What is CVE-2021-44832?

CVE-2021-44832 is a medium-severity vulnerability in Apache Log4j, classified under Improper Input Validation. CVSS score: 6.6/10. Published 2021-12-28.

How severe is CVE-2021-44832?

Medium severity. CVSS v3 base score is 6.6 out of 10.

Is CVE-2021-44832 known to be exploited?

89 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Improper input validation in Apache Log4j

CVE-2021-44832

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an at…

Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)

EPSS: 0.536 (98.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.6 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H.

Affected products

Apache Log4j — versions 2.0
Apache Software Foundation Log4j2 — versions log4j-core
Cisco Cloudcenter — versions 4.10.0.16
Oracle Communications_brm_-_elastic_charging_engine — versions 12.0.0.5.0
Oracle Communications_diameter_signaling_router
Oracle Communications_interactive_session_recorder — versions 6.3, 6.4
Oracle Communications_offline_mediation_controller — versions 12.0.0.5.0
Oracle Flexcube_private_banking — versions 12.1.0
Oracle Health_sciences_data_management_workbench — versions 2.5.2.1, 3.0.0.0, 3.1.0.3
Oracle Policy_automation

Weakness classification (CWE)

Public proof-of-concept exploits

References

security@apache.org (x_refsource_CISCO, vendor-advisory, Third Party Advisory)
security@apache.org (Mailing List, x_refsource_MISC, Vendor Advisory)
security@apache.org (Patch, x_refsource_MISC, Issue Tracking, Vendor Advisory)
security@apache.org (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
security@apache.org (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
security@apache.org (x_refsource_CONFIRM, Third Party Advisory)
security@apache.org (x_refsource_FEDORA, vendor-advisory)
security@apache.org (x_refsource_FEDORA, vendor-advisory)
security@apache.org (Patch, Third Party Advisory, x_refsource_MISC)
security@apache.org (x_refsource_CONFIRM, Third Party Advisory)

Frequently asked questions

What is CVE-2021-44832?: CVE-2021-44832 is a medium-severity vulnerability in Apache Log4j, classified under Improper Input Validation. CVSS score: 6.6/10. Published 2021-12-28.
How severe is CVE-2021-44832?: Medium severity. CVSS v3 base score is 6.6 out of 10.
Is CVE-2021-44832 known to be exploited?: 89 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.