CVE-2021-44832
Description
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to remote code execution (RCE) when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker controls the target LDAP server. The issue is fixed by restricting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Risk Information
Base Score
6.6
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
53.591
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Apache Log4j Vulnerability (CVE-2021-44832) | Windows |
| Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.3.0 | Windows |
| Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.4.0 | Windows |
| Multiple vulnerabilities are affected in Oracle WebLogic Server 14.1.1.0.0 | Windows |
| Vulnerabilities CVE-2021-45105,CVE-2021-44832 are fixed in IBM WebSphere 9.0.5.11 | Windows |
| Multiple vulnerabilities are fixed in IBM WebSphere 8.5.5.21 | Windows |
| Multiple Vulnerabilities are affected in IBM EntireX 11.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.0.13 | Windows |
| Vulnerabilities CVE-2021-44832,CVE-2020-9488 are fixed in Apache - Log4j Core 2.3.2 | Windows |
| Vulnerabilities CVE-2021-44832 are fixed in Apache - Log4j Core 2.12.4 | Windows |
| Vulnerabilities CVE-2021-44832 are fixed in Apache - Log4j Core 2.17.1 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.58 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.59 | Windows |
| Multiple vulnerabilities are affected in Oracle Communications Order and Service Management 7.3 | Windows |
| Multiple vulnerabilities are affected in Oracle Communications Order and Service Management 7.4 | Windows |
| Vulnerabilities CVE-2021-44832,CVE-2022-23305 are fixed in Oracle Hyperion Data Relationship Management 11.2.8.0 | Windows |
| Vulnerabilities CVE-2021-44832 are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 19.12.18.0 | Windows |
| Vulnerabilities CVE-2021-44832 are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 20.12.12.0 | Windows |
| Vulnerabilities CVE-2021-44832 are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 21.12.0.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Tivoli Monitoring 6.3.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.2 | Windows |
| Multiple Vulnerabilities are affected in IBM MQ 9.1 | Windows |
| Multiple Vulnerabilities are affected in IBM MQ 9.2 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 21.0 | Windows |
| Multiple Vulnerabilities are affected in IBM App Connect Enterprise 11.0.0.15 | Windows |
| Multiple Vulnerabilities are affected in IBM App Connect Enterprise 12.0.3.0 | Windows |
| Vulnerabilities CVE-2021-45105,CVE-2021-44832,CVE-2021-45046,CVE-2021-44228 are fixed in Ops4j - pax-logging-log4j2 1.9.2 | Windows |
| Vulnerabilities CVE-2021-45105,CVE-2021-44832 are fixed in Ops4j - pax-logging-log4j2 1.10.9 | Windows |
| Vulnerabilities CVE-2021-44832 are fixed in Ops4j - pax-logging-log4j2 1.11.13 | Windows |
| Vulnerabilities CVE-2021-44832 are fixed in Ops4j - pax-logging-log4j2 2.0.14 | Windows |
| Apache Log4j - Logging Framework for Java (USN-5222-1) liblog4j2-java_2.17.1-0.20.04.1_all.deb | Linux |
| Apache Log4j - Logging Framework for Java (USN-5222-1) liblog4j2-java_2.17.1-0.21.04.1_all.deb | Linux |
| Apache Log4j - Logging Framework for Java (USN-5222-1) liblog4j2-java_2.17.1-0.21.10.1_all.deb | Linux |
| Apache Log4j - Logging Framework for Java (USN-5222-1) liblog4j2-java_2.12.4-0ubuntu0.1_all.deb | Linux |
| aws-kinesis-agent Security Update (ALAS-2022-1734) aws-kinesis-agent-2.0.6-1.amzn2.noarch.rpm | Linux |
| Vulnerabilities CVE-2021-44832,CVE-2020-9488 are fixed in Apache - Log4j Core for Linux 2.3.2 | Linux |
| Vulnerabilities CVE-2021-44832 are fixed in Apache - Log4j Core for Linux 2.12.4 | Linux |
| Vulnerabilities CVE-2021-44832 are fixed in Apache - Log4j Core for Linux 2.17.1 | Linux |
| Vulnerabilities CVE-2021-45105,CVE-2021-44832,CVE-2021-45046,CVE-2021-44228 are fixed in Ops4j - pax-logging-log4j2 for Linux 1.9.2 | Linux |
| Vulnerabilities CVE-2021-45105,CVE-2021-44832 are fixed in Ops4j - pax-logging-log4j2 for Linux 1.10.9 | Linux |
| Vulnerabilities CVE-2021-44832 are fixed in Ops4j - pax-logging-log4j2 for Linux 1.11.13 | Linux |
| Vulnerabilities CVE-2021-44832 are fixed in Ops4j - pax-logging-log4j2 for Linux 2.0.14 | Linux |
| Improper Input Validation Vulnerability (CVE-2021-44832) | NCM |
Patch Details
No records found