Bug#1002813: apache-log4j2: CVE-2021-44832: remote code execution via JDBC Appender

Salvatore Bonaccorso carnil at debian.org
Wed Dec 29 08:12:01 GMT 2021


Source: apache-log4j2
Version: 2.17.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3293
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 2.17.0-1~deb11u1
Control: found -1 2.17.0-1~deb10u1
Control: found -1 2.12.3-0+deb9u1

Hi,

The following vulnerability was published for apache-log4j2, which is
fixed in 2.17.1 and the security releases 2.12.4 and 2.3.2.

CVE-2021-44832[0]:
| Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security
| fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code
| execution (RCE) attack where an attacker with permission to modify the
| logging configuration file can construct a malicious configuration
| using a JDBC Appender with a data source referencing a JNDI URI which
| can execute remote code. This issue is fixed by limiting JNDI data
| source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4,
| and 2.3.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-44832
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
[1] https://issues.apache.org/jira/browse/LOG4J2-3293
[2] https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143

Regards,
Salvatore
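As an added worked example (not Debian's or the Log4j project's own code), the following Python checker looks for the configuration pattern the advisory describes: it parses a Log4j2 XML configuration and flags every JDBC appender whose DataSource jndiName uses a JNDI scheme other than java:, which is the restriction the fixed releases 2.17.1, 2.12.4 and 2.3.2 enforce. The sample configuration, its appender names and the ldap://example.invalid name are constructed for this example; treating scheme-less names as informational and ${...} lookups as unresolved is this example's own policy, and JSON, YAML and properties configurations are out of scope.

```python
"""Static check for the CVE-2021-44832 configuration pattern: a Log4j2
JDBC appender whose <DataSource jndiName="..."> names a JNDI URI outside
the java: scheme. Added example; not Log4j or Debian code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

ALLOWED_SCHEME = "java"  # the only JNDI scheme the fixed releases still look up


@dataclass
class Finding:
    appender: str
    jndi_name: Optional[str]
    verdict: str  # "finding" | "ok" | "info" | "unresolved" | "missing"
    reason: str


def _local_tag(elem: ET.Element) -> str:
    # Strip any XML namespace so <JDBC> and <{ns}JDBC> compare equal.
    return elem.tag.rsplit("}", 1)[-1].lower()


def _is_jdbc_appender(elem: ET.Element) -> bool:
    # Log4j2 accepts the short form <JDBC ...> and the strict form
    # <Appender type="JDBC" ...>; handle both.
    tag = _local_tag(elem)
    if tag == "jdbc":
        return True
    return tag == "appender" and elem.get("type", "").lower() == "jdbc"


def classify_jndi_name(name: Optional[str]) -> Tuple[str, str]:
    """Classify one jndiName value: only the java: scheme is acceptable,
    any other explicit scheme is the vulnerable pattern."""
    if name is None or not name.strip():
        return "missing", "DataSource has no jndiName attribute"
    if "${" in name:
        # A Log4j lookup is expanded at runtime; the scheme cannot be
        # verified statically, so report it for manual review.
        return "unresolved", "jndiName contains a ${...} lookup"
    scheme = urlsplit(name.strip()).scheme.lower()
    if scheme == ALLOWED_SCHEME:
        return "ok", "java: scheme, resolved in the local JNDI namespace"
    if scheme == "":
        # Assumption of this example: a scheme-less name is resolved
        # relative to the initial context and is only reported as info.
        return "info", "scheme-less JNDI name, resolved in the initial context"
    return "finding", f"JNDI scheme '{scheme}:' is not java: (CVE-2021-44832 pattern)"


def scan_config(xml_text: str) -> List[Finding]:
    """Classify every DataSource used by a JDBC appender in a Log4j2 XML
    configuration. Appenders using ConnectionFactory or DriverManager do
    no JNDI lookup and produce no entry."""
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    for appender in root.iter():
        if not _is_jdbc_appender(appender):
            continue
        name = appender.get("name", "<unnamed>")
        for child in appender:
            if _local_tag(child) != "datasource":
                continue
            jndi = child.get("jndiName")
            verdict, reason = classify_jndi_name(jndi)
            findings.append(Finding(name, jndi, verdict, reason))
    return findings


# Constructed sample configuration (not from any real deployment), one
# appender per case the scanner distinguishes. The ldap:// value stands in
# for the attacker-supplied JNDI URI the advisory describes.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <JDBC name="dbFromRemoteJndi" tableName="app_log">
      <DataSource jndiName="ldap://example.invalid/ref"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="dbFromLocalJndi" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <Appender type="JDBC" name="dbStrictLookup" tableName="app_log">
      <DataSource jndiName="${env:LOG_DS_JNDI}"/>
      <Column name="message" pattern="%m"/>
    </Appender>
    <JDBC name="dbDirect" tableName="app_log">
      <ConnectionFactory class="com.example.Connections" method="get"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
</Configuration>
"""


def main() -> None:
    for f in scan_config(SAMPLE_CONFIG):
        print(f"{f.verdict:<10} {f.appender:<18} {f.jndi_name!r}: {f.reason}")


if __name__ == "__main__":
    main()
```

Run it against the log4j2.xml files actually deployed on a host to confirm that no appender depends on a non-java: JNDI data source before and after the upgrade; the scanner does not replace upgrading to a fixed release. Since the advisory's precondition is an attacker who can modify the logging configuration, restricting write access to these files and monitoring them for changes is the other half of the control.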
