Vulnerability-Lookup

SESB-2021-347-01

Vulnerability from csaf_se - Published: 2021-12-13 09:22 - Updated: 2022-08-09 09:22

Summary

Apache Log4j Vulnerabilities (Log4Shell)

Notes

General Security Recommendations

We strongly recommend the following industry cybersecurity best practices. https://www.se.com/us/en/download/document/7EN52-0390/ * Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network. * Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks. * Place all controllers in locked cabinets and never leave them in the “Program” mode. * Never connect programming software to any network other than the network intended for that device. * Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks. * Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation. * Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet. * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices. For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

For More Information

This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process. For further information related to cybersecurity in Schneider Electric’s products, visit the company’s cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp

LEGAL DISCLAIMER

THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS “NOTIFICATION”) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION

About Schneider Electric

At Schneider, we believe access to energy and digital is a basic human right. We empower all to do more with less, ensuring Life Is On everywhere, for everyone, at every moment. We provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries. We are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate with our Meaningful Purpose, Inclusive and Empowered values. www.se.com

Overview

Schneider Electric is aware of the vulnerabilities impacting Apache Log4j, including CVE-2021-44228, also known as Log4Shell. Our cybersecurity team is actively investigating the impact of the vulnerability on Schneider Electric offers and will continuously update this notification as information becomes available. In the meantime, customers should immediately ensure they have implemented cybersecurity best practices across their operations to protect themselves from exploitation of this vulnerability. Where appropriate, this includes locating their systems and remotely accessible devices behind firewalls; installing physical controls to prevent unauthorized access; preventing mission-critical systems and devices from being accessed from outside networks; and following the recommended mitigations and general security recommendations below. Please subscribe to the Schneider Electric security notification service to be informed of critical updates to this notification, including information on affected products and remediation plans: https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp For additional information and support, please contact your Schneider Electric sales or service representative or Schneider Electric’s Customer Care Center. August 2022 Update: Remediation update for Eurotherm Data Reviewer.

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "We strongly recommend the following industry cybersecurity best practices.\n\nhttps://www.se.com/us/en/download/document/7EN52-0390/\n* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.\n* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.\n* Place all controllers in locked cabinets and never leave them in the \u201cProgram\u201d mode.\n* Never connect programming software to any network other than the network intended for that device.\n* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.\n* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.\n* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.\n* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.\nFor more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. \n",
        "title": "General Security Recommendations"
      },
      {
        "category": "general",
        "text": "This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process.\nFor further information related to cybersecurity in Schneider Electric\u2019s products, visit the company\u2019s cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp",
        "title": "For More Information"
      },
      {
        "category": "legal_disclaimer",
        "text": "THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS \u201cNOTIFICATION\u201d) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN \u201cAS-IS\u201d BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND.  SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION",
        "title": "LEGAL DISCLAIMER"
      },
      {
        "category": "general",
        "text": "At Schneider, we believe access to energy and digital is a basic human right. We empower all to do more with less, ensuring Life Is On everywhere, for everyone, at every moment.\n\nWe provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries.\n\nWe are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate with our Meaningful Purpose, Inclusive and Empowered values.\n\nwww.se.com ",
        "title": "About Schneider Electric"
      },
      {
        "category": "summary",
        "text": "Schneider Electric is aware of the vulnerabilities impacting Apache Log4j, including CVE-2021-44228, also known as Log4Shell. Our cybersecurity team is actively investigating the impact of the vulnerability on Schneider Electric offers and will continuously update this notification as information becomes available.\r\nIn the meantime, customers should immediately ensure they have implemented cybersecurity best practices across their operations to protect themselves from exploitation of this vulnerability. Where appropriate, this includes locating their systems and remotely accessible devices behind firewalls; installing physical controls to prevent unauthorized access; preventing mission-critical systems and devices from being accessed from outside networks; and following the recommended mitigations and general security recommendations below.\r\nPlease subscribe to the Schneider Electric security notification service to be informed of critical updates to this notification, including information on affected products and remediation plans:\r\nhttps://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp\r\nFor additional information and support, please contact your Schneider Electric sales or service representative or Schneider Electric\u2019s Customer Care Center.\r\nAugust 2022 Update: Remediation update for Eurotherm Data Reviewer.",
        "title": "Overview"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "cybersecurity@se.com",
      "name": "Schneider Electric CPCERT",
      "namespace": "https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp"
    },
    "references": [
      {
        "category": "self",
        "summary": "Apache Log4j Vulnerabilities (Log4Shell) - SESB-2021-347-01 PDF Version",
        "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SESB-2021-347-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SESB-2021-347-01_Apache_Log4j_Log4Shell_Vulnerabilities_Security_Notification.pdf"
      },
      {
        "category": "self",
        "summary": "Apache Log4j Vulnerabilities (Log4Shell) - SESB-2021-347-01 CSAF Version",
        "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SESB-2021-347-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=sesb-2021-347-01.json"
      },
      {
        "category": "external",
        "summary": "Recommended Cybersecurity Best Practices",
        "url": "https://www.se.com/us/en/download/document/7EN52-0390/"
      }
    ],
    "title": "Apache Log4j Vulnerabilities (Log4Shell)",
    "tracking": {
      "current_release_date": "2022-08-09T09:22:58.000Z",
      "generator": {
        "date": "2022-10-06T11:41:22.636Z",
        "engine": {
          "name": "Schneider Electric CSAF Generator",
          "version": "1.2"
        }
      },
      "id": "SESB-2021-347-01",
      "initial_release_date": "2021-12-13T09:22:58.000Z",
      "revision_history": [
        {
          "date": "2021-12-13T09:22:58.000Z",
          "number": "1.0.0",
          "summary": "Original Release"
        },
        {
          "date": "2021-12-15T09:22:58.000Z",
          "number": "2.0.0",
          "summary": "EcoStruxure\u2122 IT Gateway and EcoStruxure\u2122 IT Expert added to available remediations section"
        },
        {
          "date": "2021-12-16T09:22:58.000Z",
          "number": "3.0.0",
          "summary": "APC PowerChute Business Edition and APC PowerChute Network Shutdown added to affected products section"
        },
        {
          "date": "2021-12-17T09:22:58.000Z",
          "number": "4.0.0",
          "summary": "Overview updated to include CVE-2021-45046, Facility Expert Small Business and Wiser by SE platform added to list of available remediations, EASYFIT, Ecoreal XL, Eurotherm Data Reviewer, MSE, NetBotz750/75, NEW630, SDK BOM, SDK-Docgen, SDK-TNC, SDK-UMS, SDK3D-2DRenderer, SDK3D-360Widget, SNC-API, SNC-CMM, SNC-SEMTECH, SPIMV3, SWBEditor, SWBEngine added to list of affected products."
        },
        {
          "date": "2021-12-21T09:22:58.000Z",
          "number": "5.0.0",
          "summary": "CVE-2021-4104 added to the scope of this security notification."
        },
        {
          "date": "2021-12-23T09:22:58.000Z",
          "number": "6.0.0",
          "summary": "-Updated information for Facility Expert SmallBusiness and Wiser by SE Platform in availableremediations section (page 3)\r\n-Workplace Advisor added to list of affectedoffers (page 7)"
        },
        {
          "date": "2021-12-23T09:22:58.000Z",
          "number": "7.0.0",
          "summary": "-Updated information for Facility Expert SmallBusiness and Wiser by SE Platform and addedHarmony Configurator, MSE, NetBotz750/755,SDK-Docgen, SDK-UMS, SNC-API, SNC-CMM,SNC-SEMTECH to list available remediations.(page 3-4)\r\n-Upon further investigation the following productshave been determined to not be affected by theLog4j vulnerabilities and have been removedfrom the list of affected offers: EASYFIT,Ecoreal XL, NEW630, SDK BOM, SDK-TNC ,SDK3D-2DRenderer, SDK3D-360Widget,SPIMV3, SWBEditor, SWBEngine"
        },
        {
          "date": "2021-12-24T09:22:58.000Z",
          "number": "8.0.0",
          "summary": "Added TwinBus IP (formerly Digides 2.0) and Select and Config DATA to list available remediations. (page 3 and 4)"
        },
        {
          "date": "2021-12-29T09:22:58.000Z",
          "number": "8.1.0",
          "summary": "Added CVE-2021-44832 to the scope of this security notification (page 1)"
        },
        {
          "date": "2022-01-13T09:22:58.000Z",
          "number": "9.0.0",
          "summary": "Remediations updated for EcoStruxure\u2122 IT Gateway \u0026 EcoStruxure\u2122 IT Expert to address CVE-2021-45105."
        },
        {
          "date": "2022-02-01T09:22:58.000Z",
          "number": "10.0.0",
          "summary": "Netbotz remediation updated due to stability issue on version 5.3.1."
        },
        {
          "date": "2022-03-08T09:22:58.000Z",
          "number": "11.0.0",
          "summary": "Remediation available for APC PowerChute Business Edition, APC PowerChute Network Edition, and EMA Server."
        },
        {
          "date": "2022-03-30T09:22:58.000Z",
          "number": "12.0.0",
          "summary": "Remediation update for Workplace Advisor."
        },
        {
          "date": "2022-08-09T09:22:58.000Z",
          "number": "13.0.0",
          "summary": "Remediation update for Eurotherm Data Reviewer."
        },
        {
          "date": "2022-11-10T00:00:00.000Z",
          "number": "14.0.0",
          "summary": "A remediation is now available for Netbotz 750/755"
        }
      ],
      "status": "final",
      "version": "14.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "9.5",
                "product": {
                  "name": "Schneider Electric APC PowerChute Business Edition version 9.5",
                  "product_id": "CSAFPID-0001"
                }
              },
              {
                "category": "product_version",
                "name": "10.0",
                "product": {
                  "name": "Schneider Electric APC PowerChute Business Edition version 10.0",
                  "product_id": "CSAFPID-0002"
                }
              },
              {
                "category": "product_version",
                "name": "10.0.1",
                "product": {
                  "name": "Schneider Electric APC PowerChute Business Edition version 10.0.1",
                  "product_id": "CSAFPID-0003"
                }
              },
              {
                "category": "product_version",
                "name": "10.0.2",
                "product": {
                  "name": "Schneider Electric APC PowerChute Business Edition version 10.0.2",
                  "product_id": "CSAFPID-0004"
                }
              },
              {
                "category": "product_version",
                "name": "10.0.3",
                "product": {
                  "name": "Schneider Electric APC PowerChute Business Edition version 10.0.3",
                  "product_id": "CSAFPID-0005"
                }
              },
              {
                "category": "product_version",
                "name": "10.0.4",
                "product": {
                  "name": "Schneider Electric APC PowerChute Business Edition version 10.0.4",
                  "product_id": "CSAFPID-0006"
                }
              },
              {
                "category": "product_version",
                "name": "10.0.5",
                "product": {
                  "name": "Schneider Electric APC PowerChute Business Edition version 10.0.5",
                  "product_id": "CSAFPID-0007"
                }
              }
            ],
            "category": "product_name",
            "name": "APC PowerChute Business Edition"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "4.4.1",
                "product": {
                  "name": "Schneider Electric APC PowerChute Network Shutdown (PCNS) version 4.4.1",
                  "product_id": "CSAFPID-0008"
                }
              },
              {
                "category": "product_version",
                "name": "4.4",
                "product": {
                  "name": "Schneider Electric APC PowerChute Network Shutdown (PCNS) version 4.4",
                  "product_id": "CSAFPID-0009"
                }
              },
              {
                "category": "product_version",
                "name": "4.3",
                "product": {
                  "name": "Schneider Electric APC PowerChute Network Shutdown (PCNS) version 4.3",
                  "product_id": "CSAFPID-0010"
                }
              },
              {
                "category": "product_version",
                "name": "4.2",
                "product": {
                  "name": "Schneider Electric APC PowerChute Network Shutdown (PCNS) version 4.2",
                  "product_id": "CSAFPID-0011"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003e=4.5",
                "product": {
                  "name": "Schneider Electric APC PowerChute Network Shutdown (PCNS) version 4.5 and earlier",
                  "product_id": "CSAFPID-0012"
                }
              }
            ],
            "category": "product_name",
            "name": "APC PowerChute Network Shutdown (PCNS)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=1.5.0|\u003e=1.13.1.5",
                "product": {
                  "name": "Schneider Electric EcoStruxure\u2122 IT Gateway \u003c=1.5.0|\u003e=1.13.1.5",
                  "product_id": "CSAFPID-0013"
                }
              },
              {
                "category": "product_version",
                "name": "1.13.2.3",
                "product": {
                  "name": "Schneider Electric EcoStruxure\u2122 IT Gateway version 1.13.2.3",
                  "product_id": "CSAFPID-0014"
                }
              }
            ],
            "category": "product_name",
            "name": "EcoStruxure\u2122 IT Gateway"
          },
          {
            "category": "product_name",
            "name": "EcoStruxure\u2122 IT Expert Cloud",
            "product": {
              "name": "Schneider Electric EcoStruxure\u2122 IT Expert Cloud",
              "product_id": "CSAFPID-0015"
            }
          },
          {
            "category": "product_name",
            "name": "EMA Server Cloud",
            "product": {
              "name": "Schneider Electric EMA Server Cloud",
              "product_id": "CSAFPID-0016"
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=3.0.2",
                "product": {
                  "name": "Schneider Electric Eurotherm Data Reviewer software version 3.0.2 and prior",
                  "product_id": "CSAFPID-0017"
                }
              },
              {
                "category": "product_version",
                "name": "4.0.0",
                "product": {
                  "name": "Schneider Electric Eurotherm Data Reviewer software version 4.0.0",
                  "product_id": "CSAFPID-0018"
                }
              }
            ],
            "category": "product_name",
            "name": "Eurotherm Data Reviewer software"
          },
          {
            "category": "product_name",
            "name": "Facility Expert Small Business Cloud",
            "product": {
              "name": "Schneider Electric Facility Expert Small Business Cloud",
              "product_id": "CSAFPID-0019"
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=33",
                "product": {
                  "name": "Schneider Electric Harmony Configurator version 33 and prior",
                  "product_id": "CSAFPID-0020"
                }
              }
            ],
            "category": "product_name",
            "name": "Harmony Configurator"
          },
          {
            "category": "product_name",
            "name": "MSE Cloud",
            "product": {
              "name": "Schneider Electric MSE Cloud",
              "product_id": "CSAFPID-0021"
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=5.0|\u003e=5.3.0",
                "product": {
                  "name": "Schneider Electric NetBotz 750/755 \u003c=5.0|\u003e=5.3.0",
                  "product_id": "CSAFPID-0022"
                }
              }
            ],
            "category": "product_name",
            "name": "NetBotz 750/755"
          },
          {
            "category": "product_name",
            "name": "SDK-Docgen Cloud",
            "product": {
              "name": "Schneider Electric SDK-Docgen Cloud",
              "product_id": "CSAFPID-0023"
            }
          },
          {
            "category": "product_name",
            "name": "SDK-UMS Cloud",
            "product": {
              "name": "Schneider Electric SDK-UMS Cloud",
              "product_id": "CSAFPID-0024"
            }
          },
          {
            "category": "product_name",
            "name": "Select and Config DATA Cloud",
            "product": {
              "name": "Schneider Electric Select and Config DATA Cloud",
              "product_id": "CSAFPID-0025"
            }
          },
          {
            "category": "product_name",
            "name": "SNC-API Cloud",
            "product": {
              "name": "Schneider Electric SNC-API Cloud",
              "product_id": "CSAFPID-0026"
            }
          },
          {
            "category": "product_name",
            "name": "SNC-CMM Cloud",
            "product": {
              "name": "Schneider Electric SNC-CMM Cloud",
              "product_id": "CSAFPID-0027"
            }
          },
          {
            "category": "product_name",
            "name": "SNC-SEMTECH Cloud",
            "product": {
              "name": "Schneider Electric SNC-SEMTECH Cloud",
              "product_id": "CSAFPID-0028"
            }
          },
          {
            "category": "product_name",
            "name": "TwinBus IP (formerly Digides 2.0) Cloud",
            "product": {
              "name": "Schneider Electric TwinBus IP (formerly Digides 2.0) Cloud",
              "product_id": "CSAFPID-0029"
            }
          },
          {
            "category": "product_name",
            "name": "Workplace Advisor",
            "product": {
              "name": "Schneider Electric Workplace Advisor",
              "product_id": "CSAFPID-0030"
            }
          },
          {
            "category": "product_name",
            "name": "Wiser\u2122 by SE Platform Cloud",
            "product": {
              "name": "Schneider Electric Wiser\u2122 by SE Platform Cloud",
              "product_id": "CSAFPID-0031"
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=3.0.2",
                "product": {
                  "name": "Schneider Electric Eurotherm Data Reviewer version 3.0.2 and prior",
                  "product_id": "CSAFPID-0032"
                }
              }
            ],
            "category": "product_name",
            "name": "Eurotherm Data Reviewer"
          }
        ],
        "category": "vendor",
        "name": "Schneider Electric"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-44228",
      "notes": [
        {
          "category": "details",
          "text": "Log4j is an open-source Java logging library developed by the Apache Foundation which is widely used by both enterprise applications and cloud services. The recent Apache Log4j vulnerabilities are listed below and have ratings ranging from High to Critical. CVE-2021-44228 (Log4Shell), received a rating of Critical and can allow an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers and other JNDI related endpoints when message lookup substitution is enabled. Exploitation could allow for unauthenticated remote code execution (RCE) and possibly access to servers. Additional CVEs within the scope of this security notification:\nCVE-2021-44228\nCVE-2021-45046\nCVE-2021-45105\nCVE-2021-4104\nCVE-2021-44832\nFor more information, please visit the Apache logging services log4j security page https://logging.apache.org/log4j/2.x/security.html."
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0007",
          "CSAFPID-0012",
          "CSAFPID-0014",
          "CSAFPID-0015",
          "CSAFPID-0016",
          "CSAFPID-0018",
          "CSAFPID-0019",
          "CSAFPID-0021",
          "CSAFPID-0022",
          "CSAFPID-0023",
          "CSAFPID-0024",
          "CSAFPID-0025",
          "CSAFPID-0026",
          "CSAFPID-0027",
          "CSAFPID-0028",
          "CSAFPID-0029",
          "CSAFPID-0030",
          "CSAFPID-0031"
        ],
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0008",
          "CSAFPID-0009",
          "CSAFPID-0010",
          "CSAFPID-0011",
          "CSAFPID-0013",
          "CSAFPID-0017",
          "CSAFPID-0020"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update SDK-UMS to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0024"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update Select and Config DATA to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0025"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update SNC-API to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0026"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update SNC-CMM to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0027"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update SNC-SEMTECH to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0028"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update TwinBus IP to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0029"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update Workplace Advisor to Log4j 2.17.\r\nThese fixes were deployed implemented on all public facing portals on January 14, 2022 and require no action from customers.",
          "product_ids": [
            "CSAFPID-0030"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update the Wiser by SE Platform to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0031"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric is establishing a remediation plan for all future versions of Eurotherm Data Reviewer that will include a fix for this vulnerability. We will update this document when the remediation is available. Until then, customers should immediately apply the mitigations found in the document below to reduce the risk of exploit:\r\nhttps://download.schneider-electric.com/files?p_Doc_Ref=EDR-Log4Shell-Mitigations\r\nThe above settings change will not alter the behavior of the Eurotherm Data Reviewer software\r\nNote: Eurotherm Data Reviewer uses a defense-in-depth strategy for security. It is currently not possible to exploit this vulnerability without logging into the server hosting Reviewer with administrator privileges",
          "product_ids": [
            "CSAFPID-0032"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=EDR-Log4Shell-Mitigations"
        },
        {
          "category": "mitigation",
          "details": "Customers should use an IoT/OT-aware network detection and response (NDR) solution and SIEM/SOAR solution to auto-discover and continuously monitor devices for anomalous or unauthorized behaviors, such as communication with unfamiliar local or remote hosts.",
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "PowerChute Business Edition V10.0.5 has been updated with log4j V 2.17.0 which includes a fix for these vulnerabilities and can be downloaded here: https://www.apc.com/shop/us/en/products/PowerChute-Business-Edition-v10-0-5/P-SFPCBE1005\n10.0.5 Release Notes:\nhttps://download.schneider-electric.com/files?p_File_Name=990-3029P-EN.pdf\u0026p_Doc_Ref=SPD_CCON-AT6CWT_EN\u0026p_enDocType=User+guide\nFor more information, please see this FAQ: https://www.apc.com/my/en/faqs/FAQ000229596/",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006"
          ],
          "url": "https://www.apc.com/shop/us/en/products/PowerChute-Business-Edition-v10-0-5/P-SFPCBE1005"
        },
        {
          "category": "vendor_fix",
          "details": "For PowerChute Network Shutdown customers who would like to use Dell VxRail enabled NMC cards, please update to version PCNS 4.5 or later, which includes a fix for these vulnerabilities. Otherwise, customers on PowerChute Network Shutdown versions 4.3, 4.4, and 4.4.1 should follow these remediations steps:\n\u2022Download the corresponding V4.4.1.1, 4.4.0.1,4.3.0.1 scripts and follow the instructions available athttps://www.apc.com/my/en/faqs/FAQ000229596/.\n\u2022These scripts remove the vulnerable log4j files andreplace them with log4j V2.17.1 files, which include afix for these vulnerabilities.",
          "product_ids": [
            "CSAFPID-0008",
            "CSAFPID-0009",
            "CSAFPID-0010",
            "CSAFPID-0011"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Version 1.13.2.3 of EcoStruxure\u2122 IT Gateway has been\nupdated with log4j V2.17.0, which includes a fix for these\nvulnerabilities, and is available via automatic update if\nenabled.\nUpdate manually by logging into EcoStruxureit.com, or by downloading the update directly from here: https://EcoStruxureit.com/download-and-set-up-EcoStruxurit-gateway/",
          "product_ids": [
            "CSAFPID-0013"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "The cloud-based EcoStruxure\u2122 IT Expert has been updated has been updated with log4j V2.17, which includes a fix for these vulnerabilities.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0015"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update EMA Server cloud offer to Log4j2.17.1.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0016"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Version 4.0.0of Eurotherm Data Reviewer includes a fix for this vulnerability and is available for download here:\nhttps://www.eurotherm.com/?wpdmdl=78469",
          "product_ids": [
            "CSAFPID-0017"
          ],
          "url": "https://www.eurotherm.com/?wpdmdl=78469"
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update the Facility Expert Small Business cloud application to Log4j 2.17.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0019"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Harmony Configurator has been updated with log4j V2.17, which includes a fix for these vulnerabilities.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0020"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update MSE to Log4j 2.17.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0021"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For software V5.0.1 - 5.3.x of Netbotz 750/755 there is a patch that includes a fix for this vulnerability.\nThe patch is available thru your local tech support who can be reached here: https://www.se.com/ww/en/work/support/country-selector/contact-us.jsp",
          "product_ids": [
            "CSAFPID-0022"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update SDK-Docgen to Log4j 2.17.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0023"
          ]
        }
      ],
      "title": "CVE-2021-44228"
    },
    {
      "cve": "CVE-2021-45046",
      "notes": [
        {
          "category": "details",
          "text": "Log4j is an open-source Java logging library developed by the Apache Foundation which is widely used by both enterprise applications and cloud services. The recent Apache Log4j vulnerabilities are listed below and have ratings ranging from High to Critical. CVE-2021-44228 (Log4Shell), received a rating of Critical and can allow an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers and other JNDI related endpoints when message lookup substitution is enabled. Exploitation could allow for unauthenticated remote code execution (RCE) and possibly access to servers. Additional CVEs within the scope of this security notification:\nCVE-2021-44228\nCVE-2021-45046\nCVE-2021-45105\nCVE-2021-4104\nCVE-2021-44832\nFor more information, please visit the Apache logging services log4j security page https://logging.apache.org/log4j/2.x/security.html."
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0015",
          "CSAFPID-0019",
          "CSAFPID-0021",
          "CSAFPID-0022",
          "CSAFPID-0023",
          "CSAFPID-0024",
          "CSAFPID-0025",
          "CSAFPID-0026",
          "CSAFPID-0027",
          "CSAFPID-0028",
          "CSAFPID-0029",
          "CSAFPID-0031"
        ],
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0008",
          "CSAFPID-0009",
          "CSAFPID-0010",
          "CSAFPID-0011",
          "CSAFPID-0013",
          "CSAFPID-0020"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update SDK-UMS to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0024"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update Select and Config DATA to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0025"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update SNC-API to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0026"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update SNC-CMM to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0027"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update SNC-SEMTECH to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0028"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update TwinBus IP to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0029"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update the Wiser by SE Platform to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0031"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric is establishing a remediation plan for all future versions of Eurotherm Data Reviewer that will include a fix for this vulnerability. We will update this document when the remediation is available. Until then, customers should immediately apply the mitigations found in the document below to reduce the risk of exploit:\r\nhttps://download.schneider-electric.com/files?p_Doc_Ref=EDR-Log4Shell-Mitigations\r\nThe above settings change will not alter the behavior of the Eurotherm Data Reviewer software\r\nNote: Eurotherm Data Reviewer uses a defense-in-depth strategy for security. It is currently not possible to exploit this vulnerability without logging into the server hosting Reviewer with administrator privileges",
          "product_ids": [
            "CSAFPID-0032"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=EDR-Log4Shell-Mitigations"
        },
        {
          "category": "mitigation",
          "details": "Customers should use an IoT/OT-aware network detection and response (NDR) solution and SIEM/SOAR solution to auto-discover and continuously monitor devices for anomalous or unauthorized behaviors, such as communication with unfamiliar local or remote hosts.",
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "PowerChute Business Edition V10.0.5 has been updated with log4j V 2.17.0 which includes a fix for these vulnerabilities and can be downloaded here: https://www.apc.com/shop/us/en/products/PowerChute-Business-Edition-v10-0-5/P-SFPCBE1005\n10.0.5 Release Notes:\nhttps://download.schneider-electric.com/files?p_File_Name=990-3029P-EN.pdf\u0026p_Doc_Ref=SPD_CCON-AT6CWT_EN\u0026p_enDocType=User+guide\nFor more information, please see this FAQ: https://www.apc.com/my/en/faqs/FAQ000229596/",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006"
          ],
          "url": "https://www.apc.com/shop/us/en/products/PowerChute-Business-Edition-v10-0-5/P-SFPCBE1005"
        },
        {
          "category": "vendor_fix",
          "details": "For PowerChute Network Shutdown customers who would like to use Dell VxRail enabled NMC cards, please update to version PCNS 4.5 or later, which includes a fix for these vulnerabilities. Otherwise, customers on PowerChute Network Shutdown versions 4.3, 4.4, and 4.4.1 should follow these remediations steps:\n\u2022Download the corresponding V4.4.1.1, 4.4.0.1,4.3.0.1 scripts and follow the instructions available athttps://www.apc.com/my/en/faqs/FAQ000229596/.\n\u2022These scripts remove the vulnerable log4j files andreplace them with log4j V2.17.1 files, which include afix for these vulnerabilities.",
          "product_ids": [
            "CSAFPID-0008",
            "CSAFPID-0009",
            "CSAFPID-0010",
            "CSAFPID-0011"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Version 1.13.2.3 of EcoStruxure\u2122 IT Gateway has been\nupdated with log4j V2.17.0, which includes a fix for these\nvulnerabilities, and is available via automatic update if\nenabled.\nUpdate manually by logging into EcoStruxureit.com, or by downloading the update directly from here: https://EcoStruxureit.com/download-and-set-up-EcoStruxurit-gateway/",
          "product_ids": [
            "CSAFPID-0013"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "The cloud-based EcoStruxure\u2122 IT Expert has been updated has been updated with log4j V2.17, which includes a fix for these vulnerabilities.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0015"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update the Facility Expert Small Business cloud application to Log4j 2.17.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0019"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Harmony Configurator has been updated with log4j V2.17, which includes a fix for these vulnerabilities.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0020"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update MSE to Log4j 2.17.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0021"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For software V5.0.1 - 5.3.x of Netbotz 750/755 there is a patch that includes a fix for this vulnerability.\nThe patch is available thru your local tech support who can be reached here: https://www.se.com/ww/en/work/support/country-selector/contact-us.jsp",
          "product_ids": [
            "CSAFPID-0022"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update SDK-Docgen to Log4j 2.17.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0023"
          ]
        }
      ],
      "title": "CVE-2021-45046"
    },
    {
      "cve": "CVE-2021-45105",
      "notes": [
        {
          "category": "details",
          "text": "Log4j is an open-source Java logging library developed by the Apache Foundation which is widely used by both enterprise applications and cloud services. The recent Apache Log4j vulnerabilities are listed below and have ratings ranging from High to Critical. CVE-2021-44228 (Log4Shell), received a rating of Critical and can allow an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers and other JNDI related endpoints when message lookup substitution is enabled. Exploitation could allow for unauthenticated remote code execution (RCE) and possibly access to servers. Additional CVEs within the scope of this security notification:\nCVE-2021-44228\nCVE-2021-45046\nCVE-2021-45105\nCVE-2021-4104\nCVE-2021-44832\nFor more information, please visit the Apache logging services log4j security page https://logging.apache.org/log4j/2.x/security.html."
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0007",
          "CSAFPID-0012",
          "CSAFPID-0015",
          "CSAFPID-0019",
          "CSAFPID-0021",
          "CSAFPID-0022",
          "CSAFPID-0023",
          "CSAFPID-0024",
          "CSAFPID-0025",
          "CSAFPID-0026",
          "CSAFPID-0027",
          "CSAFPID-0028",
          "CSAFPID-0029",
          "CSAFPID-0031"
        ],
        "known_affected": [
          "CSAFPID-0013",
          "CSAFPID-0020"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update SDK-UMS to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0024"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update Select and Config DATA to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0025"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update SNC-API to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0026"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update SNC-CMM to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0027"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update SNC-SEMTECH to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0028"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update TwinBus IP to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0029"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update the Wiser by SE Platform to Log4j 2.17.\r\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0031"
          ],
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "mitigation",
          "details": "Customers should use an IoT/OT-aware network detection and response (NDR) solution and SIEM/SOAR solution to auto-discover and continuously monitor devices for anomalous or unauthorized behaviors, such as communication with unfamiliar local or remote hosts.",
          "restart_required": {
            "category": "none"
          }
        },
        {
          "category": "vendor_fix",
          "details": "Version 1.13.2.3 of EcoStruxure\u2122 IT Gateway has been\nupdated with log4j V2.17.0, which includes a fix for these\nvulnerabilities, and is available via automatic update if\nenabled.\nUpdate manually by logging into EcoStruxureit.com, or by downloading the update directly from here: https://EcoStruxureit.com/download-and-set-up-EcoStruxurit-gateway/",
          "product_ids": [
            "CSAFPID-0013"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "The cloud-based EcoStruxure\u2122 IT Expert has been updated has been updated with log4j V2.17, which includes a fix for these vulnerabilities.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0015"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update the Facility Expert Small Business cloud application to Log4j 2.17.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0019"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Harmony Configurator has been updated with log4j V2.17, which includes a fix for these vulnerabilities.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0020"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update MSE to Log4j 2.17.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0021"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Schneider Electric has deployed a fix to update SDK-Docgen to Log4j 2.17.\nThese fixes have been deployed automatically and require no action from customers.",
          "product_ids": [
            "CSAFPID-0023"
          ]
        }
      ],
      "title": "CVE-2021-45105"
    },
    {
      "cve": "CVE-2021-4104",
      "notes": [
        {
          "category": "details",
          "text": "Log4j is an open-source Java logging library developed by the Apache Foundation which is widely used by both enterprise applications and cloud services. The recent Apache Log4j vulnerabilities are listed below and have ratings ranging from High to Critical. CVE-2021-44228 (Log4Shell), received a rating of Critical and can allow an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers and other JNDI related endpoints when message lookup substitution is enabled. Exploitation could allow for unauthenticated remote code execution (RCE) and possibly access to servers. Additional CVEs within the scope of this security notification:\nCVE-2021-44228\nCVE-2021-45046\nCVE-2021-45105\nCVE-2021-4104\nCVE-2021-44832\nFor more information, please visit the Apache logging services log4j security page https://logging.apache.org/log4j/2.x/security.html."
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0008",
          "CSAFPID-0009",
          "CSAFPID-0010",
          "CSAFPID-0011",
          "CSAFPID-0013",
          "CSAFPID-0017",
          "CSAFPID-0020"
        ]
      },
      "title": "CVE-2021-4104"
    },
    {
      "cve": "CVE-2021-44832",
      "notes": [
        {
          "category": "description",
          "text": "Log4j is an open-source Java logging library developed by the Apache Foundation which is widely used by both enterprise applications and cloud services. The recent Apache Log4j vulnerabilities are listed below and have ratings ranging from High to Critical. CVE-2021-44228 (Log4Shell), received a rating of Critical and can allow an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers and other JNDI related endpoints when message lookup substitution is enabled. Exploitation could allow for unauthenticated remote code execution (RCE) and possibly access to servers. Additional CVEs within the scope of this security notification:\nCVE-2021-44228\nCVE-2021-45046\nCVE-2021-45105\nCVE-2021-4104\nCVE-2021-44832\nFor more information, please visit the Apache logging services log4j security page https://logging.apache.org/log4j/2.x/security.html."
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0008",
          "CSAFPID-0009",
          "CSAFPID-0010",
          "CSAFPID-0011",
          "CSAFPID-0013",
          "CSAFPID-0017",
          "CSAFPID-0020"
        ]
      },
      "title": "CVE-2021-44832"
    }
  ]
}

CVE-2021-45046 (GCVE-0-2021-45046)

Vulnerability from cvelistv5 – Published: 2021-12-14 16:55 – Updated: 2025-10-21 23:25

Title

Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

Summary

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Severity ?

No CVSS data available.

CWE

CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Assigner

apache

References

URL

Tags

	https://psirt.global.sonicwall.com/vuln-detail/SN…	x_refsource_CONFIRM
	https://www.oracle.com/security-alerts/alert-cve-…	x_refsource_CONFIRM
	https://www.cve.org/CVERecord?id=CVE-2021-44228	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2021/12/14/4	mailing-listx_refsource_MLIST
	https://logging.apache.org/log4j/2.x/security.html	x_refsource_CONFIRM
	https://www.kb.cert.org/vuls/id/930724	third-party-advisoryx_refsource_CERT-VN
	https://cert-portal.siemens.com/productcert/pdf/s…	x_refsource_CONFIRM
	https://www.intel.com/content/www/us/en/security-…	x_refsource_CONFIRM
	https://tools.cisco.com/security/center/content/C…	vendor-advisoryx_refsource_CISCO
	http://www.openwall.com/lists/oss-security/2021/12/15/3	mailing-listx_refsource_MLIST
	https://cert-portal.siemens.com/productcert/pdf/s…	x_refsource_CONFIRM
	https://www.debian.org/security/2021/dsa-5022	vendor-advisoryx_refsource_DEBIAN
	http://www.openwall.com/lists/oss-security/2021/12/18/1	mailing-listx_refsource_MLIST
	https://cert-portal.siemens.com/productcert/pdf/s…	x_refsource_CONFIRM
	https://cert-portal.siemens.com/productcert/pdf/s…	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://www.oracle.com/security-alerts/cpujan2022.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC
	https://security.gentoo.org/glsa/202310-16

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Log4j	Affected: Apache Log4j2 , < 2.16.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:32:13.624Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
          },
          {
            "name": "[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://logging.apache.org/log4j/2.x/security.html"
          },
          {
            "name": "VU#930724",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/930724"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
          },
          {
            "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
          },
          {
            "name": "[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
          },
          {
            "name": "DSA-5022",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-5022"
          },
          {
            "name": "[oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
          },
          {
            "name": "FEDORA-2021-5c9d12a93e",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/"
          },
          {
            "name": "FEDORA-2021-abbe24e41c",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202310-16"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2021-45046",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T19:31:22.638704Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2023-05-01",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45046"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:25:22.768Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45046"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2023-05-01T00:00:00+00:00",
            "value": "CVE-2021-45046 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Log4j",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.16.0",
              "status": "affected",
              "version": "Apache Log4j2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "moderate (CVSS: 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-917",
              "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-26T06:06:18.017Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
        },
        {
          "name": "[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://logging.apache.org/log4j/2.x/security.html"
        },
        {
          "name": "VU#930724",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "https://www.kb.cert.org/vuls/id/930724"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
        },
        {
          "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
        },
        {
          "name": "[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
        },
        {
          "name": "DSA-5022",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-5022"
        },
        {
          "name": "[oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
        },
        {
          "name": "FEDORA-2021-5c9d12a93e",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/"
        },
        {
          "name": "FEDORA-2021-abbe24e41c",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "url": "https://security.gentoo.org/glsa/202310-16"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-45046",
          "STATE": "PUBLIC",
          "TITLE": "Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Log4j",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache Log4j2",
                            "version_value": "2.16.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "moderate (CVSS: 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032",
              "refsource": "CONFIRM",
              "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
            },
            {
              "name": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html",
              "refsource": "CONFIRM",
              "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
            },
            {
              "name": "https://www.cve.org/CVERecord?id=CVE-2021-44228",
              "refsource": "MISC",
              "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
            },
            {
              "name": "[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"
            },
            {
              "name": "https://logging.apache.org/log4j/2.x/security.html",
              "refsource": "CONFIRM",
              "url": "https://logging.apache.org/log4j/2.x/security.html"
            },
            {
              "name": "VU#930724",
              "refsource": "CERT-VN",
              "url": "https://www.kb.cert.org/vuls/id/930724"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
            },
            {
              "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html",
              "refsource": "CONFIRM",
              "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
            },
            {
              "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
            },
            {
              "name": "[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
            },
            {
              "name": "DSA-5022",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-5022"
            },
            {
              "name": "[oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
            },
            {
              "name": "FEDORA-2021-5c9d12a93e",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/"
            },
            {
              "name": "FEDORA-2021-abbe24e41c",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-45046",
    "datePublished": "2021-12-14T16:55:09.000Z",
    "dateReserved": "2021-12-14T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:25:22.768Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-4104 (GCVE-0-2021-4104)

Vulnerability from cvelistv5 – Published: 2021-12-14 00:00 – Updated: 2024-08-03 17:16

Title

Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

Summary

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Severity ?

No CVSS data available.

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

apache

References

URL

Tags

	https://www.cve.org/CVERecord?id=CVE-2021-44228
	https://github.com/apache/logging-log4j2/pull/608…
	https://access.redhat.com/security/cve/CVE-2021-4104
	https://www.kb.cert.org/vuls/id/930724	third-party-advisory
	http://www.openwall.com/lists/oss-security/2022/01/18/3	mailing-list
	https://www.oracle.com/security-alerts/cpujan2022.html
	https://psirt.global.sonicwall.com/vuln-detail/SN…
	https://security.netapp.com/advisory/ntap-2021122…
	https://www.oracle.com/security-alerts/cpuapr2022.html
	https://www.oracle.com/security-alerts/cpujul2022.html
	https://security.gentoo.org/glsa/202209-02	vendor-advisory
	https://security.gentoo.org/glsa/202310-16	vendor-advisory
	https://security.gentoo.org/glsa/202312-02	vendor-advisory
	https://security.gentoo.org/glsa/202312-04	vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Log4j 1.x	Affected: Apache Log4j 1.2 1.2.x

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:16:04.172Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
          },
          {
            "name": "VU#930724",
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/930724"
          },
          {
            "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20211223-0007/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "name": "GLSA-202209-02",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202209-02"
          },
          {
            "name": "GLSA-202310-16",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202310-16"
          },
          {
            "name": "GLSA-202312-02",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202312-02"
          },
          {
            "name": "GLSA-202312-04",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202312-04"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Log4j 1.x",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Log4j 1.2 1.2.x"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-22T09:06:15.357899",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
        },
        {
          "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
        },
        {
          "name": "VU#930724",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.kb.cert.org/vuls/id/930724"
        },
        {
          "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20211223-0007/"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "name": "GLSA-202209-02",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202209-02"
        },
        {
          "name": "GLSA-202310-16",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202310-16"
        },
        {
          "name": "GLSA-202312-02",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202312-02"
        },
        {
          "name": "GLSA-202312-04",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202312-04"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-4104",
    "datePublished": "2021-12-14T00:00:00",
    "dateReserved": "2021-12-13T00:00:00",
    "dateUpdated": "2024-08-03T17:16:04.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-44228 (GCVE-0-2021-44228)

Vulnerability from cvelistv5 – Published: 2021-12-10 00:00 – Updated: 2025-10-21 23:25

Title

Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Summary

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Severity ?

No CVSS data available.

CWE

CWE-502 - Deserialization of Untrusted Data
CWE-400 - Uncontrolled Resource Consumption
CWE-20 - Improper Input Validation

Assigner

apache

References

URL

Tags

	https://logging.apache.org/log4j/2.x/security.html
	http://www.openwall.com/lists/oss-security/2021/12/10/1	mailing-list
	http://www.openwall.com/lists/oss-security/2021/12/10/2	mailing-list
	https://tools.cisco.com/security/center/content/C…	vendor-advisory
	http://www.openwall.com/lists/oss-security/2021/12/10/3	mailing-list
	https://security.netapp.com/advisory/ntap-2021121…
	http://packetstormsecurity.com/files/165225/Apach…
	https://psirt.global.sonicwall.com/vuln-detail/SN…
	https://www.oracle.com/security-alerts/alert-cve-…
	https://www.debian.org/security/2021/dsa-5020	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2021…	mailing-list
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://msrc-blog.microsoft.com/2021/12/11/micros…	vendor-advisory
	http://www.openwall.com/lists/oss-security/2021/12/13/2	mailing-list
	http://www.openwall.com/lists/oss-security/2021/12/13/1	mailing-list
	http://www.openwall.com/lists/oss-security/2021/12/14/4	mailing-list
	https://tools.cisco.com/security/center/content/C…	vendor-advisory
	https://www.kb.cert.org/vuls/id/930724	third-party-advisory
	https://twitter.com/kurtseifried/status/146934553…
	https://cert-portal.siemens.com/productcert/pdf/s…
	http://packetstormsecurity.com/files/165260/VMwar…
	http://packetstormsecurity.com/files/165270/Apach…
	http://packetstormsecurity.com/files/165261/Apach…
	https://www.intel.com/content/www/us/en/security-…
	https://tools.cisco.com/security/center/content/C…	vendor-advisory
	http://www.openwall.com/lists/oss-security/2021/12/15/3	mailing-list
	http://packetstormsecurity.com/files/165282/Log4j…
	http://packetstormsecurity.com/files/165281/Log4j…
	http://packetstormsecurity.com/files/165307/Log4j…
	http://packetstormsecurity.com/files/165311/log4j…
	http://packetstormsecurity.com/files/165306/L4sh-…
	https://cert-portal.siemens.com/productcert/pdf/s…
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	http://packetstormsecurity.com/files/165371/VMwar…
	https://cert-portal.siemens.com/productcert/pdf/s…
	https://cert-portal.siemens.com/productcert/pdf/s…
	https://www.oracle.com/security-alerts/cpujan2022.html
	http://packetstormsecurity.com/files/165532/Log4S…
	https://github.com/cisagov/log4j-affected-db/blob…
	http://packetstormsecurity.com/files/165642/VMwar…
	http://packetstormsecurity.com/files/165673/UniFi…
	http://seclists.org/fulldisclosure/2022/Mar/23	mailing-list
	https://www.bentley.com/en/common-vulnerability-e…
	https://github.com/cisagov/log4j-affected-db
	https://support.apple.com/kb/HT213189
	https://www.oracle.com/security-alerts/cpuapr2022.html
	https://github.com/nu11secur1ty/CVE-mitre/tree/ma…
	https://www.nu11secur1ty.com/2021/12/cve-2021-442…
	http://seclists.org/fulldisclosure/2022/Jul/11	mailing-list
	http://packetstormsecurity.com/files/167794/Open-…
	http://packetstormsecurity.com/files/167917/Mobil…
	http://seclists.org/fulldisclosure/2022/Dec/2	mailing-list
	http://packetstormsecurity.com/files/171626/AD-Ma…

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Log4j2	Affected: 2.0-beta9 , < log4j-core* (custom)

Credits

This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:17:24.696Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://logging.apache.org/log4j/2.x/security.html"
          },
          {
            "name": "[oss-security] 20211210 CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/12/10/1"
          },
          {
            "name": "[oss-security] 20211210 Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/12/10/2"
          },
          {
            "name": "20211210 Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
          },
          {
            "name": "[oss-security] 20211210 Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/12/10/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20211210-0007/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
          },
          {
            "name": "DSA-5020",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-5020"
          },
          {
            "name": "[debian-lts-announce] 20211212 [SECURITY] [DLA 2842-1] apache-log4j2 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html"
          },
          {
            "name": "FEDORA-2021-f0f501d01f",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/"
          },
          {
            "name": "Microsoft\u2019s Response to CVE-2021-44228 Apache Log4j 2",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/"
          },
          {
            "name": "[oss-security] 20211213 Re: CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/12/13/2"
          },
          {
            "name": "[oss-security] 20211213 CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/12/13/1"
          },
          {
            "name": "[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"
          },
          {
            "name": "20211210 A Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
          },
          {
            "name": "VU#930724",
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/930724"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://twitter.com/kurtseifried/status/1469345530182455296"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
          },
          {
            "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
          },
          {
            "name": "[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
          },
          {
            "name": "FEDORA-2021-66d6c484f3",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html"
          },
          {
            "name": "20220314 APPLE-SA-2022-03-14-7 Xcode 13.3",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/Mar/23"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cisagov/log4j-affected-db"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT213189"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html"
          },
          {
            "name": "20220721 Open-Xchange Security Advisory 2022-07-21",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/Jul/11"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html"
          },
          {
            "name": "20221208 Intel Data Center Manager \u003c= 5.1 Local Privileges Escalation",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/Dec/2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 10,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2021-44228",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T14:25:34.416117Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2021-12-10",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44228"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:25:23.121Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44228"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2021-12-10T00:00:00+00:00",
            "value": "CVE-2021-44228 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Log4j2",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.3.1",
                  "status": "unaffected"
                },
                {
                  "at": "2.4",
                  "status": "affected"
                },
                {
                  "at": "2.12.2",
                  "status": "unaffected"
                },
                {
                  "at": "2.13.0",
                  "status": "affected"
                },
                {
                  "at": "2.15.0",
                  "status": "unaffected"
                }
              ],
              "lessThan": "log4j-core*",
              "status": "affected",
              "version": "2.0-beta9",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "critical"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-03T00:00:00.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "url": "https://logging.apache.org/log4j/2.x/security.html"
        },
        {
          "name": "[oss-security] 20211210 CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/12/10/1"
        },
        {
          "name": "[oss-security] 20211210 Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/12/10/2"
        },
        {
          "name": "20211210 Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
        },
        {
          "name": "[oss-security] 20211210 Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/12/10/3"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20211210-0007/"
        },
        {
          "url": "http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"
        },
        {
          "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
        },
        {
          "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
        },
        {
          "name": "DSA-5020",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2021/dsa-5020"
        },
        {
          "name": "[debian-lts-announce] 20211212 [SECURITY] [DLA 2842-1] apache-log4j2 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html"
        },
        {
          "name": "FEDORA-2021-f0f501d01f",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/"
        },
        {
          "name": "Microsoft\u2019s Response to CVE-2021-44228 Apache Log4j 2",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/"
        },
        {
          "name": "[oss-security] 20211213 Re: CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/12/13/2"
        },
        {
          "name": "[oss-security] 20211213 CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/12/13/1"
        },
        {
          "name": "[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4"
        },
        {
          "name": "20211210 A Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
        },
        {
          "name": "VU#930724",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.kb.cert.org/vuls/id/930724"
        },
        {
          "url": "https://twitter.com/kurtseifried/status/1469345530182455296"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
        },
        {
          "url": "http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html"
        },
        {
          "url": "http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"
        },
        {
          "url": "http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html"
        },
        {
          "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
        },
        {
          "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
        },
        {
          "name": "[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3"
        },
        {
          "url": "http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html"
        },
        {
          "url": "http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html"
        },
        {
          "url": "http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html"
        },
        {
          "url": "http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html"
        },
        {
          "url": "http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
        },
        {
          "name": "FEDORA-2021-66d6c484f3",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/"
        },
        {
          "url": "http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "url": "http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html"
        },
        {
          "url": "https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md"
        },
        {
          "url": "http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html"
        },
        {
          "url": "http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html"
        },
        {
          "name": "20220314 APPLE-SA-2022-03-14-7 Xcode 13.3",
          "tags": [
            "mailing-list"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/Mar/23"
        },
        {
          "url": "https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001"
        },
        {
          "url": "https://github.com/cisagov/log4j-affected-db"
        },
        {
          "url": "https://support.apple.com/kb/HT213189"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "url": "https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228"
        },
        {
          "url": "https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html"
        },
        {
          "name": "20220721 Open-Xchange Security Advisory 2022-07-21",
          "tags": [
            "mailing-list"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/Jul/11"
        },
        {
          "url": "http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"
        },
        {
          "url": "http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html"
        },
        {
          "name": "20221208 Intel Data Center Manager \u003c= 5.1 Local Privileges Escalation",
          "tags": [
            "mailing-list"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/Dec/2"
        },
        {
          "url": "http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-44228",
    "datePublished": "2021-12-10T00:00:00.000Z",
    "dateReserved": "2021-11-26T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:25:23.121Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-45105 (GCVE-0-2021-45105)

Vulnerability from cvelistv5 – Published: 2021-12-18 11:55 – Updated: 2024-08-04 04:39

Title

Apache Log4j2 does not always protect from infinite recursion in lookup evaluation

Summary

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Severity ?

No CVSS data available.

CWE

CWE-20 - Improper Input Validation
CWE-674 - Uncontrolled Recursion

Assigner

apache

References

URL

Tags

	https://logging.apache.org/log4j/2.x/security.html	x_refsource_MISC
	https://psirt.global.sonicwall.com/vuln-detail/SN…	x_refsource_CONFIRM
	https://www.kb.cert.org/vuls/id/930724	third-party-advisoryx_refsource_CERT-VN
	https://tools.cisco.com/security/center/content/C…	vendor-advisoryx_refsource_CISCO
	http://www.openwall.com/lists/oss-security/2021/12/19/1	mailing-listx_refsource_MLIST
	https://www.debian.org/security/2021/dsa-5024	vendor-advisoryx_refsource_DEBIAN
	https://cert-portal.siemens.com/productcert/pdf/s…	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-2021121…	x_refsource_CONFIRM
	https://www.zerodayinitiative.com/advisories/ZDI-…	x_refsource_MISC
	https://cert-portal.siemens.com/productcert/pdf/s…	x_refsource_CONFIRM
	https://www.oracle.com/security-alerts/cpujan2022.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Log4j2	Affected: log4j-core , < 2.17.0 (custom)

Credits

Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro’s Zero Day Initiative, and another anonymous vulnerability researcher

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:39:20.295Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://logging.apache.org/log4j/2.x/security.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
          },
          {
            "name": "VU#930724",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/930724"
          },
          {
            "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
          },
          {
            "name": "[oss-security] 20211218 CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/12/19/1"
          },
          {
            "name": "DSA-5024",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-5024"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20211218-0001/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1541/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Log4j2",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.13.0",
                  "status": "affected"
                },
                {
                  "at": "2.12.3",
                  "status": "unaffected"
                },
                {
                  "at": "2.4",
                  "status": "affected"
                },
                {
                  "at": "2.3.1",
                  "status": "unaffected"
                },
                {
                  "at": "2.0-alpha1",
                  "status": "affected"
                }
              ],
              "lessThan": "2.17.0",
              "status": "affected",
              "version": "log4j-core",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro\u2019s Zero Day Initiative, and another anonymous vulnerability researcher"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "high"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:41:57",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://logging.apache.org/log4j/2.x/security.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
        },
        {
          "name": "VU#930724",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "https://www.kb.cert.org/vuls/id/930724"
        },
        {
          "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
        },
        {
          "name": "[oss-security] 20211218 CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/12/19/1"
        },
        {
          "name": "DSA-5024",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-5024"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20211218-0001/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1541/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "source": {
        "defect": [
          "LOG4J2-3230"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Apache Log4j2 does not always protect from infinite recursion in lookup evaluation",
      "workarounds": [
        {
          "lang": "en",
          "value": "Implement one of the following mitigation techniques:\n\n* Java 8 (or later) users should upgrade to release 2.17.0.\n\nAlternatively, this can be mitigated in configuration:\n\n* In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC).\n* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate \nfrom sources external to the application such as HTTP headers or user input."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-45105",
          "STATE": "PUBLIC",
          "TITLE": "Apache Log4j2 does not always protect from infinite recursion in lookup evaluation"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Log4j2",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "log4j-core",
                            "version_value": "2.17.0"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "log4j-core",
                            "version_value": "2.13.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "log4j-core",
                            "version_value": "2.12.3"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "log4j-core",
                            "version_value": "2.4"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "log4j-core",
                            "version_value": "2.3.1"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "log4j-core",
                            "version_value": "2.0-alpha1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro\u2019s Zero Day Initiative, and another anonymous vulnerability researcher"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "high"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20 Improper Input Validation"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-674: Uncontrolled Recursion"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://logging.apache.org/log4j/2.x/security.html",
              "refsource": "MISC",
              "url": "https://logging.apache.org/log4j/2.x/security.html"
            },
            {
              "name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032",
              "refsource": "CONFIRM",
              "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
            },
            {
              "name": "VU#930724",
              "refsource": "CERT-VN",
              "url": "https://www.kb.cert.org/vuls/id/930724"
            },
            {
              "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
            },
            {
              "name": "[oss-security] 20211218 CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/12/19/1"
            },
            {
              "name": "DSA-5024",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-5024"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20211218-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20211218-0001/"
            },
            {
              "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-1541/",
              "refsource": "MISC",
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1541/"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        },
        "source": {
          "defect": [
            "LOG4J2-3230"
          ],
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Implement one of the following mitigation techniques:\n\n* Java 8 (or later) users should upgrade to release 2.17.0.\n\nAlternatively, this can be mitigated in configuration:\n\n* In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC).\n* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate \nfrom sources external to the application such as HTTP headers or user input."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-45105",
    "datePublished": "2021-12-18T11:55:08",
    "dateReserved": "2021-12-16T00:00:00",
    "dateUpdated": "2024-08-04T04:39:20.295Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-44832 (GCVE-0-2021-44832)

Vulnerability from cvelistv5 – Published: 2021-12-28 19:35 – Updated: 2024-08-04 04:32

Title

Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

Summary

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Severity ?

No CVSS data available.

CWE

CWE-20 - Improper Input Validation
CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Assigner

apache

References

URL

Tags

	https://tools.cisco.com/security/center/content/C…	vendor-advisoryx_refsource_CISCO
	https://lists.apache.org/thread/s1o5vlo78ypqxnzn6…	x_refsource_MISC
	https://issues.apache.org/jira/browse/LOG4J2-3293	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2021/12/28/1	mailing-listx_refsource_MLIST
	https://lists.debian.org/debian-lts-announce/2021…	mailing-listx_refsource_MLIST
	https://cert-portal.siemens.com/productcert/pdf/s…	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://www.oracle.com/security-alerts/cpujan2022.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-2022010…	x_refsource_CONFIRM
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Log4j2	Affected: log4j-core , < 2.17.1 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:32:13.076Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"
          },
          {
            "name": "[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/12/28/1"
          },
          {
            "name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"
          },
          {
            "name": "FEDORA-2021-c6f471ce0f",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"
          },
          {
            "name": "FEDORA-2021-1bd9151bab",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220104-0001/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Log4j2",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.13.0",
                  "status": "affected"
                },
                {
                  "at": "2.12.4",
                  "status": "unaffected"
                },
                {
                  "at": "2.4",
                  "status": "affected"
                },
                {
                  "at": "2.3.2",
                  "status": "unaffected"
                },
                {
                  "at": "2.0-beta7",
                  "status": "affected"
                }
              ],
              "lessThan": "2.17.1",
              "status": "affected",
              "version": "log4j-core",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "moderate"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:41:33",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"
        },
        {
          "name": "[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/12/28/1"
        },
        {
          "name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"
        },
        {
          "name": "FEDORA-2021-c6f471ce0f",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"
        },
        {
          "name": "FEDORA-2021-1bd9151bab",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220104-0001/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "source": {
        "defect": [
          "LOG4J2-3293",
          ""
        ],
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2021-12-27T00:00:00",
          "value": "reported"
        },
        {
          "lang": "en",
          "time": "2021-12-27T00:00:00",
          "value": "patch proposed, 2.17.1-rc1"
        },
        {
          "lang": "en",
          "time": "2021-12-28T00:00:00",
          "value": "fixed"
        },
        {
          "lang": "en",
          "time": "2021-12-28T00:00:00",
          "value": "public"
        }
      ],
      "title": "Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-44832",
          "STATE": "PUBLIC",
          "TITLE": "Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Log4j2",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "log4j-core",
                            "version_value": "2.17.1"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "log4j-core",
                            "version_value": "2.13.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "log4j-core",
                            "version_value": "2.12.4"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "log4j-core",
                            "version_value": "2.4"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "log4j-core",
                            "version_value": "2.3.2"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "log4j-core",
                            "version_value": "2.0-beta7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "moderate"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20 Improper Input Validation"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
            },
            {
              "name": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"
            },
            {
              "name": "https://issues.apache.org/jira/browse/LOG4J2-3293",
              "refsource": "MISC",
              "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"
            },
            {
              "name": "[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/12/28/1"
            },
            {
              "name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"
            },
            {
              "name": "FEDORA-2021-c6f471ce0f",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"
            },
            {
              "name": "FEDORA-2021-1bd9151bab",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220104-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220104-0001/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        },
        "source": {
          "defect": [
            "LOG4J2-3293",
            ""
          ],
          "discovery": "UNKNOWN"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2021-12-27T00:00:00",
            "value": "reported"
          },
          {
            "lang": "en",
            "time": "2021-12-27T00:00:00",
            "value": "patch proposed, 2.17.1-rc1"
          },
          {
            "lang": "en",
            "time": "2021-12-28T00:00:00",
            "value": "fixed"
          },
          {
            "lang": "en",
            "time": "2021-12-28T00:00:00",
            "value": "public"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-44832",
    "datePublished": "2021-12-28T19:35:11",
    "dateReserved": "2021-12-11T00:00:00",
    "dateUpdated": "2024-08-04T04:32:13.076Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SESB-2021-347-01

CVE-2021-45046 (GCVE-0-2021-45046)

CVE-2021-4104 (GCVE-0-2021-4104)

CVE-2021-44228 (GCVE-0-2021-44228)

CVE-2021-45105 (GCVE-0-2021-45105)

CVE-2021-44832 (GCVE-0-2021-44832)

Tags

Sightings

Nomenclature