BD198E0CCA", "versionEndExcluding": "2.17.1", "versionStartIncluding": "2.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*", "matchCriteriaId": "17854E42-7063-4A55-BF2A-4C7074CC2D60", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:log4j:2.0:beta7:*:*:*:*:*:*", "matchCriteriaId": "F9D58C21-34AE-4782-8580-816B2F6A8F9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:log4j:2.0:beta8:*:*:*:*:*:*", "matchCriteriaId": "DCFCBA59-E0DF-46FD-8431-C1043E7AB4EE", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*", "matchCriteriaId": "53F32FB2-6970-4975-8BD0-EAE12E9AD03A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "B773ED91-1D39-42E6-9C52-D02210DE1A94", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "EF24312D-1A62-482E-8078-7EC24758B710", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", "matchCriteriaId": "83F42D52-1E43-44E0-8B53-A2A918BDDEC3", "versionEndIncluding": "8.5.1.0", "versionStartIncluding": "8.0.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:*:*:*:*:*:*:*", "matchCriteriaId": "46E23F2E-6733-45AF-9BD9-1A600BD278C8", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*", "matchCriteriaId": "E812639B-EE28-4C68-9F6F-70C8BF981C86", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B1C88FD-C2EC-4C96-AC7E-6F95C8763B48", "versionEndIncluding": "17.12.11", "versionStartIncluding": "17.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "A621A5AE-6974-4BA5-B1AC-7130A46F68F5", "versionEndIncluding": "18.8.13", "versionStartIncluding": "18.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "4096281D-2EBA-490D-8180-3C9D05EB890A", "versionEndIncluding": "19.12.12", "versionStartIncluding": "19.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6B70E72-B9FC-4E49-8EDD-29C7E14F5792", "versionEndIncluding": "20.12.7", "versionStartIncluding": "20.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:21.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "15F45363-236B-4040-8AE4-C6C0E204EDBA", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "A66F0C7C-4310-489F-8E91-4171D17DB32F", "versionEndIncluding": "19.12.18.0", "versionStartIncluding": "19.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "651104CE-0569-4E6D-ACAB-AD2AC85084DD", "versionEndIncluding": "20.12.12.0", "versionStartIncluding": "20.12.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:21.12.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "45D89239-9142-46BD-846D-76A5A74A67B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*", "matchCriteriaId": "202AD518-2E9B-4062-B063-9858AE1F9CE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*", "matchCriteriaId": "10864586-270E-4ACF-BDCC-ECFCD299305F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*", "matchCriteriaId": "38340E3C-C452-4370-86D4-355B6B4E0A06", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*", "matchCriteriaId": "E9C55C69-E22E-4B80-9371-5CD821D79FE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "48C9BD8E-7214-4B44-B549-6F11B3EA8A04", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_fiscal_management:14.2:*:*:*:*:*:*:*", "matchCriteriaId": "A5F6FD19-A314-4A1F-96CB-6DB1CED79430", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:siebel_ui_framework:21.12:*:*:*:*:*:*:*", "matchCriteriaId": "8D62731F-3290-4383-A4F6-5274B4D63B1D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:cloudcenter:4.10.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "66AB39B2-0CE1-4C7E-9E7B-B288A080D584", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "6894D860-000E-439D-8AB7-07E9B2ACC31B", "versionEndExcluding": "12.0.0.4.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "FD66C717-85E0-40E7-A51F-549C8196D557", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9550113-7423-48D8-A1C7-95D6AEE9B33C", "versionEndIncluding": "8.5.1.0", "versionStartIncluding": "8.3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:*:*:*:*:*:*:*", "matchCriteriaId": "46E23F2E-6733-45AF-9BD9-1A600BD278C8", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*", "matchCriteriaId": "E812639B-EE28-4C68-9F6F-70C8BF981C86", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "61A2E42A-4EF2-437D-A0EC-4A6A4F1EBD11", "versionEndExcluding": "12.0.0.4.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "5933FEA2-B79E-4EE7-B821-54D676B45734", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1B74B912-152D-4F38-9FC1-741D6D0B27FC", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:health_sciences_data_management_workbench:2.5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "E6C9A32B-B776-4704-818D-977B4B20D677", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.0.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "6989178B-A3D5-4441-A56C-6C639D4759DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "F5049591-AA1B-4D64-A925-40D0724074D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:*", "matchCriteriaId": "F47057A9-2DDE-4178-B140-F7D70EAED8F6", "versionEndIncluding": "12.2.24", "versionStartIncluding": "12.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:*", "matchCriteriaId": "9132D7F2-43B3-4595-B8BF-C9DE897087F6", "versionEndIncluding": "12.2.24", "versionStartIncluding": "12.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B1C88FD-C2EC-4C96-AC7E-6F95C8763B48", "versionEndIncluding": "17.12.11", "versionStartIncluding": "17.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "A621A5AE-6974-4BA5-B1AC-7130A46F68F5", "versionEndIncluding": "18.8.13", "versionStartIncluding": "18.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "4096281D-2EBA-490D-8180-3C9D05EB890A", "versionEndIncluding": "19.12.12", "versionStartIncluding": "19.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6B70E72-B9FC-4E49-8EDD-29C7E14F5792", "versionEndIncluding": "20.12.7", "versionStartIncluding": "20.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:21.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "15F45363-236B-4040-8AE4-C6C0E204EDBA", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD0DEC50-F4CD-4ACA-A118-D4F0D4F4C981", "versionEndIncluding": "19.12.18.0", "versionStartIncluding": "19.12.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "651104CE-0569-4E6D-ACAB-AD2AC85084DD", "versionEndIncluding": "20.12.12.0", "versionStartIncluding": "20.12.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:21.12.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "45D89239-9142-46BD-846D-76A5A74A67B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*", "matchCriteriaId": "202AD518-2E9B-4062-B063-9858AE1F9CE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*", "matchCriteriaId": "10864586-270E-4ACF-BDCC-ECFCD299305F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*", "matchCriteriaId": "38340E3C-C452-4370-86D4-355B6B4E0A06", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*", "matchCriteriaId": "E9C55C69-E22E-4B80-9371-5CD821D79FE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "7F978162-CB2C-4166-947A-9048C6E878BC", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*", "matchCriteriaId": "0783F0D1-8FAC-4BCA-A6F5-C5C60E86D56D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:*", "matchCriteriaId": "C7BD0D41-1BED-4C4F-95C8-8987C98908DA", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "DEC41EB8-73B4-4BDF-9321-F34EC0BAF9E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "48EFC111-B01B-4C34-87E4-D6B2C40C0122", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "073FEA23-E46A-4C73-9D29-95CFF4F5A59D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "A69FB468-EAF3-4E67-95E7-DF92C281C1F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "0ABA57AC-4BBF-4E4F-9F7E-D42472C36EEB", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "889916ED-5EB2-49D6-8400-E6DBBD6C287F", "versionEndIncluding": "21.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2."}, {"lang": "es", "value": "Las versiones de Apache Log4j2 de la 2.0-beta7 a la 2.17.0 (excluyendo las versiones de correcci\u00f3n de seguridad 2.3.2 y 2.12.4) son vulnerables a un ataque de ejecuci\u00f3n remota de c\u00f3digo (RCE) cuando una configuraci\u00f3n utiliza un JDBC Appender con un URI de origen de datos JNDI LDAP cuando un atacante tiene el control del servidor LDAP de destino. Este problema se soluciona limitando los nombres de fuentes de datos JNDI al protocolo java en las versiones 2.17.1, 2.12.4 y 2.3.2 de Log4j2"}], "id": "CVE-2021-44832", "lastModified": "2026-05-29T20:16:21.410", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 8.5, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2021-12-28T20:15:08.400", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/12/28/1"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"}, {"source": "security@apache.org", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220104-0001/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/12/28/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220104-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-74"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:1299", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "impact": "low", "package": "log4j-core", "product_name": "EAP 7.4.4 release", "release_date": "2022-04-11T00:00:00Z"}, {"advisory": "RHSA-2022:0216", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "impact": "low", "package": "log4j-core", "product_name": "EAP 7.4 log4j async", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:0225", "cpe": "cpe:/a:redhat:logging:5.0::el8", "package": "openshift-logging/elasticsearch6-rhel8:v5.0.12-1", "product_name": "OpenShift Logging 5.0", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:0226", "cpe": "cpe:/a:redhat:logging:5.1::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-98", "product_name": "OpenShift Logging 5.1", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:0230", "cpe": "cpe:/a:redhat:logging:5.2::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-100", "product_name": "OpenShift Logging 5.2", "release_date": "2022-01-21T00:00:00Z"}, {"advisory": "RHSA-2022:0227", "cpe": "cpe:/a:redhat:logging:5.3::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-99", "product_name": "OpenShift Logging 5.3", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:0467", "cpe": "cpe:/a:redhat:amq_streams:1", "product_name": "Red Hat AMQ Streams 1.6.7", "release_date": "2022-02-08T00:00:00Z"}, {"advisory": "RHSA-2022:0138", "cpe": "cpe:/a:redhat:amq_streams:2", "package": "log4j-core", "product_name": "Red Hat AMQ Streams 2.0.0", "release_date": "2022-01-13T00:00:00Z"}, {"advisory": "RHSA-2022:0205", "cpe": "cpe:/a:redhat:jboss_data_grid:8.2", "package": "log4j-core", "product_name": "Red Hat Data Grid 8.2.3", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:0203", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "log4j-core", "product_name": "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:0222", "cpe": "cpe:/a:redhat:camel_quarkus:2.2", "package": "log4j-core", "product_name": "Red Hat Integration Camel Extensions for Quarkus 2.2", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:0223", "cpe": "cpe:/a:redhat:integration:1", "package": "log4j-core", "product_name": "Red Hat Integration Camel-K 1.6.3", "release_date": "2022-01-20T00:00:00Z"}, {"advisory": "RHSA-2022:1297", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "impact": "low", "package": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2022-04-11T00:00:00Z"}, {"advisory": "RHSA-2022:1296", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "impact": "low", "package": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2022-04-11T00:00:00Z"}, {"advisory": "RHSA-2022:0236", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-logging-elasticsearch5:v3.11.570-2.ge84e80c", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2022-01-25T00:00:00Z"}, {"advisory": "RHSA-2022:0181", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "openshift4/ose-logging-elasticsearch6:v4.6.0-202201181437.p0.g181b827.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2022-01-27T00:00:00Z"}, {"advisory": "RHSA-2022:0493", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-metering-hive:v4.7.0-202201271626.p0.g12e974d.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2022-02-16T00:00:00Z"}, {"advisory": "RHSA-2022:0493", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-metering-presto:v4.7.0-202201271626.p0.g2155d34.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2022-02-16T00:00:00Z"}, {"advisory": "RHSA-2022:0485", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "package": "openshift4/ose-metering-hive:v4.8.0-202201271626.p0.g8fb24af.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2022-02-16T00:00:00Z"}, {"advisory": "RHSA-2022:0485", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "package": "openshift4/ose-metering-presto:v4.8.0-202201271626.p0.gf1abc62.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2022-02-16T00:00:00Z"}, {"advisory": "RHSA-2022:0083", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "log4j-core", "product_name": "Vert.x 4.1.8", "release_date": "2022-01-20T00:00:00Z"}], "bugzilla": {"description": "log4j-core: remote code execution via JDBC Appender", "id": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2."], "mitigation": {"lang": "en:us", "value": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability."}, "name": "CVE-2021-44832", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "log4j-core", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "log4j-core", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Not affected", "package_name": "log4j-core", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Affected", "package_name": "log4j-core", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "log4j-core", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "parfait:0.5/log4j12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "log4j", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "log4j-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-hadoop", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "impact": "low", "package_name": "log4j-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "log4j-over-slf4j", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "log4j-core", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-java-common-log4j", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-maven35-log4j12", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-maven36-log4j12", "product_name": "Red Hat Software Collections"}], "public_date": "2021-12-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-44832\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-44832\nhttps://issues.apache.org/jira/browse/LOG4J2-3293"], "statement": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "threat_severity": "Moderate"}