First published: Tue Dec 28 2021
Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, an attacker could exploit this vulnerability to execute remote code.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/eap7-log4j | <0:2.17.1-1.redhat_00001.1.el8ea | 0:2.17.1-1.redhat_00001.1.el8ea |
redhat/eap7-log4j | <0:2.17.1-1.redhat_00001.1.el7ea | 0:2.17.1-1.redhat_00001.1.el7ea |
Apache Log4j | =2.0-beta9 | |
Apache Log4j | =2.15.0 | |
Apache Log4j | =2.17.0 | |
Apache Log4j | =1.2.x | |
redhat/log4j | <2.17.1 | 2.17.1 |
redhat/log4j | <2.12.4 | 2.12.4 |
redhat/log4j | <2.3.2 | 2.3.2 |
Apache Log4j | >=2.0.1<2.3.2 | |
Apache Log4j | >=2.4<2.12.4 | |
Apache Log4j | >=2.13.0<2.17.1 | |
Apache Log4j | =2.0 | |
Apache Log4j | =2.0-beta7 | |
Apache Log4j | =2.0-beta8 | |
Apache Log4j | =2.0-rc1 | |
Apache Log4j | =2.0-rc2 | |
Oracle Communications Diameter Signaling Router | >=8.0.0.0<=8.5.1.0 | |
Oracle Communications Interactive Session Recorder | =6.3 | |
Oracle Communications Interactive Session Recorder | =6.4 | |
Oracle Primavera Gateway | >=17.12.0<=17.12.11 | |
Oracle Primavera Gateway | >=18.8.0<=18.8.13 | |
Oracle Primavera Gateway | >=19.12.0<=19.12.12 | |
Oracle Primavera Gateway | >=20.12.0<=20.12.7 | |
Oracle Primavera Gateway | =21.12.0 | |
Oracle Primavera P6 Enterprise Project Portfolio Management | >=19.12.0<=19.12.18.0 | |
Oracle Primavera P6 Enterprise Project Portfolio Management | >=20.12.0.0<=20.12.12.0 | |
Oracle Primavera P6 Enterprise Project Portfolio Management | =21.12.0.0 | |
Oracle Primavera Unifier | =18.8 | |
Oracle Primavera Unifier | =19.12 | |
Oracle Primavera Unifier | =20.12 | |
Oracle Primavera Unifier | =21.12 | |
Oracle Retail Assortment Planning | =16.0.3 | |
Oracle Retail Fiscal Management | =14.2 | |
Oracle Siebel Ui Framework | =21.12 | |
Oracle WebLogic Server | =12.2.1.3.0 | |
Oracle WebLogic Server | =12.2.1.4.0 | |
Oracle WebLogic Server | =14.1.1.0.0 | |
Cisco Cloudcenter | =4.10.0.16 | |
Fedoraproject Fedora | =34 | |
Fedoraproject Fedora | =35 | |
Debian Debian Linux | =9.0 | |
Oracle Communications Brm - Elastic Charging Engine | <12.0.0.4.6 | |
Oracle Communications Brm - Elastic Charging Engine | =12.0.0.5.0 | |
Oracle Communications Diameter Signaling Router | >=8.3.0.0<=8.5.1.0 | |
Oracle Communications Offline Mediation Controller | <12.0.0.4.4 | |
Oracle Communications Offline Mediation Controller | =12.0.0.5.0 | |
Oracle FLEXCUBE Private Banking | =12.1.0 | |
Oracle Health Sciences Data Management Workbench | =2.5.2.1 | |
Oracle Health Sciences Data Management Workbench | =3.0.0.0 | |
Oracle Health Sciences Data Management Workbench | =3.1.0.3 | |
Oracle Policy Automation | >=12.2.0<=12.2.24 | |
Oracle Policy Automation For Mobile Devices | >=12.2.0<=12.2.24 | |
Oracle Primavera P6 Enterprise Project Portfolio Management | >=19.12.0.0<=19.12.18.0 | |
Oracle Product Lifecycle Analytics | =3.6.1 | |
Oracle Retail Order Broker | =18.0 | |
Oracle Retail Order Broker | =19.1 | |
Oracle Retail Xstore Point of Service | =17.0.4 | |
Oracle Retail Xstore Point of Service | =18.0.3 | |
Oracle Retail Xstore Point of Service | =19.0.2 | |
Oracle Retail Xstore Point of Service | =20.0.1 | |
Oracle Retail Xstore Point of Service | =21.0.1 | |
Oracle Siebel Ui Framework | <=21.12 | |
As per upstream:
- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.
- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
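A configuration audit that implements the upstream check above, added here as an example (it is not code from Apache Log4j or from this advisory's publisher). It parses a log4j2.xml and flags every JDBC Appender whose DataSource `jndiName` does not use the `java:` scheme; the sample configuration, its appender names and the `example.invalid` host are constructed, and the script covers the XML configuration format only (Log4j also accepts JSON, YAML and properties configurations).

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample log4j2.xml: one JDBC appender whose DataSource uses the
# java: JNDI scheme (the only scheme 2.17.1 still permits) and one whose
# DataSource points at a non-java JNDI scheme (constructed, not a real host).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <JDBC name="LocalDb" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
    </JDBC>
    <Appender type="JDBC" name="RemoteDb" tableName="application_log">
      <DataSource jndiName="ldap://example.invalid/datasource"/>
    </Appender>
    <Console name="Stdout" target="SYSTEM_OUT"/>
  </Appenders>
</Configuration>
"""


def is_jdbc_appender(elem: ET.Element) -> bool:
    # Log4j2 accepts both <JDBC ...> and the strict-mode form <Appender type="JDBC" ...>.
    return elem.tag == "JDBC" or (
        elem.tag == "Appender" and elem.get("type", "").upper() == "JDBC"
    )


def audit_jdbc_jndi(xml_text: str) -> List[Tuple[str, str, bool]]:
    """Return (appender name, jndiName, ok) for each DataSource of each JDBC appender.

    ok is True only when the JNDI name uses the java: scheme, which is the
    upstream pre-2.17.1 mitigation check for CVE-2021-44832.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for appender in root.iter():
        if not is_jdbc_appender(appender):
            continue
        for ds in appender.findall("DataSource"):
            jndi = ds.get("jndiName", "")
            ok = jndi.lower().startswith("java:")
            findings.append((appender.get("name", "?"), jndi, ok))
    return findings


def unsafe_appenders(xml_text: str) -> List[str]:
    """Names of JDBC appenders whose DataSource uses a non-java JNDI scheme."""
    return [name for name, _, ok in audit_jdbc_jndi(xml_text) if not ok]


if __name__ == "__main__":
    for name, jndi, ok in audit_jdbc_jndi(SAMPLE_CONFIG):
        print(f"{'OK     ' if ok else 'REVIEW '} {name}: {jndi}")
```

Run it over a deployed log4j2.xml instead of `SAMPLE_CONFIG` to confirm a pre-2.17.1 deployment matches the upstream guidance; any `REVIEW` line is a data source that should be changed to a `java:` name or removed before relying on the mitigation.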
CVE-2021-44832 is a vulnerability in Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) that allows a remote code execution (RCE) attack.
CVE-2021-44832 has a severity rating of medium (6.6).
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are affected by CVE-2021-44832.
To fix CVE-2021-44832, upgrade to version 2.17.1 of Apache Log4j2.
CVE-2021-44832 falls under CWE category 20.