CVE-2021-44832

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker controls the target LDAP server. The issue is fixed in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2, which limit JNDI data source names to the java protocol.

11 fixes found:

    Workaround

    Update for Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6)
    Published Date: Dec 28, 2021
    Updated Date: Dec 28, 2021

      Version Update

      (RHSA-2022:1296) Low: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
      Published Date: Apr 11, 2022
      Updated Date: Apr 11, 2022
      Source: RedHat7
      Affected Packages:

      eap7-wildfly-java-jdk11-7.4.4, eap7-yasson-1.0.10, eap7-wildfly-modules-7.4.4, eap7-wildfly-elytron-tool-1.15.11, eap7-jboss-server-migration-cli-1.10.0, eap7-wildfly-java-jdk8-7.4.4, eap7-wildfly-javadocs-7.4.4, eap7-activemq-artemis-service-extensions-2.16.0, eap7-narayana-restat-bridge-5.11.4, eap7-activemq-artemis-jms-client-2.16.0, eap7-infinispan-cachestore-jdbc-11.0.15, eap7-activemq-artemis-journal-2.16.0, eap7-jboss-xnio-base-3.8.6, eap7-infinispan-commons-11.0.15, eap7-infinispan-11.0.15, eap7-narayana-jbosstxbridge-5.11.4, eap7-wildfly-7.4.4, eap7-jboss-server-migration-core-1.10.0, eap7-narayana-jbossxts-5.11.4, eap7-xom-1.3.7, eap7-infinispan-hibernate-cache-v53-11.0.15, eap7-infinispan-hibernate-cache-spi-11.0.15, eap7-infinispan-component-annotations-11.0.15, eap7-narayana-jts-integration-5.11.4, eap7-narayana-compensations-5.11.4, eap7-wildfly-elytron-1.15.11, eap7-narayana-5.11.4, eap7-narayana-restat-integration-5.11.4, eap7-hibernate-entitymanager-5.3.25, eap7-activemq-artemis-server-2.16.0, eap7-wildfly-openssl-java-2.2.0, eap7-activemq-artemis-cli-2.16.0, eap7-wildfly-openssl-el7-x86_64-debuginfo-2.2.0, eap7-hibernate-envers-5.3.25, eap7-hibernate-core-5.3.25, eap7-ecj-3.26.0, eap7-activemq-artemis-hornetq-protocol-2.16.0, eap7-log4j-2.17.1, eap7-activemq-artemis-ra-2.16.0, eap7-wildfly-openssl-el7-x86_64-2.2.0, eap7-hibernate-java8-5.3.25, eap7-infinispan-client-hotrod-11.0.15, eap7-hibernate-5.3.25, eap7-wildfly-openssl-2.2.0, eap7-activemq-artemis-tools-2.16.0, eap7-jboss-server-migration-1.10.0, eap7-hal-console-3.3.9, eap7-activemq-artemis-jdbc-store-2.16.0, eap7-activemq-artemis-core-client-2.16.0, eap7-undertow-2.2.16, eap7-narayana-jts-idlj-5.11.4, eap7-infinispan-hibernate-cache-commons-11.0.15, eap7-objectweb-asm-9.1.0, eap7-narayana-restat-api-5.11.4, eap7-jboss-vfs-3.2.16, eap7-activemq-artemis-2.16.0, eap7-infinispan-core-11.0.15, eap7-narayana-restat-util-5.11.4, eap7-infinispan-cachestore-remote-11.0.15, 
eap7-activemq-artemis-dto-2.16.0, eap7-activemq-artemis-selector-2.16.0, eap7-activemq-artemis-hqclient-protocol-2.16.0, eap7-jbossws-cxf-5.4.4, eap7-activemq-artemis-commons-2.16.0, eap7-narayana-txframework-5.11.4, eap7-activemq-artemis-jms-server-2.16.0

      Version Update

      (RHSA-2022:1297) Low: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
      Published Date: Apr 11, 2022
      Updated Date: Apr 11, 2022
      Source: RedHat8
      Affected Packages:

      eap7-yasson-1.0.10, eap7-wildfly-elytron-tool-1.15.11, eap7-jboss-server-migration-cli-1.10.0, eap7-wildfly-modules-7.4.4, eap7-wildfly-javadocs-7.4.4, eap7-activemq-artemis-service-extensions-2.16.0, eap7-narayana-restat-bridge-5.11.4, eap7-activemq-artemis-jms-client-2.16.0, eap7-infinispan-cachestore-jdbc-11.0.15, eap7-activemq-artemis-journal-2.16.0, eap7-jboss-xnio-base-3.8.6, eap7-infinispan-commons-11.0.15, eap7-infinispan-11.0.15, eap7-narayana-jbosstxbridge-5.11.4, eap7-wildfly-7.4.4, eap7-jboss-server-migration-core-1.10.0, eap7-narayana-jbossxts-5.11.4, eap7-infinispan-hibernate-cache-v53-11.0.15, eap7-infinispan-hibernate-cache-spi-11.0.15, eap7-xom-1.3.7, eap7-wildfly-openssl-el8-x86_64-debuginfo-2.2.0, eap7-narayana-jts-integration-5.11.4, eap7-narayana-compensations-5.11.4, eap7-infinispan-component-annotations-11.0.15, eap7-wildfly-elytron-1.15.11, eap7-narayana-5.11.4, eap7-narayana-restat-integration-5.11.4, eap7-hibernate-entitymanager-5.3.25, eap7-activemq-artemis-server-2.16.0, eap7-wildfly-openssl-java-2.2.0, eap7-activemq-artemis-cli-2.16.0, eap7-hibernate-envers-5.3.25, eap7-hibernate-core-5.3.25, eap7-ecj-3.26.0, eap7-log4j-2.17.1, eap7-activemq-artemis-ra-2.16.0, eap7-activemq-artemis-hornetq-protocol-2.16.0, eap7-hibernate-java8-5.3.25, eap7-wildfly-openssl-el8-x86_64-2.2.0, eap7-infinispan-client-hotrod-11.0.15, eap7-hibernate-5.3.25, eap7-wildfly-openssl-2.2.0, eap7-activemq-artemis-tools-2.16.0, eap7-jboss-server-migration-1.10.0, eap7-hal-console-3.3.9, eap7-activemq-artemis-jdbc-store-2.16.0, eap7-activemq-artemis-core-client-2.16.0, eap7-undertow-2.2.16, eap7-narayana-jts-idlj-5.11.4, eap7-infinispan-hibernate-cache-commons-11.0.15, eap7-objectweb-asm-9.1.0, eap7-narayana-restat-api-5.11.4, eap7-jboss-vfs-3.2.16, eap7-activemq-artemis-2.16.0, eap7-infinispan-core-11.0.15, eap7-narayana-restat-util-5.11.4, eap7-infinispan-cachestore-remote-11.0.15, eap7-activemq-artemis-dto-2.16.0, eap7-activemq-artemis-selector-2.16.0, 
eap7-activemq-artemis-hqclient-protocol-2.16.0, eap7-jbossws-cxf-5.4.4, eap7-activemq-artemis-commons-2.16.0, eap7-narayana-txframework-5.11.4, eap7-activemq-artemis-jms-server-2.16.0

      Version Update

      Apache Log4j 2 vulnerabilities
      Published Date: Jan 11, 2022
      Updated Date: Jan 11, 2022
      Source: Ubuntu18.04
      Affected Packages:

      liblog4j2-java-2.12.4, liblog4j2-java-doc-2.12.4

      Version Update

      Apache Log4j 2 vulnerabilities
      Published Date: Jan 11, 2022
      Updated Date: Jan 11, 2022
      Source: Ubuntu21.04
      Affected Packages:

      liblog4j2-java-2.17.1

      Version Update

      Apache Log4j 2 vulnerabilities
      Published Date: Jan 11, 2022
      Updated Date: Jan 11, 2022
      Source: Ubuntu20.04
      Affected Packages:

      liblog4j2-java-2.17.1, liblog4j2-java-doc-2.17.1

      Version Update

      Apache Log4j 2 vulnerabilities
      Published Date: Jan 11, 2022
      Updated Date: Jan 11, 2022
      Source: Ubuntu21.10
      Affected Packages:

      liblog4j2-java-2.17.1

      Version Update

      [SECURITY] [DLA 2870-1] apache-log4j2 security update
      Published Date: Dec 29, 2021
      Updated Date: Dec 29, 2021
      Source: Debian9
      Affected Packages:

      apache-log4j2-2.12.4, liblog4j2-java-2.12.4