CVE-2021-44228

Published: 10 December 2021

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Notes

Author	Note
mdeslaur	apache-log4j1.2 contains a similar issue in a non-default configuration, and it was assigned CVE-2021-4104, see that CVE for information about apache-log4j1.2

Priority

Cvss 3 Severity Score

10.0

Score breakdown

Status

Package	Release	Status
apache-log4j2 Launchpad, Ubuntu, Debian	bionic	Released (2.10.0-2ubuntu0.1)
	focal	Released (2.15.0-0.20.04.1)
	hirsute	Released (2.15.0-0.21.04.1)
	impish	Released (2.15.0-0.21.10.1)
	jammy	Not vulnerable (2.15.0-1)
	trusty	Does not exist
	upstream	Released (2.15.0)
	xenial	Released (2.4-2ubuntu0.1~esm1) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	Patches: upstream: https://github.com/apache/logging-log4j2/commit/c77b3cb39312b83b053d23a2158b99ac7de44dd3

Severity score breakdown

Parameter	Value
Base score	10.0
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Changed
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›