Описание
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Ссылки
- Mailing ListThird Party Advisory
- Third Party Advisory
- Issue TrackingPatchVendor Advisory
- Mailing ListVendor Advisory
- Mailing ListThird Party Advisory
- Third Party Advisory
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbdThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- Mailing ListThird Party Advisory
- Third Party Advisory
- Issue TrackingPatchVendor Advisory
- Mailing ListVendor Advisory
- Mailing ListThird Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 2.0.1 (включая) до 2.3.2 (исключая)Версия от 2.4 (включая) до 2.12.4 (исключая)Версия от 2.13.0 (включая) до 2.17.1 (исключая)
Одно из
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:2.0:beta7:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:2.0:beta8:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
Конфигурация 2Версия от 8.0.0.0 (включая) до 8.5.1.0 (включая)Версия от 17.12.0 (включая) до 17.12.11 (включая)Версия от 18.8.0 (включая) до 18.8.13 (включая)Версия от 19.12.0 (включая) до 19.12.12 (включая)Версия от 20.12.0 (включая) до 20.12.7 (включая)Версия от 19.12.0 (включая) до 19.12.18.0 (включая)Версия от 20.12.0.0 (включая) до 20.12.12.0 (включая)
Одно из
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:21.12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:21.12.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_fiscal_management:14.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_ui_framework:21.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
Конфигурация 3
cpe:2.3:a:cisco:cloudcenter:4.10.0.16:*:*:*:*:*:*:*
Конфигурация 4
Одно из
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Конфигурация 5
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Конфигурация 6Версия до 12.0.0.4.6 (исключая)Версия от 8.3.0.0 (включая) до 8.5.1.0 (включая)Версия до 12.0.0.4.4 (исключая)Версия от 12.2.0 (включая) до 12.2.24 (включая)Версия от 12.2.0 (включая) до 12.2.24 (включая)Версия от 17.12.0 (включая) до 17.12.11 (включая)Версия от 18.8.0 (включая) до 18.8.13 (включая)Версия от 19.12.0 (включая) до 19.12.12 (включая)Версия от 20.12.0 (включая) до 20.12.7 (включая)Версия от 19.12.0.0 (включая) до 19.12.18.0 (включая)Версия от 20.12.0.0 (включая) до 20.12.12.0 (включая)Версия до 21.12 (включая)
Одно из
cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:health_sciences_data_management_workbench:2.5.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:21.12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:21.12.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
EPSS
Процентиль: 98%
0.47122
Средний
6.6 Medium
CVSS3
8.5 High
CVSS2
Дефекты
CWE-20
CWE-20
Связанные уязвимости
CVSS3: 6.6
ubuntu
больше 3 лет назад
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
CVSS3: 6.6
redhat
больше 3 лет назад
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
CVSS3: 6.6
debian
больше 3 лет назад
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fi ...
EPSS
Процентиль: 98%
0.47122
Средний
6.6 Medium
CVSS3
8.5 High
CVSS2
Дефекты
CWE-20
CWE-20