CVE-2021-44832: Apache log4j2 log messages substitution (CVE-2021-44228)
First published: Sun Dec 12 2021(Updated: )
Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled (CVE-2021-44228).
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/eap7-log4j | <0:2.17.1-1.redhat_00001.1.el8ea | 0:2.17.1-1.redhat_00001.1.el8ea |
| redhat/eap7-log4j | <0:2.17.1-1.redhat_00001.1.el7ea | 0:2.17.1-1.redhat_00001.1.el7ea |
| Apache Log4j | =2.0-beta9 | |
| Apache Log4j | =2.15.0 | |
| Apache Log4j | =2.17.0 | |
| Apache Log4j | =1.2.x | |
| redhat/log4j | <2.17.1 | 2.17.1 |
| redhat/log4j | <2.12.4 | 2.12.4 |
| redhat/log4j | <2.3.2 | 2.3.2 |
| Apache Log4j | >=2.0.1<2.3.2 | |
| Apache Log4j | >=2.4<2.12.4 | |
| Apache Log4j | >=2.13.0<2.17.1 | |
| Apache Log4j | =2.0 | |
| Apache Log4j | =2.0-beta7 | |
| Apache Log4j | =2.0-beta8 | |
| Apache Log4j | =2.0-beta9 | |
| Apache Log4j | =2.0-rc1 | |
| Apache Log4j | =2.0-rc2 | |
| Oracle Communications Diameter Signaling Router | >=8.0.0.0<=8.5.1.0 | |
| Oracle Communications Interactive Session Recorder | =6.3 | |
| Oracle Communications Interactive Session Recorder | =6.4 | |
| oracle primavera gateway | >=17.12.0<=17.12.11 | |
| oracle primavera gateway | >=18.8.0<=18.8.13 | |
| oracle primavera gateway | >=19.12.0<=19.12.12 | |
| oracle primavera gateway | >=20.12.0<=20.12.7 | |
| oracle primavera gateway | =21.12.0 | |
| Oracle Primavera P6 Enterprise Project Portfolio Management | >=19.12.0<=19.12.18.0 | |
| Oracle Primavera P6 Enterprise Project Portfolio Management | >=20.12.0.0<=20.12.12.0 | |
| Oracle Primavera P6 Enterprise Project Portfolio Management | =21.12.0.0 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Primavera Unifier | =20.12 | |
| Oracle Primavera Unifier | =21.12 | |
| Oracle Retail Assortment Planning | =16.0.3 | |
| oracle retail fiscal management | =14.2 | |
| Oracle Siebel User Interface Framework | =21.12 | |
| Oracle WebLogic Server | =12.2.1.3.0 | |
| Oracle WebLogic Server | =12.2.1.4.0 | |
| Oracle WebLogic Server | =14.1.1.0.0 | |
| cisco cloudcenter | =4.10.0.16 | |
| Fedora | =34 | |
| Fedora | =35 | |
| Debian | =9.0 | |
| oracle communications brm - elastic charging engine | <12.0.0.4.6 | |
| oracle communications brm - elastic charging engine | =12.0.0.5.0 | |
| Oracle Communications Diameter Signaling Router | >=8.3.0.0<=8.5.1.0 | |
| oracle communications offline mediation controller | <12.0.0.4.4 | |
| oracle communications offline mediation controller | =12.0.0.5.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Health Sciences Data Management Workbench | =2.5.2.1 | |
| Oracle Health Sciences Data Management Workbench | =3.0.0.0 | |
| Oracle Health Sciences Data Management Workbench | =3.1.0.3 | |
| oracle policy automation | >=12.2.0<=12.2.24 | |
| oracle policy automation for mobile devices | >=12.2.0<=12.2.24 | |
| Oracle Primavera P6 Enterprise Project Portfolio Management | >=19.12.0.0<=19.12.18.0 | |
| oracle product lifecycle analytics | =3.6.1 | |
| Oracle Retail Order Broker | =18.0 | |
| Oracle Retail Order Broker | =19.1 | |
| Oracle Retail Xstore Office Cloud Service | =17.0.4 | |
| Oracle Retail Xstore Office Cloud Service | =18.0.3 | |
| Oracle Retail Xstore Office Cloud Service | =19.0.2 | |
| Oracle Retail Xstore Office Cloud Service | =20.0.1 | |
| Oracle Retail Xstore Office Cloud Service | =21.0.1 | |
| Oracle Siebel User Interface Framework | <=21.12 |
Remedy
As per upstream: - In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java. - Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-44832 https://nvd.nist.gov/vuln/detail/CVE-2021-44832 https://issues.apache.org/jira/browse/LOG4J2-3293
- https://bugzilla.redhat.com/show_bug.cgi?id=2035951
- https://access.redhat.com/errata/RHSA-2022:0225
- https://access.redhat.com/errata/RHSA-2022:0226
- https://access.redhat.com/errata/RHSA-2022:0230
- https://access.redhat.com/errata/RHSA-2022:0227
- https://access.redhat.com/errata/RHSA-2022:0467
- https://access.redhat.com/errata/RHSA-2022:0205
- https://access.redhat.com/errata/RHSA-2022:0223
- https://access.redhat.com/errata/RHSA-2022:0222
- https://access.redhat.com/errata/RHSA-2022:0138
- https://access.redhat.com/errata/RHSA-2022:0216
- https://access.redhat.com/errata/RHSA-2022:1299
- https://access.redhat.com/errata/RHSA-2022:1297
- https://access.redhat.com/errata/RHSA-2022:1296
- https://access.redhat.com/errata/RHSA-2022:0203
- https://access.redhat.com/errata/RHSA-2022:0236
- https://access.redhat.com/errata/RHSA-2022:0181
- https://access.redhat.com/errata/RHSA-2022:0493
- https://access.redhat.com/errata/RHSA-2022:0485
- https://access.redhat.com/errata/RHSA-2022:0083
- https://access.redhat.com/security/cve/cve-2021-44832
- https://issues.apache.org/jira/browse/LOG4J2-3293
- https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
- https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2036026
- http://www.openwall.com/lists/oss-security/2021/12/28/1
- https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
- https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/
- https://security.netapp.com/advisory/ntap-20220104-0001/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/216189
- https://www.ibm.com/support/pages/node/6557106 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/
- https://www.fortiguard.com/psirt/cvrf/FG-IR-21-245
- https://www.fortiguard.com/psirt/FG-IR-21-245
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is CVE-2021-44832?
CVE-2021-44832 is a vulnerability in Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) that allows a remote code execution (RCE) attack.
How severe is CVE-2021-44832?
CVE-2021-44832 has a severity rating of medium (6.6).
Which software versions of Apache Log4j2 are affected by CVE-2021-44832?
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are affected by CVE-2021-44832.
How can I fix CVE-2021-44832?
To fix CVE-2021-44832, upgrade to version 2.17.1 of Apache Log4j2.
What is the CWE category of CVE-2021-44832?
CVE-2021-44832 falls under CWE category 20.
- collector/redhat-cve
- zeroday/true
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-44832
- agent/software-canonical-lookup
- agent/weakness
- agent/remedy
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- collector/fortiguard-psirt
- source/FortiGuard
- alias/CVE-2021-44228
- alias/CVE-2021-45105
- agent/severity
- agent/references
- agent/title
- agent/first-publish-date
- agent/description
- agent/trending
- agent/source
- agent/event
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- vendor/apache
- canonical/apache log4j
- version/apache log4j/2.0-beta9
- version/apache log4j/2.15.0
- version/apache log4j/2.17.0
- version/apache log4j/1.2.x
- version/apache log4j/2.0.1
- version/apache log4j/2.4
- version/apache log4j/2.13.0
- version/apache log4j/2.0
- version/apache log4j/2.0-beta7
- version/apache log4j/2.0-beta8
- version/apache log4j/2.0-rc1
- version/apache log4j/2.0-rc2
- vendor/oracle
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.0.0.0
- version/oracle communications diameter signaling router/8.5.1.0
- canonical/oracle communications interactive session recorder
- version/oracle communications interactive session recorder/6.3
- version/oracle communications interactive session recorder/6.4
- canonical/oracle primavera gateway
- version/oracle primavera gateway/17.12.0
- version/oracle primavera gateway/17.12.11
- version/oracle primavera gateway/18.8.0
- version/oracle primavera gateway/18.8.13
- version/oracle primavera gateway/19.12.0
- version/oracle primavera gateway/19.12.12
- version/oracle primavera gateway/20.12.0
- version/oracle primavera gateway/20.12.7
- version/oracle primavera gateway/21.12.0
- canonical/oracle primavera p6 enterprise project portfolio management
- version/oracle primavera p6 enterprise project portfolio management/19.12.0
- version/oracle primavera p6 enterprise project portfolio management/19.12.18.0
- version/oracle primavera p6 enterprise project portfolio management/20.12.0.0
- version/oracle primavera p6 enterprise project portfolio management/20.12.12.0
- version/oracle primavera p6 enterprise project portfolio management/21.12.0.0
- canonical/oracle primavera unifier
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- version/oracle primavera unifier/20.12
- version/oracle primavera unifier/21.12
- canonical/oracle retail assortment planning
- version/oracle retail assortment planning/16.0.3
- canonical/oracle retail fiscal management
- version/oracle retail fiscal management/14.2
- canonical/oracle siebel user interface framework
- version/oracle siebel user interface framework/21.12
- canonical/oracle weblogic server
- version/oracle weblogic server/12.2.1.3.0
- version/oracle weblogic server/12.2.1.4.0
- version/oracle weblogic server/14.1.1.0.0
- vendor/cisco
- canonical/cisco cloudcenter
- version/cisco cloudcenter/4.10.0.16
- vendor/fedoraproject
- canonical/fedora
- version/fedora/34
- version/fedora/35
- vendor/debian
- canonical/debian
- version/debian/9.0
- canonical/oracle communications brm - elastic charging engine
- version/oracle communications brm - elastic charging engine/12.0.0.5.0
- version/oracle communications diameter signaling router/8.3.0.0
- canonical/oracle communications offline mediation controller
- version/oracle communications offline mediation controller/12.0.0.5.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.1.0
- canonical/oracle health sciences data management workbench
- version/oracle health sciences data management workbench/2.5.2.1
- version/oracle health sciences data management workbench/3.0.0.0
- version/oracle health sciences data management workbench/3.1.0.3
- canonical/oracle policy automation
- version/oracle policy automation/12.2.0
- version/oracle policy automation/12.2.24
- canonical/oracle policy automation for mobile devices
- version/oracle policy automation for mobile devices/12.2.0
- version/oracle policy automation for mobile devices/12.2.24
- version/oracle primavera p6 enterprise project portfolio management/19.12.0.0
- canonical/oracle product lifecycle analytics
- version/oracle product lifecycle analytics/3.6.1
- canonical/oracle retail order broker
- version/oracle retail order broker/18.0
- version/oracle retail order broker/19.1
- canonical/oracle retail xstore office cloud service
- version/oracle retail xstore office cloud service/17.0.4
- version/oracle retail xstore office cloud service/18.0.3
- version/oracle retail xstore office cloud service/19.0.2
- version/oracle retail xstore office cloud service/20.0.1
- version/oracle retail xstore office cloud service/21.0.1