Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
|
History
07 Nov 2023, 03:39
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
09 Aug 2022, 01:24
Type | Values Removed | Values Added |
---|---|---|
References | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:health_sciences_data_management_workbench:2.5.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.1.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.0.0.0:*:*:*:*:*:*:* |
|
First Time |
Oracle policy Automation
Oracle policy Automation For Mobile Devices Oracle retail Order Broker Oracle flexcube Private Banking Oracle retail Xstore Point Of Service Oracle communications Brm - Elastic Charging Engine Oracle health Sciences Data Management Workbench Oracle product Lifecycle Analytics Oracle communications Offline Mediation Controller |
|
CWE |
25 Jul 2022, 18:18
Type | Values Removed | Values Added |
---|---|---|
References |
|
01 Jul 2022, 18:34
Type | Values Removed | Values Added |
---|---|---|
First Time |
Oracle communications Interactive Session Recorder
Fedoraproject fedora Cisco cloudcenter Oracle primavera P6 Enterprise Project Portfolio Management Debian debian Linux Oracle primavera Gateway Oracle communications Diameter Signaling Router Fedoraproject Oracle primavera Unifier Oracle retail Fiscal Management Debian Oracle siebel Ui Framework Oracle retail Assortment Planning Cisco Oracle Oracle weblogic Server |
|
CVSS |
v2 : v3 : |
v2 : 8.5
v3 : 6.6 |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/ - Mailing List, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20220104-0001/ - Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Third Party Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/ - Mailing List, Third Party Advisory | |
References | (CISCO) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd - Third Party Advisory | |
CPE | cpe:2.3:a:oracle:retail_fiscal_management:14.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:21.12.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* cpe:2.3:a:cisco:cloudcenter:4.10.0.16:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:21.12.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_ui_framework:21.12:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* |
20 Apr 2022, 00:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Feb 2022, 16:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Jan 2022, 14:10
Type | Values Removed | Values Added |
---|---|---|
References |
|
06 Jan 2022, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
05 Jan 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Dec 2021, 16:15
Type | Values Removed | Values Added |
---|---|---|
Summary | Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. |
30 Dec 2021, 01:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
29 Dec 2021, 15:49
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143 - Mailing List, Vendor Advisory | |
References | (MISC) https://issues.apache.org/jira/browse/LOG4J2-3293 - Issue Tracking, Patch, Vendor Advisory | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2021/12/28/1 - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf - Third Party Advisory | |
CWE | CWE-20 CWE-74 |
|
CPE | cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:* cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* cpe:2.3:a:apache:log4j:2.0:beta7:*:*:*:*:*:* cpe:2.3:a:apache:log4j:2.0:beta8:*:*:*:*:*:* cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:* cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:* cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : 6.0
v3 : 6.6 |
First Time |
Apache
Apache log4j |
29 Dec 2021, 00:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
28 Dec 2021, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
28 Dec 2021, 20:21
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-12-28 20:15
Updated : 2023-12-10 14:09
NVD link : CVE-2021-44832
Mitre link : CVE-2021-44832
CVE.ORG link : CVE-2021-44832
JSON object : View
Products Affected
oracle
- primavera_p6_enterprise_project_portfolio_management
- flexcube_private_banking
- weblogic_server
- communications_brm_-_elastic_charging_engine
- communications_diameter_signaling_router
- primavera_gateway
- retail_order_broker
- policy_automation_for_mobile_devices
- health_sciences_data_management_workbench
- primavera_unifier
- retail_assortment_planning
- communications_offline_mediation_controller
- product_lifecycle_analytics
- policy_automation
- retail_xstore_point_of_service
- communications_interactive_session_recorder
- siebel_ui_framework
- retail_fiscal_management
debian
- debian_linux
cisco
- cloudcenter
fedoraproject
- fedora
apache
- log4j