{"id":"CVE-2021-44832","details":"Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.","aliases":["GHSA-8489-44mv-ggj8"],"modified":"2026-04-16T00:06:12.470359703Z","published":"2021-12-28T20:15:08.400Z","related":["openSUSE-SU-2021:4208-1","openSUSE-SU-2022:0002-1","openSUSE-SU-2024:11702-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/12/28/1"},{"type":"ADVISORY","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"},{"type":"ADVISORY","url":"https://issues.apache.org/jira/browse/LOG4J2-3293"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220104-0001/"},{"type":"ADVISORY","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"REPORT","url":"https://issues.apache.org/jira/browse/LOG4J2-3293"},{"type":"FIX","url":"https://issues.apache.org/jira/browse/LOG4J2-3293"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2021/12/28/1"},{"type":"ARTICLE","url":"https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/logging-log4j2","events":[{"introduced":"383a8194acab4a740d22b69c023ca3af6cb9c664"},{"fixed":"f954f1a04868f7bde3aee93775bdab5ad9515bdd"},{"introduced":"9dcb1823a0a0192f2016daf7c1445ddfb3435fbf"},{"fixed":"11dafda0c43eb31cca67f3b0ed0ca9b81780db76"},{"introduced":"d943d2d580e37c400d8cebebd3c7e7634d670302"},{"fixed":"dfc35cfb8bdbda7043439ac7027edfa2d400b5c2"}]}],"versions":["log4j-2.10-rc1","log4j-2.10.0","log4j-2.11.0","log4j-2.11.0-rc1","log4j-2.11.1","log4j-2.11.1-rc1","log4j-2.11.2","log4j-2.11.2-rc1","log4j-2.11.2-rc2","log4j-2.11.2-rc3","log4j-2.12.0","log4j-2.12.0-rc1","log4j-2.12.0-rc2","log4j-2.12.1","log4j-2.12.1-rc1","log4j-2.12.2-rc1","log4j-2.12.3-rc1","log4j-2.12.4-rc1","log4j-2.13.0-rc1","log4j-2.13.0-rc2","log4j-2.13.1","log4j-2.13.1-rc1","log4j-2.13.1-rc2","log4j-2.13.2","log4j-2.13.2-rc1","log4j-2.13.3","log4j-2.13.3-rc1","log4j-2.14.0-rc1","log4j-2.14.1-rc1","log4j-2.15.0-rc1","log4j-2.15.0-rc2","log4j-2.15.1-rc1","log4j-2.16.0-rc1","log4j-2.17.0-rc1","log4j-2.4","log4j-2.4.1","log4j-2.5","log4j-2.5-rc1","log4j-2.6","log4j-2.6-rc1","log4j-2.6.1","log4j-2.6.1-rc1","log4j-2.6.2","log4j-2.6.2-rc1","log4j-2.7","log4j-2.7-rc1","log4j-2.7-rc2","log4j-2.8","log4j-2.8-rc1","log4j-2.8.1","log4j-2.8.1-rc1","log4j-2.8.2","log4j-2.8.2-rc1","log4j-2.9-rc1","log4j-2.9.0","log4j-2.9.1-rc1","rel/2.10.0","rel/2.11.0","rel/2.11.1","rel/2.11.2","rel/2.12.0","rel/2.12.1","rel/2.12.2","rel/2.12.3","rel/2.12.4","rel/2.13.0","rel/2.13.1","rel/2.13.2","rel/2.13.3","rel/2.14.0","rel/2.14.1","rel/2.15.0","rel/2.16.0","rel/2.17.0","rel/2.4","rel/2.4.1","rel/2.5","rel/2.6","rel/2.6.1","rel/2.6.2","rel/2.7","rel/2.8","rel/2.8.1","rel/2.8.2","rel/2.9.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-44832.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}