https://nvd.nist.gov/vuln/detail/CVE-2021-44832

You are viewing this page in an unauthorized frame window.

This is a potential security issue, you are being redirected to
https://nvd.nist.gov

You have JavaScript disabled. This site requires JavaScript to be
enabled for complete site functionality.

U.S. flag   An official website of the United States government 
Here's how you know
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the
United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the
.gov website. Share sensitive information only on official, secure
websites.

National Institute of Standards and Technology
NVD MENU

  * General Expand or Collapse

    NVD Dashboard

    News

    Email List

    FAQ

    Visualizations

  * Vulnerabilities Expand or Collapse

    Search & Statistics

    Full Listing

    Categories

    Data Feeds

    Vendor Comments

    CVMAP

  * Vulnerability Metrics Expand or Collapse

    CVSS V3 Calculator

    CVSS V2 Calculator

  * Products Expand or Collapse

    CPE Dictionary

    CPE Search

    CPE Statistics

    SWID

  * Developers Expand or Collapse

    Start Here

    Request an API Key

    Vulnerabilities

    Products

    Terms of Use

  * Contact NVD
  * Other Sites Expand or Collapse

    Checklist (NCP) Repository

    Configurations (CCE)

    800-53 Controls

    SCAP Validated Tools

    SCAP

    USGCB

  * Search Expand or Collapse

    Vulnerability Search

    CPE Search

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

NVD

NVD Logo

 1. Vulnerabilities

CVE-2021-44832 Detail

Awaiting Analysis
---------------------------------------------------------------------

This vulnerability is currently awaiting analysis.

Description

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security
fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code
execution (RCE) attack where an attacker with permission to modify
the logging configuration file can construct a malicious
configuration using a JDBC Appender with a data source referencing a
JNDI URI which can execute remote code. This issue is fixed by
limiting JNDI data source names to the java protocol in Log4j2
versions 2.17.1, 2.12.4, and 2.3.2.


Severity

 
CVSS Version 3.x CVSS Version 2.0

CVSS 3.x Severity and Metrics:

NIST CVSS score
NIST: NVD
Base Score:  N/A
NVD score not yet provided. 


NVD Analysts use publicly available information to associate vector
strings and CVSS scores. We also display any CVSS information
provided within the CVE List from the CNA.

Note: NVD Analysts have not published a CVSS score for this CVE at
this time. NVD Analysts use publicly available information at the
time of analysis to associate CVSS vector strings.

CVSS 2.0 Severity and Metrics:

National Institute of Standards and Technology
NIST: NVD
Base Score: N/A
NVD score not yet provided. 


NVD Analysts use publicly available information to associate vector
strings and CVSS scores. We also display any CVSS information
provided within the CVE List from the CNA.

Note: NVD Analysts have not published a CVSS score for this CVE at
this time. NVD Analysts use publicly available information at the
time of analysis to associate CVSS vector strings.


References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have
provided these links to other web sites because they may have
information that would be of interest to you. No inferences should be
drawn on account of other sites being referenced, or not, from this
page. There may be other web sites that are more appropriate for your
purpose. NIST does not necessarily endorse the views expressed, or
concur with the facts presented on these sites. Further, NIST does
not endorse any commercial products that may be mentioned on these
sites. Please address comments about this page to nvd@nist.gov.

                         Hyperlink                           Resource
http://www.openwall.com/lists/oss-security/2021/12/28/1
https://issues.apache.org/jira/browse/LOG4J2-3293
https://lists.apache.org/thread/
s1o5vlo78ypqxnzn6p8zf6t9shtq5143

Weakness Enumeration

CWE-ID                CWE Name                        Source
                                              Contributor acceptance
CWE-20 Improper Input Validation              level Apache Software
                                              Foundation  
       Improper Neutralization of Special     Contributor acceptance
CWE-74 Elements in Output Used by a           level Apache Software
       Downstream Component ('Injection')     Foundation  

Change History

1 change records found show changes

CVE Modified by Apache Software Foundation 12/28/2021 5:15:07 PM

Action   Type     Old                                   New Value
                 Value
                       http://www.openwall.com/lists/oss-security/2021/12/28/1 [No Types Assigned]
Added  Reference



Quick Info

CVE Dictionary Entry:
CVE-2021-44832
NVD Published Date:
12/28/2021
NVD Last Modified:
12/28/2021
Source:
Apache Software Foundation

  * twitter (link is external)
  * facebook (link is external)
  * linkedin (link is external)
  * youtube (link is external)
  * rss
  * govdelivery (link is external)

National Institute of Standards and Technology logo
National Institute of Standards and Technology logo
HEADQUARTERS
100 Bureau Drive
Gaithersburg, MD 20899
(301) 975-2000

Webmaster | Contact Us | Our Other Offices
Incident Response Assistance and Non-NVD Related
Technical Cyber Security Questions:
US-CERT Security Operations Center
Email: soc@us-cert.gov
Phone: 1-888-282-0870
Sponsored by
                      CISA CISA

Site Privacy | Accessibility | Privacy Program | Copyrights |
Vulnerability Disclosure | No Fear Act Policy | FOIA | Environmental
Policy | Scientific Integrity | Information Quality Standards |
Commerce.gov | Science.gov | USA.gov