Back to search
CVE-2021-44832
Published: Dec 28, 2021
Modified: May 29, 2026
PUBLISHED
Description
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
| Vendor | Product | Versions |
|---|---|---|
Apache Software Foundation | Apache Log4j2 | affected log4j-core - < 2.17.1 |
References
20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021
vendor-advisory
x_refsource_CISCO
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
x_refsource_MISC
https://issues.apache.org/jira/browse/LOG4J2-3293
x_refsource_MISC
[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update
mailing-list
x_refsource_MLIST
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
x_refsource_CONFIRM
FEDORA-2021-c6f471ce0f
vendor-advisory
x_refsource_FEDORA
FEDORA-2021-1bd9151bab
vendor-advisory
x_refsource_FEDORA
https://www.oracle.com/security-alerts/cpujan2022.html
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20220104-0001/
x_refsource_CONFIRM
https://www.oracle.com/security-alerts/cpuapr2022.html
x_refsource_MISC
https://www.oracle.com/security-alerts/cpujul2022.html
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now