Apache Log4j — библиотека журналирования (логирования) Java-программ
Релизный цикл, информация об уязвимостях
График релизов
Количество 106
CVE-2021-44832
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fi ...
CVE-2021-44832
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
openSUSE-SU-2021:1631-1
Security update for kafka
CVE-2021-44832
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
openSUSE-SU-2021:1613-1
Security update for logback
openSUSE-SU-2021:1612-1
Security update for log4j12
openSUSE-SU-2021:1605-1
Security update for log4j
openSUSE-SU-2021:4118-1
Security update for log4j
GHSA-p6xc-xr62-6r2g
Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion
CVE-2021-45105
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| CVE-2021-44832 Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fi ... | CVSS3: 6.6 | 47% Средний | больше 3 лет назад |
 | CVE-2021-44832 Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. | CVSS3: 6.6 | 47% Средний | больше 3 лет назад |
 | openSUSE-SU-2021:1631-1 Security update for kafka | 73% Высокий | больше 3 лет назад | |
 | CVE-2021-44832 Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. | CVSS3: 6.6 | 47% Средний | больше 3 лет назад |
| openSUSE-SU-2021:1613-1 Security update for logback | 94% Критический | больше 3 лет назад | |
| openSUSE-SU-2021:1612-1 Security update for log4j12 | 73% Высокий | больше 3 лет назад | |
| openSUSE-SU-2021:1605-1 Security update for log4j | 65% Средний | больше 3 лет назад | |
| openSUSE-SU-2021:4118-1 Security update for log4j | 65% Средний | больше 3 лет назад | |
| GHSA-p6xc-xr62-6r2g Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion | CVSS3: 8.6 | 65% Средний | больше 3 лет назад |
 | CVE-2021-45105 Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1. | CVSS3: 5.9 | 65% Средний | больше 3 лет назад |
Уязвимостей на страницу