CVE-2021-44832

Name: CVE-2021-44832
Description: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to remote code execution (RCE) when the logging configuration uses a JDBC Appender whose DataSource is given as a JNDI LDAP URI and the attacker controls the LDAP server that URI points to. Because the malicious URI has to be present in the configuration, exploitation requires the attacker to control the Log4j configuration as well as the LDAP server. The issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4 and 2.3.2.
Source: CVE
References: DLA-2870-1
Debian Bugs: 1002813

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release                Version           Status
apache-log4j2 (PTS)   buster                 2.17.1-1~deb10u1  fixed
                      buster (security)      2.17.0-1~deb10u1  vulnerable
                      bullseye               2.17.1-1~deb11u1  fixed
                      bullseye (security)    2.17.0-1~deb11u1  vulnerable
                      sid, trixie, bookworm  2.19.0-2          fixed

The information below is based on the following data on fixed versions.

Package        Type    Release     Fixed Version     Urgency  Origin      Debian Bugs
apache-log4j2  source  stretch     2.12.4-0+deb9u1            DLA-2870-1
apache-log4j2  source  buster      2.17.1-1~deb10u1
apache-log4j2  source  bullseye    2.17.1-1~deb11u1
apache-log4j2  source  (unstable)  2.17.1-1                               1002813

Notes

https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832
https://issues.apache.org/jira/browse/LOG4J2-3293
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16 (log4j-2.17.1-rc1)
Fixed in 2.17.1, 2.12.4 and 2.3.2
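Added example, not part of the Debian tracker page and not Apache Log4j or Debian code: a Python check that puts the two preconditions from the description together. It extracts every JDBC Appender DataSource from a log4j2.xml and flags JNDI names outside the java: scheme (the restriction the 2.17.1/2.12.4/2.3.2 fix imposes), and it classifies a Debian or upstream version string against the fixed releases listed above. The two embedded configurations are constructed samples with a hypothetical LDAP host; the version parser assumes no epoch prefix and simply drops the Debian revision or pre-release tag; treating schemeless JNDI names as findings is this checker's conservative choice, not something the advisory states.

```python
"""Added example, not code from the Debian tracker or from Apache Log4j.

Decide whether a Log4j 2 deployment is exposed to CVE-2021-44832 by
combining the two conditions in the description: a version without the
fix, and a configuration whose JDBC Appender resolves its DataSource
through a JNDI name outside the java: scheme.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample (hypothetical host): the JDBC Appender's DataSource is
# looked up over LDAP.  With an attacker-controlled LDAP server this is the
# RCE condition from the description on 2.0-beta7 .. 2.17.0.
VULNERABLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <JDBC name="auditDb" tableName="audit_log">
      <DataSource jndiName="ldap://ldap.example.invalid:1389/dc=example,dc=com"/>
      <Column name="event_time" isEventTimestamp="true"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="auditDb"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: the same appender with the DataSource bound in the
# container's java: namespace, the only scheme the fixed releases resolve.
SAFE_CONFIG = VULNERABLE_CONFIG.replace(
    "ldap://ldap.example.invalid:1389/dc=example,dc=com",
    "java:comp/env/jdbc/auditDs")


def upstream_version(version):
    """'2.17.1-1~deb11u1' -> (2, 17, 1); '2.0-beta7' -> (2, 0).

    Everything from the first '-' on (Debian revision or pre-release tag)
    is dropped.  Assumes no epoch prefix in the string.
    """
    return tuple(int(part) for part in version.split("-", 1)[0].split("."))


def version_is_fixed(version):
    """Fixed releases per the description: 2.17.1 and later, plus the
    2.12.4 and 2.3.2 backports."""
    v = upstream_version(version)
    return v >= (2, 17, 1) or v in {(2, 12, 4), (2, 3, 2)}


def jdbc_jndi_datasources(config_xml):
    """Return (appender name, jndiName) for every DataSource child of a
    JDBC Appender.  Element names are compared case-insensitively."""
    root = ET.fromstring(config_xml)
    found = []
    for elem in root.iter():
        if elem.tag.lower() != "jdbc":
            continue
        for child in elem:
            if child.tag.lower() == "datasource" and child.get("jndiName"):
                found.append((elem.get("name"), child.get("jndiName")))
    return found


def uses_java_scheme(jndi_name):
    """The fix limits JNDI data source names to the java: scheme.  This
    check treats anything else (ldap:, rmi:, or no scheme at all) as a
    finding, which is deliberately stricter than the advisory text."""
    return urlsplit(jndi_name).scheme.lower() == "java"


def assess(version, config_xml):
    """Exposed only when both conditions hold: the build lacks the fix and
    the configuration has a JDBC DataSource outside the java: scheme."""
    findings = [(app, name) for app, name in jdbc_jndi_datasources(config_xml)
                if not uses_java_scheme(name)]
    fixed = version_is_fixed(version)
    return {
        "version_fixed": fixed,
        "non_java_jndi_datasources": findings,
        "exposed": bool(findings) and not fixed,
    }


if __name__ == "__main__":
    # The bullseye versions from the table above: security archive vs. point release.
    for version in ("2.17.0-1~deb11u1", "2.17.1-1~deb11u1"):
        for label, cfg in (("ldap:", VULNERABLE_CONFIG), ("java:", SAFE_CONFIG)):
            result = assess(version, cfg)
            print(f"{version:<18} DataSource {label:<6} exposed={result['exposed']}")
```

On a real host, feed assess() the installed version of the binary package built from apache-log4j2 (liblog4j2-java, as reported by dpkg-query -W) and the active configuration file. A configuration with no JDBC Appender at all yields no findings, so such a deployment is not exposed to this particular issue regardless of version, although upgrading to a fixed release is still the right move.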
