vulnerability

Apache Log4j Core: CVE-2021-44832: Apache Log4j2 Remote Code Execution

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
9	(AV:N/AC:M/Au:S/C:C/I:C/A:C)	12/28/2021	12/29/2021	07/18/2022

Severity

CVSS

(AV:N/AC:M/Au:S/C:C/I:C/A:C)

Published

12/28/2021

Added

12/29/2021

Modified

07/18/2022

Description

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Solution(s)

apache-log4j-core-upgrade-2_3_2apache-log4j-core-upgrade-2_12_4apache-log4j-core-upgrade-2_17_1

References

CVE-2021-44832
https://attackerkb.com/topics/CVE-2021-44832

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today