Log4Shell — Apache Software Foundation Log4j2 Deserialization
CVE-2021-44228
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoin…
Vulnerability class: Insecure Deserialization
EPSS: 0.944 (100.0th percentile)
Affected products
- Apache Software Foundation Log4j2 — versions 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1)
Weakness classification (CWE)
- CWE-502: Deserialization of Untrusted Data
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on 2021-12-10. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.
Known ransomware campaign use: yes.
Public proof-of-concept exploits
- 2269 public proof-of-concept repositories are indexed for this CVE.
References
- logging.apache.org/log4j/2.x/security.html
- [oss-security] 20211210 CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (mailing-list)
- [oss-security] 20211210 Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (mailing-list)
- 20211210 Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021 (vendor-advisory)
- [oss-security] 20211210 Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (mailing-list)
- security.netapp.com/advisory/ntap-20211210-0007/
- packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution…
- psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
- www.oracle.com/security-alerts/alert-cve-2021-44228.html
- DSA-5020 (vendor-advisory)
Frequently asked questions
- What is CVE-2021-44228?
  CVE-2021-44228 is a vulnerability in Apache Software Foundation Log4j2, classified under Deserialization of Untrusted Data. Published 2021-12-10.
- Is CVE-2021-44228 known to be exploited?
  Yes. CVE-2021-44228 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-12-10), indicating it is being actively exploited. 2269 public proof-of-concept repositories are indexed.