Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration
CVE-2021-44832

6.6MEDIUM

Key Information:

Vendor
Apache
Status
Apache Log4j2
Vendor
CVE Published:
28 December 2021

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Affected Version(s)

Apache Log4j2 log4j-core < 2.17.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

log4j_RCE_CVE-2021-44832
Created by cckuailong

log4j
Created by name

References

https://tools.cisco.com/security/center/content/CiscoSecu...
vendor-advisoryx_refsource_CISCO
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9s...
x_refsource_MISC
https://issues.apache.org/jira/browse/LOG4J2-3293
x_refsource_MISC

CVSS V3.1

Score:
6.6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.