Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Metrics
No CVSS v4.0
Attack Vector Network
Attack Complexity Low
Privileges Required None
Scope Changed
Confidentiality Impact High
Integrity Impact High
Availability Impact High
User Interaction None
No CVSS v3.0
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
AV:N/AC:M/Au:N/C:C/I:C/A:C
This CVE is not in the KEV list.
Key SSVC decision points have not yet been added.
Affected Vendors & Products
Vendors | Products |
---|---|
Apache |
|
Apple |
|
Bentley |
|
Cisco |
|
Debian |
|
Fedoraproject |
|
Intel |
|
Netapp |
|
Percussion |
|
Redhat |
|
Siemens |
|
Snowsoftware |
|
Sonicwall |
|
Configuration 1 [-]
|
Configuration 2 [-]
AND |
|
Configuration 3 [-]
|
Configuration 4 [-]
|
Configuration 5 [-]
|
Configuration 6 [-]
|
Configuration 7 [-]
|
Configuration 8 [-]
|
Configuration 9 [-]
|
Configuration 10 [-]
AND |
|
Configuration 11 [-]
|
Configuration 12 [-]
|
Configuration 13 [-]
|
Configuration 14 [-]
|
Configuration 15 [-]
|
Package | CPE | Advisory | Released Date |
---|---|---|---|
EAP 7.4 log4j async | |||
log4j-core | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | RHSA-2021:5140 | 2021-12-15T00:00:00Z |
OpenShift Logging 5.0 | |||
openshift-logging/elasticsearch6-rhel8:v5.0.10-1 | cpe:/a:redhat:logging:5.0::el8 | RHSA-2021:5137 | 2021-12-14T00:00:00Z |
OpenShift Logging 5.1 | |||
openshift-logging/elasticsearch6-rhel8:v6.8.1-67 | cpe:/a:redhat:logging:5.1::el8 | RHSA-2021:5128 | 2021-12-14T00:00:00Z |
OpenShift Logging 5.2 | |||
openshift-logging/elasticsearch6-rhel8:v6.8.1-66 | cpe:/a:redhat:logging:5.2::el8 | RHSA-2021:5127 | 2021-12-14T00:00:00Z |
OpenShift Logging 5.3 | |||
openshift-logging/elasticsearch6-rhel8:v6.8.1-65 | cpe:/a:redhat:logging:5.3::el8 | RHSA-2021:5129 | 2021-12-14T00:00:00Z |
Red Hat AMQ Streams 1.6.5 | |||
log4j-core | cpe:/a:redhat:amq_streams:1 | RHSA-2021:5133 | 2021-12-14T00:00:00Z |
Red Hat AMQ Streams 1.8.4 | |||
log4j-core | cpe:/a:redhat:amq_streams:1 | RHSA-2021:5138 | 2021-12-14T00:00:00Z |
Red Hat Data Grid 8.2.2 | |||
log4j-core | cpe:/a:redhat:jboss_data_grid:8.2 | RHSA-2021:5132 | 2021-12-14T00:00:00Z |
Red Hat Fuse 7.10 | |||
log4j-core | cpe:/a:redhat:jboss_fuse:7 | RHSA-2021:5134 | 2021-12-14T00:00:00Z |
Red Hat Fuse 7.8.2, 7.9.1, 7.10.1 | |||
log4j-core | cpe:/a:redhat:jboss_fuse:7 | RHSA-2022:0203 | 2022-01-20T00:00:00Z |
Red Hat Integration | |||
log4j-core | cpe:/a:redhat:integration:1 | RHSA-2021:5130 | 2021-12-14T00:00:00Z |
Red Hat Integration Camel Quarkus | |||
log4j-core | cpe:/a:redhat:camel_quarkus:2.2 | RHSA-2021:5126 | 2021-12-14T00:00:00Z |
Red Hat OpenShift Container Platform 3.11 | |||
openshift3/ose-logging-elasticsearch5:v3.11.570-2.gd119820 | cpe:/a:redhat:openshift:3.11::el7 | RHSA-2021:5094 | 2021-12-14T00:00:00Z |
Red Hat OpenShift Container Platform 4.6 | |||
openshift4/ose-logging-elasticsearch6:v4.6.0-202112132021.p0.g2a13a81.assembly.stream | cpe:/a:redhat:openshift:4.6::el8 | RHSA-2021:5106 | 2021-12-16T00:00:00Z |
openshift4/ose-metering-hive:v4.6.0-202112140546.p0.g8b9da97.assembly.stream | cpe:/a:redhat:openshift:4.6::el8 | RHSA-2021:5106 | 2021-12-16T00:00:00Z |
openshift4/ose-metering-presto:v4.6.0-202112150545.p0.g190688a.assembly.art3595 | cpe:/a:redhat:openshift:4.6::el8 | RHSA-2021:5141 | 2021-12-16T00:00:00Z |
Red Hat OpenShift Container Platform 4.7 | |||
openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream | cpe:/a:redhat:openshift:4.7::el8 | RHSA-2021:5107 | 2021-12-16T00:00:00Z |
openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40 | cpe:/a:redhat:openshift:4.7::el8 | RHSA-2021:5107 | 2021-12-16T00:00:00Z |
Red Hat OpenShift Container Platform 4.8 | |||
openshift4/ose-metering-hive:v4.8.0-202112132154.p0.g57dd03a.assembly.stream | cpe:/a:redhat:openshift:4.8::el8 | RHSA-2021:5108 | 2021-12-14T00:00:00Z |
openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599 | cpe:/a:redhat:openshift:4.8::el8 | RHSA-2021:5148 | 2021-12-15T00:00:00Z |
RHPAM 7.11.1 | |||
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.11 | RHSA-2022:0082 | 2022-01-11T00:00:00Z | |
RHPAM 7.12.0 | |||
log4j-core | cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12 | RHSA-2022:0296 | 2022-01-26T00:00:00Z |
Vert.x 4.1.5 SP1 | |||
log4j-core | cpe:/a:redhat:openshift_application_runtimes:1.0 | RHSA-2021:5093 | 2021-12-14T00:00:00Z |
References
History
Wed, 14 Aug 2024 00:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2021-12-10T00:00:00
Updated: 2024-08-04T04:17:24.696Z
Reserved: 2021-11-26T00:00:00
Link: CVE-2021-44228
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-12-10T10:15:09.143
Modified: 2024-11-21T06:30:38.047
Link: CVE-2021-44228
Redhat