CVE-2021-44832

CVSS6.6Medium severity
Published: 12/28/2021
CWE: 74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))
NVD

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

OS
Any OS
Version
Any Version
Type
Any Type

11 fixes found:

Workaround
Update for Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6)
Published Date:Dec 28, 2021
Updated Date:Dec 28, 2021
Version Update
(RHSA-2022:1296) Low: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
Published Date:Apr 11, 2022
Updated Date:Apr 11, 2022
Source:RedHat7
Affected Packages:
eap7-activemq-artemis-journal-2.16.0, eap7-infinispan-hibernate-cache-spi-11.0.15, eap7-infinispan-core-11.0.15, eap7-jboss-xnio-base-3.8.6, eap7-infinispan-component-annotations-11.0.15, eap7-hal-console-3.3.9, eap7-wildfly-elytron-tool-1.15.11, eap7-activemq-artemis-cli-2.16.0, eap7-hibernate-core-5.3.25, eap7-activemq-artemis-jms-server-2.16.0, eap7-infinispan-cachestore-remote-11.0.15, eap7-activemq-artemis-tools-2.16.0, eap7-wildfly-openssl-el7-x86_64-2.2.0, eap7-narayana-compensations-5.11.4, eap7-hibernate-entitymanager-5.3.25, eap7-narayana-restat-util-5.11.4, eap7-activemq-artemis-ra-2.16.0, eap7-undertow-2.2.16, eap7-narayana-jbossxts-5.11.4, eap7-activemq-artemis-jms-client-2.16.0, eap7-wildfly-openssl-2.2.0, eap7-narayana-txframework-5.11.4, eap7-jboss-vfs-3.2.16, eap7-infinispan-11.0.15, eap7-narayana-jbosstxbridge-5.11.4, eap7-log4j-2.17.1, eap7-infinispan-cachestore-jdbc-11.0.15, eap7-activemq-artemis-2.16.0, eap7-hibernate-5.3.25, eap7-activemq-artemis-server-2.16.0, eap7-narayana-restat-bridge-5.11.4, eap7-hibernate-envers-5.3.25, eap7-jboss-server-migration-core-1.10.0, eap7-activemq-artemis-core-client-2.16.0, eap7-activemq-artemis-commons-2.16.0, eap7-infinispan-commons-11.0.15, eap7-jboss-server-migration-1.10.0, eap7-activemq-artemis-hqclient-protocol-2.16.0, eap7-activemq-artemis-hornetq-protocol-2.16.0, eap7-narayana-5.11.4, eap7-activemq-artemis-jdbc-store-2.16.0, eap7-ecj-3.26.0, eap7-wildfly-java-jdk11-7.4.4, eap7-wildfly-java-jdk8-7.4.4, eap7-activemq-artemis-selector-2.16.0, eap7-infinispan-hibernate-cache-commons-11.0.15, eap7-activemq-artemis-service-extensions-2.16.0, eap7-activemq-artemis-dto-2.16.0, eap7-narayana-jts-idlj-5.11.4, eap7-infinispan-hibernate-cache-v53-11.0.15, eap7-xom-1.3.7, eap7-wildfly-openssl-el7-x86_64-debuginfo-2.2.0, eap7-narayana-restat-api-5.11.4, eap7-wildfly-elytron-1.15.11, eap7-jboss-server-migration-cli-1.10.0, eap7-hibernate-java8-5.3.25, eap7-jbossws-cxf-5.4.4, eap7-wildfly-7.4.4, eap7-yasson-1.0.10, eap7-objectweb-asm-9.1.0, eap7-wildfly-modules-7.4.4, eap7-wildfly-openssl-java-2.2.0, eap7-narayana-restat-integration-5.11.4, eap7-narayana-jts-integration-5.11.4, eap7-wildfly-javadocs-7.4.4, eap7-infinispan-client-hotrod-11.0.15
Version Update
(RHSA-2022:1297) Low: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
Published Date:Apr 11, 2022
Updated Date:Apr 11, 2022
Source:RedHat8
Affected Packages:
eap7-activemq-artemis-journal-2.16.0, eap7-infinispan-hibernate-cache-spi-11.0.15, eap7-infinispan-core-11.0.15, eap7-jboss-xnio-base-3.8.6, eap7-infinispan-component-annotations-11.0.15, eap7-hal-console-3.3.9, eap7-wildfly-elytron-tool-1.15.11, eap7-activemq-artemis-cli-2.16.0, eap7-hibernate-core-5.3.25, eap7-activemq-artemis-jms-server-2.16.0, eap7-infinispan-cachestore-remote-11.0.15, eap7-activemq-artemis-tools-2.16.0, eap7-wildfly-openssl-el8-x86_64-2.2.0, eap7-narayana-compensations-5.11.4, eap7-hibernate-entitymanager-5.3.25, eap7-activemq-artemis-ra-2.16.0, eap7-narayana-restat-util-5.11.4, eap7-narayana-jbossxts-5.11.4, eap7-activemq-artemis-commons-2.16.0, eap7-activemq-artemis-jms-client-2.16.0, eap7-jboss-vfs-3.2.16, eap7-wildfly-openssl-2.2.0, eap7-narayana-txframework-5.11.4, eap7-infinispan-11.0.15, eap7-narayana-jbosstxbridge-5.11.4, eap7-undertow-2.2.16, eap7-log4j-2.17.1, eap7-infinispan-cachestore-jdbc-11.0.15, eap7-wildfly-javadocs-7.4.4, eap7-activemq-artemis-2.16.0, eap7-hibernate-5.3.25, eap7-activemq-artemis-server-2.16.0, eap7-narayana-restat-bridge-5.11.4, eap7-hibernate-envers-5.3.25, eap7-jboss-server-migration-core-1.10.0, eap7-activemq-artemis-core-client-2.16.0, eap7-infinispan-commons-11.0.15, eap7-jboss-server-migration-1.10.0, eap7-activemq-artemis-hqclient-protocol-2.16.0, eap7-activemq-artemis-hornetq-protocol-2.16.0, eap7-narayana-5.11.4, eap7-activemq-artemis-jdbc-store-2.16.0, eap7-ecj-3.26.0, eap7-wildfly-openssl-el8-x86_64-debuginfo-2.2.0, eap7-activemq-artemis-selector-2.16.0, eap7-infinispan-hibernate-cache-commons-11.0.15, eap7-activemq-artemis-service-extensions-2.16.0, eap7-activemq-artemis-dto-2.16.0, eap7-infinispan-hibernate-cache-v53-11.0.15, eap7-xom-1.3.7, eap7-narayana-restat-api-5.11.4, eap7-wildfly-elytron-1.15.11, eap7-jboss-server-migration-cli-1.10.0, eap7-hibernate-java8-5.3.25, eap7-wildfly-7.4.4, eap7-jbossws-cxf-5.4.4, eap7-yasson-1.0.10, eap7-objectweb-asm-9.1.0, eap7-wildfly-openssl-java-2.2.0, eap7-wildfly-modules-7.4.4, eap7-narayana-restat-integration-5.11.4, eap7-narayana-jts-integration-5.11.4, eap7-narayana-jts-idlj-5.11.4, eap7-infinispan-client-hotrod-11.0.15
Version Update
Apache Log4j 2 vulnerabilities
Published Date:Jan 11, 2022
Updated Date:Jan 11, 2022
Source:Ubuntu21.10
Affected Packages:
liblog4j2-java-2.17.1
Version Update
Apache Log4j 2 vulnerabilities
Published Date:Jan 11, 2022
Updated Date:Jan 11, 2022
Source:Ubuntu20.04
Affected Packages:
liblog4j2-java-doc-2.17.1, liblog4j2-java-2.17.1
Version Update
Apache Log4j 2 vulnerabilities
Published Date:Jan 11, 2022
Updated Date:Jan 11, 2022
Source:Ubuntu18.04
Affected Packages:
liblog4j2-java-doc-2.12.4, liblog4j2-java-2.12.4
Version Update
Apache Log4j 2 vulnerabilities
Published Date:Jan 11, 2022
Updated Date:Jan 11, 2022
Source:Ubuntu21.04
Affected Packages:
liblog4j2-java-2.17.1
Version Update
[SECURITY] [DLA 2870-1] apache-log4j2 security update
Published Date:Dec 29, 2021
Updated Date:Dec 29, 2021
Source:Debian9
Affected Packages:
apache-log4j2-2.12.4, liblog4j2-java-2.12.4

CVE-2021-44832

11 fixes found:

Update for Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6)

(RHSA-2022:1296) Low: Red Hat JBoss Enterprise Application Platform 7.4.4 security update

(RHSA-2022:1297) Low: Red Hat JBoss Enterprise Application Platform 7.4.4 security update

Apache Log4j 2 vulnerabilities

Apache Log4j 2 vulnerabilities

Apache Log4j 2 vulnerabilities

Apache Log4j 2 vulnerabilities

[SECURITY] [DLA 2870-1] apache-log4j2 security update