CVE-2021-44832
apache-log4j2 - security update
6.6
MEDIUM
CVSS 3.1
EPSS 53.6%
Description
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to remote code execution (RCE) when the logging configuration uses a JDBC Appender whose data source is resolved through a JNDI LDAP URI and an attacker controls the LDAP server that URI points to. Because the JNDI lookup is only reached through the configuration, the attacker also needs to be able to modify the Log4j2 configuration file; logging attacker-supplied strings does not trigger it. The issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4 and 2.3.2.
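The configuration the description refers to, next to its hardened form, with a small scanner that applies the post-fix rule (only JNDI names in the java: scheme) to a log4j2.xml. This is an added example, not code from this advisory or from the Log4j project; the host ldap.example.test, the appender name audit and the table and column names are constructed for it.

```python
# Added example (not part of this advisory or of the Log4j project): scan a
# log4j2.xml configuration for the CVE-2021-44832 pattern, a JDBC appender
# whose <DataSource> is resolved through a JNDI name outside the java: scheme.
# Both configurations below are constructed for this example.
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed: vulnerable configuration. On Log4j2 before 2.17.1 / 2.12.4 /
# 2.3.2 the DataSource name is handed to JNDI as-is, so whoever controls
# ldap.example.test (and could place this file) gets code execution.
VULNERABLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="audit" tableName="audit_log">
      <DataSource jndiName="ldap://ldap.example.test:389/dc=example,dc=test"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="audit"/></Root></Loggers>
</Configuration>"""

# Constructed: the same appender bound to a container-managed DataSource.
# Names in the java: scheme are what the fixed releases limit lookups to.
FIXED_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="audit" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/auditDb"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="audit"/></Root></Loggers>
</Configuration>"""


def _is_jdbc_appender(el: ET.Element) -> bool:
    # Log4j2 plugin names are case-insensitive, and an appender may be written
    # either as <JDBC ...> or as <Appender type="JDBC" ...>.
    return el.tag.lower() == "jdbc" or el.get("type", "").lower() == "jdbc"


def jndi_data_sources(config_xml: str) -> List[Tuple[str, str]]:
    """Return (appender name, jndiName) for every JDBC appender DataSource."""
    found = []
    for appender in ET.fromstring(config_xml).iter():
        if not _is_jdbc_appender(appender):
            continue
        for child in appender:
            if child.tag.lower() == "datasource" and child.get("jndiName"):
                found.append((appender.get("name", "?"), child.get("jndiName")))
    return found


def unsafe_data_sources(config_xml: str) -> List[Tuple[str, str]]:
    """JDBC DataSources whose JNDI name does not use the java: scheme, i.e.
    anything an LDAP-controlling attacker could point at a server of theirs."""
    return [(name, jndi) for name, jndi in jndi_data_sources(config_xml)
            if not jndi.lower().startswith("java:")]


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, unsafe_data_sources(cfg))
```

The scanner is deliberately conservative: a scheme-less name such as jdbc/auditDb is flagged too, because such names are resolved against the application's InitialContext and what that reaches depends on how the context was set up. It only covers the XML configuration format; properties, JSON and YAML configurations need the same check applied to their DataSource entries. Upgrading remains the fix, since the scanner finds a bad configuration but does not stop one from being written.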
How to fix CVE-2021-44832
To remediate CVE-2021-44832, upgrade the affected package to one of the fixed versions below.
- upgrade to 2.17.1-1~deb11u1 or later (Debian 11 package version of apache-log4j2)
- upgrade to 2.12.4-0+deb9u1 or later (Debian 9 package version of apache-log4j2)
- upgrade to 2.3.2 or later
- upgrade to 1.9.2 or later
Is CVE-2021-44832 being exploited?
Likely. EPSS estimates a 53.6% probability that CVE-2021-44832 is exploited in the wild within the next 30 days, which places it in the top tier of vulnerabilities by exploitation probability. Prioritise patching. Keep the CVSS vector in mind when triaging, though: AC:H and PR:H reflect that an attacker needs both the ability to change the Log4j2 configuration and control of the LDAP server it references, so exposure is concentrated where configuration files are writable by untrusted users or processes.
Affected packages (4)
- from 0, < 2.17.1-1~deb11u1
- from 0, < 2.12.4-0+deb9u1
- >= 2.0-beta7, < 2.3.2
- >= 1.8.0, < 1.9.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.6) | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |