CVE-2021-44832
6.6 MEDIUM
Published: 2021-12-28 · Last updated: 2026-05-29
Severity and scoring
- CVSS: 6.6 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-20, CWE-74
Affected products
- Vendors: apache, cisco, debian, fedoraproject, oracle
- Products (as listed in the record): cloudcenter, communications_brm_-_elastic_charging_engine, communications_diameter_signaling_router
Description
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-44832
- [Other] http://www.openwall.com/lists/oss-security/2021/12/28/1
- [Other] https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
- [Patch] https://issues.apache.org/jira/browse/LOG4J2-3293
- [Vendor advisory] https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
- [Other] https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/
- [Other] https://security.netapp.com/advisory/ntap-20220104-0001/
- [Other] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- [Patch] https://www.oracle.com/security-alerts/cpuapr2022.html
- [Patch] https://www.oracle.com/security-alerts/cpujan2022.html
- [Patch] https://www.oracle.com/security-alerts/cpujul2022.html
Related CVEs
Same vendor
- CVE-2026-20262 — A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to... (6.5 MEDIUM)
- CVE-2026-50645 — There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can l... (7.5 HIGH)
- CVE-2026-50634 — A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticate... (6.5 MEDIUM)
- CVE-2026-50633 — A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an atta... (8.1 HIGH)
- CVE-2026-50632 — A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been ide... (8.1 HIGH)
Same CWE
- CVE-2026-12223 — A vulnerability was identified in Yealink SIP-T46U 108.86.0.118 (5.5 MEDIUM)
- CVE-2026-12219 — A flaw has been found in Yealink SIP-T46U 108.86.0.118 (6.3 MEDIUM)
- CVE-2026-12206 — A vulnerability was identified in Grit42 Grit up to 0.11.0 (6.3 MEDIUM)
- CVE-2026-12197 — A security flaw has been discovered in Ruijie EG105G-P 2.340 (7.2 HIGH)
- CVE-2026-12191 — A vulnerability was found in Comma AI Openpilot 0.11 (7.8 HIGH)