Description
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/12/28/1
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
https://issues.apache.org/jira/browse/LOG4J2-3293
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/
https://security.netapp.com/advisory/ntap-20220104-0001/
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
Related Vulnerabilities
CVE-2020-7768 Vulnerability in npm package @grpc/grpc-js
CVE-2021-21166 Vulnerability in npm package electron
CVE-2019-8331 Vulnerability in maven package org.fujion.webjars:bootstrap
CVE-2020-6464 Vulnerability in maven package org.webjars.npm:electron
CVE-2017-12612 Vulnerability in maven package org.apache.spark:spark-core_2.11