Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2021-44832

Опубликовано: 28 дек. 2021
Источник: debian

Описание

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
apache-log4j2fixed2.17.1-1package
apache-log4j2fixed2.17.1-1~deb11u1bullseyepackage
apache-log4j2fixed2.17.1-1~deb10u1busterpackage

Примечания

  • https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832

  • https://issues.apache.org/jira/browse/LOG4J2-3293

  • https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143

  • https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16 (log4j-2.17.1-rc1)

  • Fixed in 2.17.1, 2.12.4 and 2.3.2

Связанные уязвимости

ubuntu логотип

CVE-2021-44832

CVSS3: 6.6
ubuntu
почти 4 года назад

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

redhat логотип

CVE-2021-44832

CVSS3: 6.6
redhat
почти 4 года назад

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

nvd логотип

CVE-2021-44832

CVSS3: 6.6
nvd
почти 4 года назад

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

suse-cvrf логотип

openSUSE-SU-2022:0002-1

suse-cvrf
почти 4 года назад

Security update for log4j

suse-cvrf логотип

openSUSE-SU-2021:4208-1

suse-cvrf
почти 4 года назад

Security update for log4j