CVE-2021-44832 vulnerability in Apache and Other Products
Published on December 28, 2021

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Github Repository Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2021-44832 is exploitable with network access, and requires user privileges. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 0.7 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Products Associated with CVE-2021-44832

You can be notified by stack.watch whenever vulnerabilities like CVE-2021-44832 are published in these products:

Apache Log4j

Canonical Ubuntu Linux

Oracle Weblogic Server

Oracle Primavera Unifier

Oracle Communications Interactive Session Recorder

Oracle Primavera Gateway

Oracle Communications Diameter Signaling Router

Oracle Primavera P6 Enterprise Project Portfolio Management

Oracle Retail Assortment Planning

Oracle Retail Fiscal Management

Oracle Siebel Ui Framework

Cisco Cloudcenter

Fedora Project Fedora

Debian Linux

Oracle Flexcube Private Banking

Oracle Retail Order Broker

Oracle Retail Xstore Point Of Service

Oracle Policy Automation

Oracle Product Lifecycle Analytics

Oracle Policy Automation Mobile Devices

Oracle Health Sciences Data Management Workbench

Oracle Communications Brm Elastic Charging Engine

Oracle Communications Offline Mediation Controller

What versions are vulnerable to CVE-2021-44832?

Apache Log4j Version 2.0 rc1
Apache Log4j Version 2.0 beta9
Apache Log4j Version 2.0 rc2
Apache Log4j Version 2.0 beta8
Apache Log4j Version 2.0 beta7
Apache Log4j Version 2.0 -
Apache Log4j Version 2.13.0 Fixed in Version 2.17.1
Apache Log4j Version 2.4 Fixed in Version 2.12.4
Apache Log4j Version 2.0.1 Fixed in Version 2.3.2

Oracle Weblogic Server Version 12.2.1.3.0
Oracle Primavera Unifier Version 18.8
Oracle Weblogic Server Version 12.2.1.4.0
Oracle Primavera Unifier Version 19.12
Oracle Weblogic Server Version 14.1.1.0.0
Oracle Primavera Unifier Version 20.12
Oracle Communications Interactive Session Recorder Version 6.3
Oracle Communications Interactive Session Recorder Version 6.4
Oracle Primavera Gateway Version 17.12.0 through 17.12.11
Oracle Primavera Gateway Version 20.12.0 through 20.12.7
Oracle Retail Assortment Planning Version 16.0.3
Oracle Primavera Unifier Version 21.12
Oracle Primavera P6 Enterprise Project Portfolio Management Version 21.12.0.0
Oracle Primavera P6 Enterprise Project Portfolio Management Version 20.12.0.0 through 20.12.12.0
Oracle Primavera Gateway Version 21.12.0
Oracle Primavera Gateway Version 19.12.0 through 19.12.12
Oracle Primavera Gateway Version 18.8.0 through 18.8.13
Oracle Retail Fiscal Management Version 14.2
Oracle Primavera P6 Enterprise Project Portfolio Management Version 19.12.0 through 19.12.18.0
Oracle Siebel Ui Framework Version 21.12
Oracle Communications Diameter Signaling Router Version 8.0.0.0 through 8.5.1.0

Cisco Cloudcenter Version 4.10.0.16

Fedora Project Fedora Version 34
Fedora Project Fedora Version 35

Debian Linux Version 9.0

Oracle Flexcube Private Banking Version 12.1.0
Oracle Weblogic Server Version 12.2.1.3.0
Oracle Primavera Unifier Version 18.8
Oracle Weblogic Server Version 12.2.1.4.0
Oracle Primavera Unifier Version 19.12
Oracle Weblogic Server Version 14.1.1.0.0
Oracle Primavera Unifier Version 20.12
Oracle Retail Order Broker Version 18.0
Oracle Communications Interactive Session Recorder Version 6.3
Oracle Communications Interactive Session Recorder Version 6.4
Oracle Primavera Gateway Version 17.12.0 through 17.12.11
Oracle Primavera Gateway Version 20.12.0 through 20.12.7
Oracle Primavera Unifier Version 21.12
Oracle Siebel Ui Framework Up to Version 21.12
Oracle Primavera P6 Enterprise Project Portfolio Management Version 21.12.0.0
Oracle Primavera P6 Enterprise Project Portfolio Management Version 20.12.0.0 through 20.12.12.0
Oracle Primavera P6 Enterprise Project Portfolio Management Version 19.12.0.0 through 19.12.18.0
Oracle Primavera Gateway Version 21.12.0
Oracle Primavera Gateway Version 19.12.0 through 19.12.12
Oracle Primavera Gateway Version 18.8.0 through 18.8.13
Oracle Communications Diameter Signaling Router Version 8.3.0.0 through 8.5.1.0
Oracle Retail Xstore Point Of Service Version 17.0.4
Oracle Retail Xstore Point Of Service Version 18.0.3
Oracle Retail Xstore Point Of Service Version 19.0.2
Oracle Retail Xstore Point Of Service Version 20.0.1
Oracle Retail Order Broker Version 19.1
Oracle Policy Automation Version 12.2.0 through 12.2.24
Oracle Product Lifecycle Analytics Version 3.6.1
Oracle Retail Xstore Point Of Service Version 21.0.1
Oracle Policy Automation Mobile Devices Version 12.2.0 through 12.2.24
Oracle Health Sciences Data Management Workbench Version 3.0.0.0
Oracle Health Sciences Data Management Workbench Version 3.1.0.3
Oracle Health Sciences Data Management Workbench Version 2.5.2.1
Oracle Communications Brm Elastic Charging Engine Version 12.0.0.5.0
Oracle Communications Offline Mediation Controller Version 12.0.0.5.0
Oracle Communications Offline Mediation Controller Fixed in Version 12.0.0.4.4
Oracle Communications Brm Elastic Charging Engine Fixed in Version 12.0.0.4.6

Vulnerable Packages

The following package name and versions may be associated with CVE-2021-44832