Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues)
References: DLA-2842-1, DSA-5020-1
NVD severity: high
Debian Bugs: 1001478

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release                       Version            Status
apache-log4j1.2 (PTS)   stretch (security), stretch   1.2.17-7+deb9u1    fixed
apache-log4j1.2 (PTS)   buster, buster (security)     1.2.17-8+deb10u1   fixed
apache-log4j1.2 (PTS)   bookworm, sid, bullseye       1.2.17-10          fixed
apache-log4j2 (PTS)     stretch                       2.7-2              vulnerable
apache-log4j2 (PTS)     stretch (security)            2.12.4-0+deb9u1    fixed
apache-log4j2 (PTS)     buster (security)             2.17.0-1~deb10u1   fixed
apache-log4j2 (PTS)     bullseye (security)           2.17.0-1~deb11u1   fixed
apache-log4j2 (PTS)     bookworm, sid                 2.17.1-1           fixed

The information below is based on the following data on fixed versions.

Package           Type     Release     Fixed Version    Urgency   Origin   Debian Bugs
apache-log4j1.2   source   (unstable)  (not affected)


- apache-log4j1.2 <not-affected> (Vulnerable code not present)
The lookup is performed *after* the message has been formatted, and the formatted message includes the user input. Hence the vulnerability can still be triggered through a ParameterizedMessage, i.e. passing the user input as a {} placeholder argument rather than concatenating it into the message string does not prevent it.
