CVE-2021-44228

Name
CVE-2021-44228
Description
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://logging.apache.org/log4j/2.x/security.html
MLIST http://www.openwall.com/lists/oss-security/2021/12/10/1
MLIST http://www.openwall.com/lists/oss-security/2021/12/10/2
MISC http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html
CONFIRM https://security.netapp.com/advisory/ntap-20211210-0007/
CISCO https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
MLIST http://www.openwall.com/lists/oss-security/2021/12/10/3
CONFIRM https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
DEBIAN https://www.debian.org/security/2021/dsa-5020
CONFIRM https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/
MLIST http://www.openwall.com/lists/oss-security/2021/12/13/1
MLIST http://www.openwall.com/lists/oss-security/2021/12/13/2
MISC https://twitter.com/kurtseifried/status/1469345530182455296
MLIST https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html
CONFIRM https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
MISC http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html
MISC http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html
MISC http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html
MLIST http://www.openwall.com/lists/oss-security/2021/12/14/4
CONFIRM https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
CERT-VN https://www.kb.cert.org/vuls/id/930724
MLIST http://www.openwall.com/lists/oss-security/2021/12/15/1
MISC http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html
MISC http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html
MISC http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html
MISC http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html
MISC http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html
MLIST http://www.openwall.com/lists/oss-security/2021/12/15/3
CONFIRM https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
MS https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
Third Party Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
Third Party Advisory http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html
Third Party Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
Third Party Advisory http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/
Product https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md
Third Party Advisory http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html
Third Party Advisory http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html
Patch https://www.oracle.com/security-alerts/cpujan2022.html
Third Party Advisory https://github.com/cisagov/log4j-affected-db
Third Party Advisory https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001
Third Party Advisory https://support.apple.com/kb/HT213189
Mailing List http://seclists.org/fulldisclosure/2022/Mar/23
MISC https://www.oracle.com/security-alerts/cpuapr2022.html
MISC https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228
MISC https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html
Third Party Advisory http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html
Exploit http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html
Third Party Advisory http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html
Exploit http://seclists.org/fulldisclosure/2022/Dec/2
Mailing List http://seclists.org/fulldisclosure/2022/Jul/11
Release Notes https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/
Release Notes https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/
134c704f-9b21-4f2e-91b3-4a467353bcc0 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44228

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:* log4j == None == 2.0
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* log4j >= 2.0.1 < 2.15.0
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* log4j >= 2.0.1 < 2.12.2
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* log4j >= 2.13.0 < 2.15.0
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* log4j >= 2.0.1 < 2.3.1
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* log4j >= 2.4.0 < 2.12.2
cpe:2.3:o:siemens:6bk1602-0aa12-0tp0_firmware:*:*:*:*:*:*:*:* 6bk1602-0aa12-0tp0_firmware >= None < 2.7.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status