Description
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
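The configuration pattern the description refers to can be audited statically. The following is an added example, not code from the CVE record or the Log4j project: it scans a Log4j2 XML configuration for JDBC appenders whose DataSource jndiName does not use the java: namespace (the only scheme the fixed releases accept), and it assumes the standard JDBC/DataSource element layout of log4j2.xml; the sample configuration and its hostname are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml: one JDBC appender whose DataSource uses an
# LDAP JNDI name (the configuration shape named in the description) and one
# that uses the java: namespace, which patched releases still allow.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="auditDb" tableName="audit_log">
      <DataSource jndiName="ldap://ldap.example.internal:389/cn=ds"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="appDb" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="appDb"/></Root></Loggers>
</Configuration>"""


def jndi_data_source_findings(config_xml: str) -> list[tuple[str, str]]:
    """Return (appender name, jndiName) for every JDBC appender whose
    DataSource JNDI name is outside the java: namespace.

    Log4j2 plugin element names are matched case-insensitively, so the
    tag comparison is done on lower-cased names.
    """
    root = ET.fromstring(config_xml)
    findings: list[tuple[str, str]] = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        for child in appender:
            if child.tag.lower() != "datasource":
                continue
            jndi_name = child.get("jndiName", "")
            # Patched versions (2.17.1 / 2.12.4 / 2.3.2) only allow java:;
            # anything else (ldap:, rmi:, ...) is what this check surfaces.
            if not jndi_name.lower().startswith("java:"):
                findings.append((appender.get("name", "?"), jndi_name))
    return findings


if __name__ == "__main__":
    for name, jndi in jndi_data_source_findings(SAMPLE_CONFIG):
        print(f"JDBC appender {name!r} uses non-java: JNDI data source: {jndi}")
```

A finding on an unpatched deployment means the configuration itself is the attack surface; upgrading to a fixed release or replacing the data source with a java: name removes it.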
Related CPEs (part, vendor, product)

Part  Vendor          Product
a     apache          log4j
a     oracle          communications_diameter_signaling_router
a     oracle          communications_interactive_session_recorder
a     oracle          primavera_gateway
a     oracle          primavera_p6_enterprise_project_portfolio_management
a     oracle          primavera_unifier
a     oracle          siebel_ui_framework
a     oracle          weblogic_server
o     fedoraproject   fedora
a     oracle          communications_brm_-_elastic_charging_engine
a     oracle          communications_offline_mediation_controller
a     oracle          health_sciences_data_management_workbench
a     oracle          retail_order_broker
a     oracle          retail_xstore_point_of_service
References
http://www.openwall.com/lists/oss-security/2021/12/28/1
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
https://issues.apache.org/jira/browse/LOG4J2-3293
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html
https://security.netapp.com/advisory/ntap-20220104-0001/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
CVSS impact metrics (CVSS v3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Base score: 6.6 (Medium)
Information
Source identifier:
Vulnerability status: Modified
Published: 2021-12-28T20:15:08.400
Last modified: 2023-11-07T03:39:43.957