{"id":"CVE-2021-44832","details":"Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.","aliases":["GHSA-8489-44mv-ggj8"],"modified":"2026-04-16T04:36:04.845959398Z","published":"2021-12-28T20:15:08.400Z","related":["openSUSE-SU-2021:4208-1","openSUSE-SU-2022:0002-1","openSUSE-SU-2024:11702-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220104-0001/"},{"type":"ADVISORY","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/12/28/1"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"},{"type":"ADVISORY","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"FIX","url":"https://issues.apache.org/jira/browse/LOG4J2-3293"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/logging-log4j2","events":[{"introduced":"6b788facd3479dfe9052b3a5e13f6603dce8c16f"},{"fixed":"dfc35cfb8bdbda7043439ac7027edfa2d400b5c2"},{"introduced":"383a8194acab4a740d22b69c023ca3af6cb9c664"},{"fixed":"e67bf55e72a54e564ebc822964589f252611ed1a"},{"introduced":"9dcb1823a0a0192f2016daf7c1445ddfb3435fbf"},{"fixed":"11dafda0c43eb31cca67f3b0ed0ca9b81780db76"},{"introduced":"0"},{"last_affected":"8d9204a4b4c6016fa6b36513a46502689d6a45c1"}],"database_specific":{"versions":[{"introduced":"2.0.1"},{"fixed":"2.3.2"},{"introduced":"2.4"},{"fixed":"2.12.4"},{"introduced":"2.13.0"},{"fixed":"2.17.1"},{"introduced":"0"},{"last_affected":"2.0-NA"}]}}],"versions":["log4j-2.0","log4j-2.1","log4j-2.1-rc2","log4j-2.1-rc3","log4j-2.10-rc1","log4j-2.10.0","log4j-2.11.0","log4j-2.11.0-rc1","log4j-2.11.1","log4j-2.11.1-rc1","log4j-2.11.2","log4j-2.11.2-rc1","log4j-2.11.2-rc2","log4j-2.11.2-rc3","log4j-2.12.0","log4j-2.12.0-rc1","log4j-2.12.0-rc2","log4j-2.12.1","log4j-2.12.1-rc1","log4j-2.12.2-rc1","log4j-2.12.3-rc1","log4j-2.13.0-rc2","log4j-2.13.1","log4j-2.13.1-rc1","log4j-2.13.1-rc2","log4j-2.13.2","log4j-2.13.2-rc1","log4j-2.13.3","log4j-2.13.3-rc1","log4j-2.14.0-rc1","log4j-2.14.1-rc1","log4j-2.15.0-rc1","log4j-2.15.0-rc2","log4j-2.15.1-rc1","log4j-2.16.0-rc1","log4j-2.17.0-rc1","log4j-2.3","log4j-2.3.1-rc1","log4j-2.4","log4j-2.4.1","log4j-2.5","log4j-2.5-rc1","log4j-2.7","log4j-2.7-rc1","log4j-2.7-rc2","log4j-2.8","log4j-2.8-rc1","log4j-2.8.1","log4j-2.8.1-rc1","log4j-2.9-rc1","log4j-2.9.0","log4j-2.9.1-rc1","rel/2.0","rel/2.1","rel/2.10.0","rel/2.11.0","rel/2.11.1","rel/2.11.2","rel/2.12.0","rel/2.12.1","rel/2.12.2","rel/2.12.3","rel/2.13.0","rel/2.13.1","rel/2.13.2","rel/2.13.3","rel/2.14.0","rel/2.14.1","rel/2.15.0","rel/2.16.0","rel/2.17.0","rel/2.3","rel/2.3.1","rel/2.4","rel/2.4.1","rel/2.5","rel/2.7","rel/2.8","rel/2.8.1","rel/2.9.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2.0-beta7"}]},{"events":[{"introduced":"0"},{"last_affected":"2.0-beta8"}]},{"events":[{"introduced":"0"},{"last_affected":"2.0-beta9"}]},{"events":[{"introduced":"0"},{"last_affected":"2.0-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.0-rc2"}]},{"events":[{"introduced":"8.0.0.0"},{"last_affected":"8.5.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.4"}]},{"events":[{"introduced":"17.12.0"},{"last_affected":"17.12.11"}]},{"events":[{"introduced":"18.8.0"},{"last_affected":"18.8.13"}]},{"events":[{"introduced":"19.12.0"},{"last_affected":"19.12.12"}]},{"events":[{"introduced":"20.12.0"},{"last_affected":"20.12.7"}]},{"events":[{"introduced":"0"},{"last_affected":"21.12.0"}]},{"events":[{"introduced":"19.12.0"},{"last_affected":"19.12.18.0"}]},{"events":[{"introduced":"20.12.0.0"},{"last_affected":"20.12.12.0"}]},{"events":[{"introduced":"0"},{"last_affected":"21.12.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"18.8"}]},{"events":[{"introduced":"0"},{"last_affected":"19.12"}]},{"events":[{"introduced":"0"},{"last_affected":"20.12"}]},{"events":[{"introduced":"0"},{"last_affected":"21.12"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"14.2"}]},{"events":[{"introduced":"0"},{"last_affected":"21.12"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.1.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.10.0.16"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"35"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"fixed":"12.0.0.4.6"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.5.0"}]},{"events":[{"introduced":"8.3.0.0"},{"last_affected":"8.5.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.4"}]},{"events":[{"introduced":"0"},{"fixed":"12.0.0.4.4"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.5.2.1"}]},{"events":[{"introduced":"0"},{"last_affected":"3.0.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"3.1.0.3"}]},{"events":[{"introduced":"12.2.0"},{"last_affected":"12.2.24"}]},{"events":[{"introduced":"12.2.0"},{"last_affected":"12.2.24"}]},{"events":[{"introduced":"17.12.0"},{"last_affected":"17.12.11"}]},{"events":[{"introduced":"18.8.0"},{"last_affected":"18.8.13"}]},{"events":[{"introduced":"19.12.0"},{"last_affected":"19.12.12"}]},{"events":[{"introduced":"20.12.0"},{"last_affected":"20.12.7"}]},{"events":[{"introduced":"0"},{"last_affected":"21.12.0"}]},{"events":[{"introduced":"19.12.0.0"},{"last_affected":"19.12.18.0"}]},{"events":[{"introduced":"20.12.0.0"},{"last_affected":"20.12.12.0"}]},{"events":[{"introduced":"0"},{"last_affected":"21.12.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"18.8"}]},{"events":[{"introduced":"0"},{"last_affected":"19.12"}]},{"events":[{"introduced":"0"},{"last_affected":"20.12"}]},{"events":[{"introduced":"0"},{"last_affected":"21.12"}]},{"events":[{"introduced":"0"},{"last_affected":"3.6.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.1"}]},{"events":[{"introduced":"0"},{"last_affected":"17.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"20.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"21.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"21.12"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.1.0.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-44832.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}