Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2021-44832

Опубликовано: 28 дек. 2021
Источник: debian
EPSS Средний

Описание

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
apache-log4j2fixed2.17.1-1package
apache-log4j2fixed2.17.1-1~deb11u1bullseyepackage
apache-log4j2fixed2.17.1-1~deb10u1busterpackage

Примечания

  • https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832

  • https://issues.apache.org/jira/browse/LOG4J2-3293

  • https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143

  • https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16 (log4j-2.17.1-rc1)

  • Fixed in 2.17.1, 2.12.4 and 2.3.2

EPSS

Процентиль: 98%
0.47122
Средний

Связанные уязвимости

ubuntu логотип

CVE-2021-44832

CVSS3: 6.6
ubuntu
больше 3 лет назад

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

redhat логотип

CVE-2021-44832

CVSS3: 6.6
redhat
больше 3 лет назад

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

nvd логотип

CVE-2021-44832

CVSS3: 6.6
nvd
больше 3 лет назад

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

suse-cvrf логотип

openSUSE-SU-2022:0002-1

suse-cvrf
больше 3 лет назад

Security update for log4j

suse-cvrf логотип

openSUSE-SU-2021:4208-1

suse-cvrf
больше 3 лет назад

Security update for log4j

EPSS

Процентиль: 98%
0.47122
Средний