CVE-2021-44832: Input Validation
First published: Tue Dec 28 2021(Updated: )
Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/eap7-log4j | <0:2.17.1-1.redhat_00001.1.el8ea | 0:2.17.1-1.redhat_00001.1.el8ea |
| redhat/eap7-log4j | <0:2.17.1-1.redhat_00001.1.el7ea | 0:2.17.1-1.redhat_00001.1.el7ea |
| Apache Log4j | =2.0-beta9 | |
| Apache Log4j | =2.15.0 | |
| Apache Log4j | =2.17.0 | |
| Apache Log4j | =1.2.x | |
| redhat/log4j | <2.17.1 | 2.17.1 |
| redhat/log4j | <2.12.4 | 2.12.4 |
| redhat/log4j | <2.3.2 | 2.3.2 |
| Apache Log4j | >=2.0.1<2.3.2 | |
| Apache Log4j | >=2.4<2.12.4 | |
| Apache Log4j | >=2.13.0<2.17.1 | |
| Apache Log4j | =2.0 | |
| Apache Log4j | =2.0-beta7 | |
| Apache Log4j | =2.0-beta8 | |
| Apache Log4j | =2.0-beta9 | |
| Apache Log4j | =2.0-rc1 | |
| Apache Log4j | =2.0-rc2 | |
| Oracle Communications Diameter Signaling Router | >=8.0.0.0<=8.5.1.0 | |
| Oracle Communications Interactive Session Recorder | =6.3 | |
| Oracle Communications Interactive Session Recorder | =6.4 | |
| Oracle Primavera Gateway | >=17.12.0<=17.12.11 | |
| Oracle Primavera Gateway | >=18.8.0<=18.8.13 | |
| Oracle Primavera Gateway | >=19.12.0<=19.12.12 | |
| Oracle Primavera Gateway | >=20.12.0<=20.12.7 | |
| Oracle Primavera Gateway | =21.12.0 | |
| Oracle Primavera P6 Enterprise Project Portfolio Management | >=19.12.0<=19.12.18.0 | |
| Oracle Primavera P6 Enterprise Project Portfolio Management | >=20.12.0.0<=20.12.12.0 | |
| Oracle Primavera P6 Enterprise Project Portfolio Management | =21.12.0.0 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Primavera Unifier | =20.12 | |
| Oracle Primavera Unifier | =21.12 | |
| Oracle Retail Assortment Planning | =16.0.3 | |
| Oracle Retail Fiscal Management | =14.2 | |
| Oracle Siebel Ui Framework | =21.12 | |
| Oracle WebLogic Server | =12.2.1.3.0 | |
| Oracle WebLogic Server | =12.2.1.4.0 | |
| Oracle WebLogic Server | =14.1.1.0.0 | |
| Cisco Cloudcenter | =4.10.0.16 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Debian Debian Linux | =9.0 | |
| Oracle Communications Brm - Elastic Charging Engine | <12.0.0.4.6 | |
| Oracle Communications Brm - Elastic Charging Engine | =12.0.0.5.0 | |
| Oracle Communications Diameter Signaling Router | >=8.3.0.0<=8.5.1.0 | |
| Oracle Communications Offline Mediation Controller | <12.0.0.4.4 | |
| Oracle Communications Offline Mediation Controller | =12.0.0.5.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Health Sciences Data Management Workbench | =2.5.2.1 | |
| Oracle Health Sciences Data Management Workbench | =3.0.0.0 | |
| Oracle Health Sciences Data Management Workbench | =3.1.0.3 | |
| Oracle Policy Automation | >=12.2.0<=12.2.24 | |
| Oracle Policy Automation For Mobile Devices | >=12.2.0<=12.2.24 | |
| Oracle Primavera P6 Enterprise Project Portfolio Management | >=19.12.0.0<=19.12.18.0 | |
| Oracle Product Lifecycle Analytics | =3.6.1 | |
| Oracle Retail Order Broker | =18.0 | |
| Oracle Retail Order Broker | =19.1 | |
| Oracle Retail Xstore Point of Service | =17.0.4 | |
| Oracle Retail Xstore Point of Service | =18.0.3 | |
| Oracle Retail Xstore Point of Service | =19.0.2 | |
| Oracle Retail Xstore Point of Service | =20.0.1 | |
| Oracle Retail Xstore Point of Service | =21.0.1 | |
| Oracle Siebel Ui Framework | <=21.12 |
Remedy
As per upstream: - In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java. - Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/216189
- https://www.ibm.com/support/pages/node/6557106 (Advisory)
- http://www.openwall.com/lists/oss-security/2021/12/28/1
- https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
- https://issues.apache.org/jira/browse/LOG4J2-3293
- https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
- https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/
- https://security.netapp.com/advisory/ntap-20220104-0001/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2036026
- https://access.redhat.com/errata/RHSA-2022:0138
- https://access.redhat.com/errata/RHSA-2022:0203
- https://access.redhat.com/errata/RHSA-2022:0205
- https://access.redhat.com/errata/RHSA-2022:0083
- https://access.redhat.com/errata/RHSA-2022:0216
- https://access.redhat.com/errata/RHSA-2022:0222
- https://access.redhat.com/errata/RHSA-2022:0223
- https://access.redhat.com/errata/RHSA-2022:0225
- https://access.redhat.com/errata/RHSA-2022:0226
- https://access.redhat.com/errata/RHSA-2022:0227
- https://access.redhat.com/errata/RHSA-2022:0230
- https://access.redhat.com/security/cve/cve-2021-44832
- https://access.redhat.com/errata/RHSA-2022:0236
- https://access.redhat.com/errata/RHSA-2022:0181
- https://access.redhat.com/errata/RHSA-2022:0467
- https://access.redhat.com/errata/RHSA-2022:0493
- https://access.redhat.com/errata/RHSA-2022:0485
- https://access.redhat.com/errata/RHSA-2022:1296
- https://access.redhat.com/errata/RHSA-2022:1297
- https://access.redhat.com/errata/RHSA-2022:1299
- https://bugzilla.redhat.com/show_bug.cgi?id=2035951
- https://www.cve.org/CVERecord?id=CVE-2021-44832 https://nvd.nist.gov/vuln/detail/CVE-2021-44832 https://issues.apache.org/jira/browse/LOG4J2-3293
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is CVE-2021-44832?
CVE-2021-44832 is a vulnerability in Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) that allows a remote code execution (RCE) attack.
How severe is CVE-2021-44832?
CVE-2021-44832 has a severity rating of medium (6.6).
Which software versions of Apache Log4j2 are affected by CVE-2021-44832?
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are affected by CVE-2021-44832.
How can I fix CVE-2021-44832?
To fix CVE-2021-44832, upgrade to version 2.17.1 of Apache Log4j2.
What is the CWE category of CVE-2021-44832?
CVE-2021-44832 falls under CWE category 20.
- collector/redhat-cve
- collector/ibm-support
- zeroday/true
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-44832
- agent/software-canonical-lookup
- agent/references
- agent/author
- agent/weakness
- agent/remedy
- agent/severity
- agent/tags
- agent/description
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/apache
- canonical/apache log4j
- version/apache log4j/2.0-beta9
- version/apache log4j/2.15.0
- version/apache log4j/2.17.0
- version/apache log4j/1.2.x
- version/apache log4j/2.0.1
- version/apache log4j/2.4
- version/apache log4j/2.13.0
- version/apache log4j/2.0
- version/apache log4j/2.0-beta7
- version/apache log4j/2.0-beta8
- version/apache log4j/2.0-rc1
- version/apache log4j/2.0-rc2
- vendor/oracle
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.0.0.0
- version/oracle communications diameter signaling router/8.5.1.0
- canonical/oracle communications interactive session recorder
- version/oracle communications interactive session recorder/6.3
- version/oracle communications interactive session recorder/6.4
- canonical/oracle primavera gateway
- version/oracle primavera gateway/17.12.0
- version/oracle primavera gateway/17.12.11
- version/oracle primavera gateway/18.8.0
- version/oracle primavera gateway/18.8.13
- version/oracle primavera gateway/19.12.0
- version/oracle primavera gateway/19.12.12
- version/oracle primavera gateway/20.12.0
- version/oracle primavera gateway/20.12.7
- version/oracle primavera gateway/21.12.0
- canonical/oracle primavera p6 enterprise project portfolio management
- version/oracle primavera p6 enterprise project portfolio management/19.12.0
- version/oracle primavera p6 enterprise project portfolio management/19.12.18.0
- version/oracle primavera p6 enterprise project portfolio management/20.12.0.0
- version/oracle primavera p6 enterprise project portfolio management/20.12.12.0
- version/oracle primavera p6 enterprise project portfolio management/21.12.0.0
- canonical/oracle primavera unifier
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- version/oracle primavera unifier/20.12
- version/oracle primavera unifier/21.12
- canonical/oracle retail assortment planning
- version/oracle retail assortment planning/16.0.3
- canonical/oracle retail fiscal management
- version/oracle retail fiscal management/14.2
- canonical/oracle siebel ui framework
- version/oracle siebel ui framework/21.12
- canonical/oracle weblogic server
- version/oracle weblogic server/12.2.1.3.0
- version/oracle weblogic server/12.2.1.4.0
- version/oracle weblogic server/14.1.1.0.0
- vendor/cisco
- canonical/cisco cloudcenter
- version/cisco cloudcenter/4.10.0.16
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- canonical/oracle communications brm - elastic charging engine
- version/oracle communications brm - elastic charging engine/12.0.0.5.0
- version/oracle communications diameter signaling router/8.3.0.0
- canonical/oracle communications offline mediation controller
- version/oracle communications offline mediation controller/12.0.0.5.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.1.0
- canonical/oracle health sciences data management workbench
- version/oracle health sciences data management workbench/2.5.2.1
- version/oracle health sciences data management workbench/3.0.0.0
- version/oracle health sciences data management workbench/3.1.0.3
- canonical/oracle policy automation
- version/oracle policy automation/12.2.0
- version/oracle policy automation/12.2.24
- canonical/oracle policy automation for mobile devices
- version/oracle policy automation for mobile devices/12.2.0
- version/oracle policy automation for mobile devices/12.2.24
- version/oracle primavera p6 enterprise project portfolio management/19.12.0.0
- canonical/oracle product lifecycle analytics
- version/oracle product lifecycle analytics/3.6.1
- canonical/oracle retail order broker
- version/oracle retail order broker/18.0
- version/oracle retail order broker/19.1
- canonical/oracle retail xstore point of service
- version/oracle retail xstore point of service/17.0.4
- version/oracle retail xstore point of service/18.0.3
- version/oracle retail xstore point of service/19.0.2
- version/oracle retail xstore point of service/20.0.1
- version/oracle retail xstore point of service/21.0.1