CVE-2021-44832

Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

CVSS 6.6 MEDIUM | EPSS 97.9% | CWE-20 | CWE-74
In short

Apache Log4j2 can execute arbitrary code if its logging configuration contains a JDBC Appender whose JNDI data source points at an LDAP server the attacker controls. The JDBC Appender does not properly validate the data source name, so JNDI protocols other than java, such as LDAP, are accepted.

Technical detail

Log4j2 versions 2.0-beta7 through 2.17.0 are vulnerable to RCE via JNDI injection in JDBC Appender configurations. When the appender's data source is specified as an LDAP JNDI URI and an attacker controls that LDAP server, the server's response can lead to code execution in the logging application. Exploitation requires the attacker to be able to modify the logging configuration, which is reflected by PR:H in the CVSS vector. The vulnerability stems from insufficient input validation (CWE-20) and improper neutralization of special elements (CWE-74) in data source names.

Summary generated and translated by AI from the official description.
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
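The configuration pattern described above next to its fixed form, plus a check that mirrors the 2.17.1 restriction (only the java protocol is accepted for a JDBC DataSource JNDI name), as an added example that is not part of the original page and not Log4j's own code. The sample configurations and host names are constructed.

```python
"""Scan Log4j2 XML configs for JDBC Appender DataSource JNDI names that use a
protocol other than java:, the configuration pattern CVE-2021-44832 abuses."""
import xml.etree.ElementTree as ET


def jndi_scheme(name: str) -> str:
    """Return the lower-cased scheme of a JNDI name ('java', 'ldap', ...), or '' if none."""
    scheme, sep, _ = name.partition(":")
    return scheme.strip().lower() if sep else ""


def find_unsafe_datasources(config_xml: str) -> list:
    """Return (appender name, jndiName) for every JDBC DataSource whose JNDI name is
    not restricted to the java: protocol. Element and attribute names are matched
    case-insensitively because Log4j2 resolves plugin names that way."""
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        app_name = appender.attrib.get("name", "<unnamed>")
        for child in appender:
            if child.tag.lower() != "datasource":
                continue
            jndi = next((v for k, v in child.attrib.items() if k.lower() == "jndiname"), None)
            if jndi is not None and jndi_scheme(jndi) != "java":
                findings.append((app_name, jndi))
    return findings


# Constructed sample: the DataSource points at an LDAP JNDI URI (vulnerable pattern).
VULNERABLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="dbLog" tableName="APPLICATION_LOG">
      <DataSource jndiName="ldap://untrusted-ldap.example:389/cn=datasource"/>
      <Column name="MESSAGE" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="error"><AppenderRef ref="dbLog"/></Root></Loggers>
</Configuration>"""

# Constructed sample: the same appender using a java: JNDI name, as 2.17.1 requires.
FIXED_CONFIG = VULNERABLE_CONFIG.replace(
    "ldap://untrusted-ldap.example:389/cn=datasource",
    "java:/comp/env/jdbc/LoggingDataSource",
)

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, find_unsafe_datasources(cfg))
```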
