CVE-2021-44832

CVE Database · CVE-2021-44832

CVE-2021-44832

· MEDIUMModified

CVSS v3.1

6.6

EPSS

98.08%

Published

Dec 28, 2021

Modified

May 29, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-20CWE-74CWE-20

Affected Products (71)

apache · log4j (up to 2.3.2)vulnerable

apache · log4j (up to 2.12.4)vulnerable

apache · log4j (up to 2.17.1)vulnerable

apache · log4jvulnerable

oracle · communications_diameter_signaling_router

References (20)

http://www.openwall.com/lists/oss-security/2021/12/28/1

Mailing ListThird Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf

Third Party Advisory

https://issues.apache.org/jira/browse/LOG4J2-3293

Issue TrackingPatchVendor Advisory

https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143

Mailing ListVendor Advisory

https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html

Mailing ListThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs

oracle · communications_interactive_session_recordervulnerable

oracle · primavera_gatewayvulnerable

oracle · primavera_p6_enterprise_project_portfolio_managementvulnerable

oracle · primavera_unifiervulnerable

oracle · retail_assortment_planningvulnerable

oracle · retail_fiscal_managementvulnerable

oracle · siebel_ui_frameworkvulnerable

oracle · weblogic_servervulnerable

cisco · cloudcentervulnerable

fedoraproject · fedoravulnerable

debian · debian_linuxvulnerable

oracle · communications_brm_-_elastic_charging_engine (up to 12.0.0.4.6)vulnerable

oracle · communications_brm_-_elastic_charging_enginevulnerable

oracle · communications_diameter_signaling_routervulnerable

oracle · communications_interactive_session_recordervulnerable

oracle · communications_offline_mediation_controller (up to 12.0.0.4.4)vulnerable

oracle · communications_offline_mediation_controllervulnerable

oracle · flexcube_private_bankingvulnerable

oracle · health_sciences_data_management_workbenchvulnerable

oracle · policy_automationvulnerable

oracle · policy_automation_for_mobile_devicesvulnerable

oracle · primavera_gatewayvulnerable

https://issues.apache.org/jira/browse/LOG4J2-3293

Issue TrackingPatchVendor Advisory