CVSS3: 6.6 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS2: 8.5 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C

EPSS: 0.022 Low
Percentile: 89.4%
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to an attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Only the org.apache.logging.log4j:log4j-core package is directly affected by this vulnerability. If org.apache.logging.log4j:log4j-api is in use, it should be kept at the same version as org.apache.logging.log4j:log4j-core to ensure compatibility.
This issue does not impact default configurations of Log4j2 and requires an attacker to have control over the Log4j2 configuration, which reduces the likelihood of being exploited.
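Because exploitation depends on a modified logging configuration, a practical defender check is to audit Log4j2 configuration files for JDBC appenders whose DataSource jndiName uses a scheme other than java:, which is the restriction the fixed releases apply. The following is an added example written for this page, not code from the Log4j project; it models the allowed-scheme rule on the advisory text (assumption: scheme-less JNDI names are resolved relative to the initial context and are left alone), and the two configurations, including the ldap://placeholder.invalid data source, are constructed sample input.

```python
import xml.etree.ElementTree as ET

# Only the java: scheme is acceptable for a DataSource jndiName. This mirrors the
# restriction described in the advisory for 2.17.1 / 2.12.4 / 2.3.2; it is a
# model of that rule, not a copy of Log4j's own JndiManager logic (assumption).
ALLOWED_SCHEMES = {"java"}


def jndi_scheme(jndi_name):
    """Return the lower-cased URI scheme of a JNDI name, or None when it has none
    (e.g. a bare name such as "jdbc/LoggingDS" resolved against the initial context)."""
    scheme, sep, _ = jndi_name.strip().partition(":")
    if not sep or not scheme or "/" in scheme:
        return None
    return scheme.lower()


def _attr(elem, name):
    """Case-insensitive attribute lookup; Log4j2 config attribute names are case-insensitive."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return None


def find_risky_datasources(config_xml):
    """Return (appender name, jndiName, scheme) for every JDBC appender whose
    DataSource jndiName carries a scheme outside ALLOWED_SCHEMES."""
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter():
        # Log4j2 plugin element names (JDBC, DataSource) are case-insensitive too.
        if appender.tag.lower() != "jdbc":
            continue
        for child in appender:
            if child.tag.lower() != "datasource":
                continue
            jndi_name = _attr(child, "jndiName")
            if jndi_name is None:
                continue
            scheme = jndi_scheme(jndi_name)
            if scheme is not None and scheme not in ALLOWED_SCHEMES:
                findings.append((_attr(appender, "name"), jndi_name, scheme))
    return findings


# Constructed sample configurations (not taken from any real deployment).
SAFE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="dbAppender" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="error"><AppenderRef ref="dbAppender"/></Root>
  </Loggers>
</Configuration>"""

# Same file with the data source pointed at a non-java: JNDI URI (placeholder host).
RISKY_CONFIG = SAFE_CONFIG.replace(
    "java:comp/env/jdbc/LoggingDataSource", "ldap://placeholder.invalid/o=example"
)

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(label, find_risky_datasources(cfg))
```

Run the script over every log4j2.xml a deployment ships (and over any configuration source an operator can edit at runtime); an empty result for a file means no JDBC DataSource in it points outside the java: namespace. Upgrading log4j-core to a fixed release remains the actual remediation; this check only tells you whether a configuration would have exercised the vulnerable path.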
www.openwall.com/lists/oss-security/2021/12/28/1
cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
github.com/apache/logging-log4j2
issues.apache.org/jira/browse/LOG4J2-3293
lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
lists.debian.org/debian-lts-announce/2021/12/msg00036.html
lists.fedoraproject.org/archives/list/[email protected]/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA
lists.fedoraproject.org/archives/list/[email protected]/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC
nvd.nist.gov/vuln/detail/CVE-2021-44832
security.netapp.com/advisory/ntap-20220104-0001
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
www.oracle.com/security-alerts/cpuapr2022.html
www.oracle.com/security-alerts/cpujan2022.html
www.oracle.com/security-alerts/cpujul2022.html