Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration
Description
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Log4j2 versions 2.0-beta7 through 2.17.0 are vulnerable to RCE via JDBC Appender when an attacker controls the logging configuration and a malicious LDAP server.
Vulnerability
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI [2][4]. The vulnerability arises because the JDBC Appender does not restrict the protocol used in JNDI data source names, allowing an attacker to specify an LDAP URI that points to a malicious LDAP server [4].
Exploitation
An attacker must have permission to modify the Log4j2 logging configuration file [4]. With that access, the attacker can construct a malicious configuration that includes a JDBC Appender with a data source referencing a JNDI LDAP URI. When the application processes the configuration, Log4j2 will connect to the attacker-controlled LDAP server, which can return a serialized Java object that leads to remote code execution [4].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the target system with the privileges of the application using Log4j2 [2][4]. This can lead to full compromise of the affected system, including data exfiltration, installation of malware, or further lateral movement within the network.
Mitigation
The issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2 [2][4]. Users should upgrade to these versions or later. If upgrading is not immediately possible, ensure that logging configuration files are protected from unauthorized modification [4]. No workaround is available that does not involve upgrading or restricting configuration file access.
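As an added defender-side check (not code from the Log4j project or from this advisory), the following Python scanner applies the same java-only rule that the fixed releases enforce to a Log4j2 XML configuration, flagging any JDBC appender whose DataSource jndiName uses a different protocol. The sample configuration, its placeholder host, and the decision to treat scheme-less JNDI names as local are constructed assumptions of this example.

```python
"""Audit a Log4j2 XML config for JDBC DataSource jndiName values that use a
protocol other than java:, the condition the fixed releases reject. Added example."""
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample config: one local data source, one remote one (placeholder host).
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="LocalDb" tableName="APP_LOG">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDB"/>
      <Column name="MESSAGE" pattern="%m"/>
    </JDBC>
    <JDBC name="RemoteDb" tableName="APP_LOG">
      <DataSource jndiName="ldap://placeholder.invalid:1389/o=log"/>
      <Column name="MESSAGE" pattern="%m"/>
    </JDBC>
  </Appenders>
</Configuration>
"""

def is_java_only(jndi_name: str) -> bool:
    """True when the name has no URI scheme (plain JNDI name) or its scheme is java.
    Accepting scheme-less names as local is this example's assumption."""
    scheme = urlsplit(jndi_name.strip()).scheme.lower()
    return scheme in ("", "java")

def find_unsafe_jndi_datasources(config_xml: str) -> List[Tuple[str, str]]:
    """Return (appender name, jndiName) for every JDBC DataSource failing the rule.
    Element names are compared case-insensitively, as Log4j2 config names are."""
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        for ds in appender.iter():
            if ds.tag.lower() == "datasource":
                name = ds.get("jndiName", "")
                if not is_java_only(name):
                    findings.append((appender.get("name", "?"), name))
    return findings

if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for appender_name, jndi in find_unsafe_jndi_datasources(xml_text):
        print(f"UNSAFE: appender {appender_name!r} uses jndiName {jndi!r}")
```

Run it against each log4j2.xml deployed on an unpatched host; any finding is a configuration that the upgraded versions would refuse to load.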
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.logging.log4j:log4j-core | Maven | >= 2.0-beta7, < 2.3.2 | 2.3.2 |
| org.apache.logging.log4j:log4j-core | Maven | >= 2.4, < 2.12.4 | 2.12.4 |
| org.apache.logging.log4j:log4j-core | Maven | >= 2.13.0, < 2.17.1 | 2.17.1 |
| org.ops4j.pax.logging:pax-logging-log4j2 | Maven | >= 1.8.0, < 1.9.2 | 1.9.2 |
| org.ops4j.pax.logging:pax-logging-log4j2 | Maven | >= 1.10.0, < 1.10.9 | 1.10.9 |
| org.ops4j.pax.logging:pax-logging-log4j2 | Maven | >= 1.11.0, < 1.11.13 | 1.11.13 |
| org.ops4j.pax.logging:pax-logging-log4j2 | Maven | >= 2.0.0, < 2.0.14 | 2.0.14 |
Affected products
- GHSA coordinates (no CPE), 2 version ranges: >= 2.0-beta7, < 2.3.2; >= 1.8.0, < 1.9.2
- Apache Software Foundation / Apache Log4j2 (v5 range): log4j-core
References
- github.com/advisories/GHSA-8489-44mv-ggj8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-44832 (NVD)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/ (Fedora vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/ (Fedora vendor advisory)
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd (Cisco vendor advisory)
- sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd (Cisco vendor advisory)
- www.openwall.com/lists/oss-security/2021/12/28/1 (oss-security mailing list)
- cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf (Siemens ProductCERT advisory)
- issues.apache.org/jira/browse/LOG4J2-3293 (Apache JIRA issue)
- lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143 (Apache mailing list)
- lists.debian.org/debian-lts-announce/2021/12/msg00036.html (Debian LTS mailing list)
- security.netapp.com/advisory/ntap-20220104-0001/ (NetApp advisory)
- www.oracle.com/security-alerts/cpujan2022.html (Oracle Critical Patch Update)
- www.oracle.com/security-alerts/cpuapr2022.html (Oracle Critical Patch Update)
- www.oracle.com/security-alerts/cpujul2022.html (Oracle Critical Patch Update)