CVE-2021-44228

NameCVE-2021-44228
DescriptionApache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2842-1, DSA-5020-1
NVD severityhigh
Debian Bugs1001478

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache-log4j1.2 (PTS)stretch (security), stretch1.2.17-7+deb9u1fixed
buster, buster (security)1.2.17-8+deb10u1fixed
bookworm, sid, bullseye1.2.17-10fixed
apache-log4j2 (PTS)stretch2.7-2vulnerable
stretch (security)2.12.4-0+deb9u1fixed
buster2.11.1-2vulnerable
buster (security)2.17.0-1~deb10u1fixed
bullseye2.16.0-1~deb11u1fixed
bullseye (security)2.17.0-1~deb11u1fixed
bookworm, sid2.17.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apache-log4j1.2source(unstable)(not affected)
apache-log4j2sourcestretch2.7-2+deb9u1DLA-2842-1
apache-log4j2sourcebuster2.15.0-1~deb10u1DSA-5020-1
apache-log4j2sourcebullseye2.15.0-1~deb11u1DSA-5020-1
apache-log4j2source(unstable)2.15.0-11001478

Notes

- apache-log4j1.2 <not-affected> (Vulnerable code not present)
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
https://github.com/apache/logging-log4j2/pull/608
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://issues.apache.org/jira/browse/LOG4J2-3198
https://github.com/apache/logging-log4j2/commit/c77b3cb39312b83b053d23a2158b99ac7de44dd3
The lookup is performed *after* formatting the message, which includes the user input. Hence
the vulnerability can still be triggered using a ParametrizedMessage.

Search for package or bug name: Reporting problems