CVE-2021-44832

Published: Dic 28, 2021 Last Modified: Nov 21, 2024
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 6,6
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: high
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
HIGH 8,5
Source: [email protected]
Access Vector: network
Access Complexity: medium
Authentication: single
Confidentiality: complete
Integrity: complete
Availability: complete

Description

AI Translation Available

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,5277
Percentile
1,0th
Updated

EPSS Score Trend (Last 90 Days)

20

Improper Input Validation

Stable
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Availability Confidentiality Integrity
Potential Impacts:
Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Read Memory Read Files Or Directories Modify Memory Execute Unauthorized Code Or Commands
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: High
View CWE Details
74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Incomplete
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Access Control Other Integrity Non-Repudiation
Potential Impacts:
Read Application Data Bypass Protection Mechanism Alter Execution Logic Other Hide Activities
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: High
View CWE Details
Application

Weblogic Server by Oracle

Product Information
Vendor Oracle
Product Weblogic Server
Version 14.1.1.0.0
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Retail Xstore Point Of Service by Oracle

Product Information
Vendor Oracle
Product Retail Xstore Point Of Service
Version 19.0.2
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Retail Order Broker by Oracle

Product Information
Vendor Oracle
Product Retail Order Broker
Version 18.0
cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Retail Xstore Point Of Service by Oracle

Product Information
Vendor Oracle
Product Retail Xstore Point Of Service
Version 21.0.1
cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.1:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Log4J by Apache

Product Information
Vendor Apache
Product Log4J
Version Range Affected
From 2.4 (inclusive)
To 2.12.4 (exclusive)
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Primavera Unifier by Oracle

Product Information
Vendor Oracle
Product Primavera Unifier
Version 19.12
cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Primavera Gateway by Oracle

Product Information
Vendor Oracle
Product Primavera Gateway
Version 21.12.0
cpe:2.3:a:oracle:primavera_gateway:21.12.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Log4J by Apache

Product Information
Vendor Apache
Product Log4J
Version 2.0
cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Flexcube Private Banking by Oracle

Product Information
Vendor Oracle
Product Flexcube Private Banking
Version 12.1.0
cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Primavera Unifier by Oracle

Product Information
Vendor Oracle
Product Primavera Unifier
Version 18.8
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Primavera Unifier by Oracle

Product Information
Vendor Oracle
Product Primavera Unifier
Version 20.12
cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Primavera Gateway by Oracle

Product Information
Vendor Oracle
Product Primavera Gateway
Version Range Affected
From 19.12.0 (inclusive)
To 19.12.12 (inclusive)
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Primavera P6 Enterprise Project Portfolio Management by Oracle

Product Information
Vendor Oracle
Product Primavera P6 Enterprise Project Portfolio Management
Version 21.12.0.0
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:21.12.0.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Interactive Session Recorder by Oracle

Product Information
Vendor Oracle
Product Communications Interactive Session Recorder
Version 6.3
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Retail Assortment Planning by Oracle

Product Information
Vendor Oracle
Product Retail Assortment Planning
Version 16.0.3
cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Retail Xstore Point Of Service by Oracle

Product Information
Vendor Oracle
Product Retail Xstore Point Of Service
Version 18.0.3
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Weblogic Server by Oracle

Product Information
Vendor Oracle
Product Weblogic Server
Version 12.2.1.4.0
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Log4J by Apache

Product Information
Vendor Apache
Product Log4J
Version 2.0
cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Offline Mediation Controller by Oracle

Product Information
Vendor Oracle
Product Communications Offline Mediation Controller
Version 12.0.0.5.0
cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Offline Mediation Controller by Oracle

Product Information
Vendor Oracle
Product Communications Offline Mediation Controller
Version Range Affected
To 12.0.0.4.4 (exclusive)
cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Primavera P6 Enterprise Project Portfolio Management by Oracle

Product Information
Vendor Oracle
Product Primavera P6 Enterprise Project Portfolio Management
Version Range Affected
From 20.12.0.0 (inclusive)
To 20.12.12.0 (inclusive)
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Cloudcenter by Cisco

Product Information
Vendor Cisco
Product Cloudcenter
Version 4.10.0.16
cpe:2.3:a:cisco:cloudcenter:4.10.0.16:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Brm - Elastic Charging Engine by Oracle

Product Information
Vendor Oracle
Product Communications Brm - Elastic Charging Engine
Version Range Affected
To 12.0.0.4.6 (exclusive)
cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Health Sciences Data Management Workbench by Oracle

Product Information
Vendor Oracle
Product Health Sciences Data Management Workbench
Version 3.0.0.0
cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.0.0.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Product Lifecycle Analytics by Oracle

Product Information
Vendor Oracle
Product Product Lifecycle Analytics
Version 3.6.1
cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Fedora by Fedoraproject

Product Information
Vendor Fedoraproject
Product Fedora
Version 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Diameter Signaling Router by Oracle

Product Information
Vendor Oracle
Product Communications Diameter Signaling Router
Version Range Affected
From 8.0.0.0 (inclusive)
To 8.5.1.0 (inclusive)
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Siebel Ui Framework by Oracle

Product Information
Vendor Oracle
Product Siebel Ui Framework
Version Range Affected
To 21.12 (inclusive)
cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Primavera Gateway by Oracle

Product Information
Vendor Oracle
Product Primavera Gateway
Version Range Affected
From 17.12.0 (inclusive)
To 17.12.11 (inclusive)
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Siebel Ui Framework by Oracle

Product Information
Vendor Oracle
Product Siebel Ui Framework
Version 21.12
cpe:2.3:a:oracle:siebel_ui_framework:21.12:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Policy Automation For Mobile Devices by Oracle

Product Information
Vendor Oracle
Product Policy Automation For Mobile Devices
Version Range Affected
From 12.2.0 (inclusive)
To 12.2.24 (inclusive)
cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Retail Fiscal Management by Oracle

Product Information
Vendor Oracle
Product Retail Fiscal Management
Version 14.2
cpe:2.3:a:oracle:retail_fiscal_management:14.2:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Primavera Gateway by Oracle

Product Information
Vendor Oracle
Product Primavera Gateway
Version Range Affected
From 18.8.0 (inclusive)
To 18.8.13 (inclusive)
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Primavera P6 Enterprise Project Portfolio Management by Oracle

Product Information
Vendor Oracle
Product Primavera P6 Enterprise Project Portfolio Management
Version Range Affected
From 19.12.0 (inclusive)
To 19.12.18.0 (inclusive)
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Retail Xstore Point Of Service by Oracle

Product Information
Vendor Oracle
Product Retail Xstore Point Of Service
Version 20.0.1
cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Fedora by Fedoraproject

Product Information
Vendor Fedoraproject
Product Fedora
Version 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Primavera P6 Enterprise Project Portfolio Management by Oracle

Product Information
Vendor Oracle
Product Primavera P6 Enterprise Project Portfolio Management
Version Range Affected
From 19.12.0.0 (inclusive)
To 19.12.18.0 (inclusive)
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Log4J by Apache

Product Information
Vendor Apache
Product Log4J
Version 2.0
cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Retail Order Broker by Oracle

Product Information
Vendor Oracle
Product Retail Order Broker
Version 19.1
cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Log4J by Apache

Product Information
Vendor Apache
Product Log4J
Version Range Affected
From 2.13.0 (inclusive)
To 2.17.1 (exclusive)
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Log4J by Apache

Product Information
Vendor Apache
Product Log4J
Version 2.0
cpe:2.3:a:apache:log4j:2.0:beta8:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Retail Xstore Point Of Service by Oracle

Product Information
Vendor Oracle
Product Retail Xstore Point Of Service
Version 17.0.4
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Debian Linux by Debian

Product Information
Vendor Debian
Product Debian Linux
Version 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Log4J by Apache

Product Information
Vendor Apache
Product Log4J
Version Range Affected
From 2.0.1 (inclusive)
To 2.3.2 (exclusive)
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Primavera Gateway by Oracle

Product Information
Vendor Oracle
Product Primavera Gateway
Version Range Affected
From 20.12.0 (inclusive)
To 20.12.7 (inclusive)
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Health Sciences Data Management Workbench by Oracle

Product Information
Vendor Oracle
Product Health Sciences Data Management Workbench
Version 2.5.2.1
cpe:2.3:a:oracle:health_sciences_data_management_workbench:2.5.2.1:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Interactive Session Recorder by Oracle

Product Information
Vendor Oracle
Product Communications Interactive Session Recorder
Version 6.4
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Primavera Unifier by Oracle

Product Information
Vendor Oracle
Product Primavera Unifier
Version 21.12
cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Log4J by Apache

Product Information
Vendor Apache
Product Log4J
Version 2.0
cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Weblogic Server by Oracle

Product Information
Vendor Oracle
Product Weblogic Server
Version 12.2.1.3.0
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Policy Automation by Oracle

Product Information
Vendor Oracle
Product Policy Automation
Version Range Affected
From 12.2.0 (inclusive)
To 12.2.24 (inclusive)
cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Health Sciences Data Management Workbench by Oracle

Product Information
Vendor Oracle
Product Health Sciences Data Management Workbench
Version 3.1.0.3
cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.1.0.3:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Diameter Signaling Router by Oracle

Product Information
Vendor Oracle
Product Communications Diameter Signaling Router
Version Range Affected
From 8.3.0.0 (inclusive)
To 8.5.1.0 (inclusive)
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Log4J by Apache

Product Information
Vendor Apache
Product Log4J
Version 2.0
cpe:2.3:a:apache:log4j:2.0:beta7:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Communications Brm - Elastic Charging Engine by Oracle

Product Information
Vendor Oracle
Product Communications Brm - Elastic Charging Engine
Version 12.0.0.5.0
cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.…
Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
https://issues.apache.org/jira/browse/LOG4J2-3293
Issue Tracking Patch Vendor Advisory
https://issues.apache.org/jira/browse/LOG4J2-3293
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9sht…
Mailing List Vendor Advisory
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
https://lists.debian.org/debian-lts-announce/2021/12/msg000…
Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://security.netapp.com/advisory/ntap-20220104-0001/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220104-0001/
https://tools.cisco.com/security/center/content/CiscoSecuri…
Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-…
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
http://www.openwall.com/lists/oss-security/2021/12/28/1
Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/28/1
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.…
Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
https://issues.apache.org/jira/browse/LOG4J2-3293
Issue Tracking Patch Vendor Advisory
https://issues.apache.org/jira/browse/LOG4J2-3293
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9sht…
Mailing List Vendor Advisory
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
https://lists.debian.org/debian-lts-announce/2021/12/msg000…
Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://security.netapp.com/advisory/ntap-20220104-0001/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220104-0001/
https://tools.cisco.com/security/center/content/CiscoSecuri…
Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-…
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
http://www.openwall.com/lists/oss-security/2021/12/28/1
Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/28/1