FG-IR-21-245: Apache log4j2 log messages substitution (CVE-2021-44228)
First published: Sun Dec 12 2021(Updated: )
Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled (CVE-2021-44228).
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Log4j | <=2.14.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of FG-IR-21-245?
The severity of FG-IR-21-245 is critical due to the potential for remote code execution.
How do I fix FG-IR-21-245?
To fix FG-IR-21-245, upgrade Apache Log4j to version 2.15.0 or later.
What products are affected by FG-IR-21-245?
FG-IR-21-245 affects Apache Log4j versions up to and including 2.14.1.
What type of vulnerability is FG-IR-21-245?
FG-IR-21-245 is a remote code execution vulnerability caused by JNDI features in Apache Log4j.
Can FG-IR-21-245 be exploited remotely?
Yes, FG-IR-21-245 can be exploited remotely if an attacker can control log messages or parameters.
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2021-44228
- agent/last-modified-date
- agent/type
- agent/first-publish-date
- collector/fortiguard-psirt
- alias/CVE-2021-44832
- alias/CVE-2021-45105
- agent/severity
- agent/references
- agent/title
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/apache
- canonical/apache log4j