Vulnerability Monitor


CVE-2021-44832


Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
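The description pins the exploitable condition to one configuration shape: a JDBC Appender whose DataSource is resolved through JNDI with a URI that is not in the java: protocol. The following Python helper is an added example, not part of the NVD record and not Log4j project code; it statically audits a log4j2.xml for that shape using the rule the fix applies (a JNDI name is accepted only when it has no URL scheme or the java scheme). The sample configurations, the appender name and the attacker.example.net host are constructed for the demonstration.

```python
"""Audit Log4j 2 XML configurations for JDBC appenders whose DataSource
jndiName would be rejected by the CVE-2021-44832 fix. Added example; the
configurations below are constructed, not taken from any real deployment."""
import re
import xml.etree.ElementTree as ET

# A JNDI name carries a URL scheme when it begins with scheme ":" (RFC 3986 form).
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def classify_jndi_name(jndi_name: str) -> str:
    """Return OK, VULNERABLE or REVIEW for a single DataSource jndiName value."""
    if "${" in jndi_name:
        # Log4j property/lookup substitution: the effective value is only known
        # at runtime, so a static scan cannot clear it.
        return "REVIEW"
    m = _SCHEME_RE.match(jndi_name)
    if m is None:
        return "OK"  # plain name, resolved against the default InitialContext
    # Modelled on the 2.17.1 check, which compares the scheme against "java"
    # case-sensitively and refuses everything else (ldap, ldaps, rmi, ...).
    return "OK" if m.group(1) == "java" else "VULNERABLE"


def audit_jdbc_appenders(config_xml: str) -> list[dict]:
    """Walk a Log4j 2 XML config and classify every <JDBC><DataSource jndiName=...>."""
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":  # Log4j plugin element names are case-insensitive
            continue
        for child in appender:
            if child.tag.lower() == "datasource":
                jndi = child.get("jndiName", "")
                findings.append({
                    "appender": appender.get("name", "<unnamed>"),
                    "jndiName": jndi,
                    "verdict": classify_jndi_name(jndi),
                })
    return findings


def _config(jndi_name: str) -> str:
    """Build a minimal constructed log4j2.xml with one JDBC appender (assumed layout)."""
    return f"""<Configuration status="warn">
  <Appenders>
    <JDBC name="databaseAppender" tableName="application_log">
      <DataSource jndiName="{jndi_name}"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="level" pattern="%level"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="error"><AppenderRef ref="databaseAppender"/></Root>
  </Loggers>
</Configuration>"""


# Constructed samples: an attacker-controlled LDAP server (hypothetical host),
# the hardened java: form, and a value that a lookup resolves at runtime.
VULNERABLE_CONFIG = _config("ldap://attacker.example.net:1389/o=reference")
HARDENED_CONFIG = _config("java:comp/env/jdbc/LoggingDataSource")
LOOKUP_CONFIG = _config("${env:LOG_DATASOURCE_JNDI}")

if __name__ == "__main__":
    samples = (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG), ("lookup", LOOKUP_CONFIG))
    for label, cfg in samples:
        for f in audit_jdbc_appenders(cfg):
            print(f"{label:10s} {f['verdict']:10s} {f['appender']} -> {f['jndiName']}")
```

Appenders that obtain their connection through a ConnectionFactory or a pooled driver rather than a JNDI DataSource are not reported, because they do not perform the lookup at issue. Values built from lookups are returned as REVIEW rather than OK because the file alone does not show what they expand to. Once on 2.17.1, 2.12.4 or 2.3.2 the lookup itself refuses non-java: names, and 2.17.1 additionally keeps JNDI use by the JDBC Appender disabled unless the system property log4j2.enableJndiJdbc is set to true; the audit is for finding configurations that still depend on the old behaviour before and after upgrading.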


Published

2021-12-28T20:15:08.400

Last Modified

2024-11-21T06:31:34.783

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.6 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:C/I:C/A:C

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: SINGLE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE
Exploitability Score (CVSSv2 subscore)

6.8

Impact Score (CVSSv2 subscore)

10.0

Weaknesses
  • Type: Secondary
    CWE-20 (Improper Input Validation)
    CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection')
  • Type: Primary
    CWE-20 (Improper Input Validation)

Affected Vendors & Products

Type              Vendor         Product                                                Version/Range   Vulnerable?
Application       apache         log4j                                                  < 2.3.2         Yes
Application       apache         log4j                                                  < 2.12.4        Yes
Application       apache         log4j                                                  < 2.17.1        Yes
Application       apache         log4j                                                  2.0             Yes
Application       oracle         communications_brm_-_elastic_charging_engine           < 12.0.0.4.6    Yes
Application       oracle         communications_brm_-_elastic_charging_engine           12.0.0.5.0      Yes
Application       oracle         communications_diameter_signaling_router               ≤ 8.5.1.0       Yes
Application       oracle         communications_interactive_session_recorder            6.3             Yes
Application       oracle         communications_interactive_session_recorder            6.4             Yes
Application       oracle         communications_offline_mediation_controller            < 12.0.0.4.4    Yes
Application       oracle         communications_offline_mediation_controller            12.0.0.5.0      Yes
Application       oracle         flexcube_private_banking                               12.1.0          Yes
Application       oracle         health_sciences_data_management_workbench              2.5.2.1         Yes
Application       oracle         health_sciences_data_management_workbench              3.0.0.0         Yes
Application       oracle         health_sciences_data_management_workbench              3.1.0.3         Yes
Application       oracle         policy_automation                                      ≤ 12.2.24       Yes
Application       oracle         policy_automation_for_mobile_devices                   ≤ 12.2.24       Yes
Application       oracle         primavera_gateway                                      ≤ 17.12.11      Yes
Application       oracle         primavera_gateway                                      ≤ 18.8.13       Yes
Application       oracle         primavera_gateway                                      ≤ 19.12.12      Yes
Application       oracle         primavera_gateway                                      ≤ 20.12.7       Yes
Application       oracle         primavera_gateway                                      21.12.0         Yes
Application       oracle         primavera_p6_enterprise_project_portfolio_management   ≤ 19.12.18.0    Yes
Application       oracle         primavera_p6_enterprise_project_portfolio_management   ≤ 20.12.12.0    Yes
Application       oracle         primavera_p6_enterprise_project_portfolio_management   21.12.0.0       Yes
Application       oracle         primavera_unifier                                      18.8            Yes
Application       oracle         primavera_unifier                                      19.12           Yes
Application       oracle         primavera_unifier                                      20.12           Yes
Application       oracle         primavera_unifier                                      21.12           Yes
Application       oracle         product_lifecycle_analytics                            3.6.1           Yes
Application       oracle         retail_assortment_planning                             16.0.3          Yes
Application       oracle         retail_fiscal_management                               14.2            Yes
Application       oracle         retail_order_broker                                    18.0            Yes
Application       oracle         retail_order_broker                                    19.1            Yes
Application       oracle         retail_xstore_point_of_service                         17.0.4          Yes
Application       oracle         retail_xstore_point_of_service                         18.0.3          Yes
Application       oracle         retail_xstore_point_of_service                         19.0.2          Yes
Application       oracle         retail_xstore_point_of_service                         20.0.1          Yes
Application       oracle         retail_xstore_point_of_service                         21.0.1          Yes
Application       oracle         siebel_ui_framework                                    ≤ 21.12         Yes
Application       oracle         weblogic_server                                        12.2.1.3.0      Yes
Application       oracle         weblogic_server                                        12.2.1.4.0      Yes
Application       oracle         weblogic_server                                        14.1.1.0.0      Yes
Application       cisco          cloudcenter                                            4.10.0.16       Yes
Operating System  fedoraproject  fedora                                                 34              Yes
Operating System  fedoraproject  fedora                                                 35              Yes
Operating System  debian         debian_linux                                           9.0             Yes

Read literally, the three open-ended log4j ranges overlap; taken together with the description they denote the releases before the security fix on each maintained branch (2.3.2, 2.12.4 and 2.17.1), with 2.0-beta7 as the earliest affected version. The vendor entries below apache list products that bundle an affected log4j-core; the exploitable condition in each case is still the JDBC Appender with a JNDI data source described above.
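Because the listed ranges overlap and Log4j 2 pre-release tags (2.0-beta7, 2.0-rc1) do not sort as plain dotted numbers, a version check has to encode the description's bounds explicitly. The helper below is an added example, not NVD or Log4j project code: it orders Log4j 2 version strings with their alpha/beta/rc qualifiers, applies the range 2.0-beta7 through 2.17.0 with the security fix releases 2.3.2 and 2.12.4 excluded, and picks affected log4j-core jars out of a file listing. The jar paths are constructed, and being in range means the library is affected; exploitation still requires the JDBC Appender with a JNDI data source described above.

```python
"""Version-range check for CVE-2021-44832 over Log4j 2 version strings.
Added example; the jar listing at the bottom is constructed, not real."""
import re

# Pre-release qualifiers in Apache Log4j 2 version strings sort before the final
# release of the same number: 2.0-beta7 < 2.0-rc1 < 2.0.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE)


def parse_log4j_version(version: str) -> tuple:
    """Map '2.12.4' or '2.0-beta7' to a tuple that compares in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):
        return (major, minor, patch, _QUALIFIER_RANK[m.group(4).lower()], int(m.group(5)))
    return (major, minor, patch, _FINAL_RANK, 0)


# Bounds taken from the CVE description: 2.0-beta7 through 2.17.0, excluding
# the security fix releases; 2.17.1 sits above the upper bound anyway.
FIRST_VULNERABLE = parse_log4j_version("2.0-beta7")
LAST_VULNERABLE = parse_log4j_version("2.17.0")
SECURITY_FIX_RELEASES = {parse_log4j_version(v) for v in ("2.3.2", "2.12.4", "2.17.1")}


def is_vulnerable_to_cve_2021_44832(version: str) -> bool:
    key = parse_log4j_version(version)
    if key in SECURITY_FIX_RELEASES:
        return False
    return FIRST_VULNERABLE <= key <= LAST_VULNERABLE


_JAR_RE = re.compile(r"log4j-core-(.+)\.jar$")


def affected_jars(paths) -> list[str]:
    """Return the log4j-core jar paths whose embedded version is in the vulnerable range.
    Paths whose version part does not parse (e.g. -sources jars) are skipped."""
    hits = []
    for p in paths:
        m = _JAR_RE.search(p)
        if not m:
            continue
        try:
            if is_vulnerable_to_cve_2021_44832(m.group(1)):
                hits.append(p)
        except ValueError:
            continue
    return hits


# Constructed sample listing (hypothetical paths), the kind of output
#   find / -name 'log4j-core-*.jar'
# would produce on a host.
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/legacy/lib/log4j-core-2.3.1.jar",
    "/opt/legacy/lib/log4j-core-2.3.2.jar",
    "/opt/ci/lib/log4j-core-2.0-beta6.jar",
    "/opt/ci/lib/log4j-core-2.0-rc1.jar",
    "/opt/new/lib/log4j-core-2.17.1.jar",
    "/opt/new/lib/log4j-core-2.17.1-sources.jar",
]

if __name__ == "__main__":
    for p in affected_jars(SAMPLE_JARS):
        print("affected:", p)
```

Log4j 1.x version strings such as 1.2.17 parse but fall below the lower bound, so they are reported as not affected by this CVE; that says nothing about the separate, unfixed issues in the end-of-life 1.x line. Shaded or repackaged copies of log4j-core that do not carry the version in the file name are not found by the jar-name scan and need a manifest or class-fingerprint check instead.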

References