Medium severity6.6NVD Advisory· Published Dec 28, 2021· Updated May 29, 2026
CVE-2021-44832
CVE-2021-44832
Description
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.logging.log4j:log4j-coreMaven | >= 2.0-beta7, < 2.3.2 | 2.3.2 |
org.apache.logging.log4j:log4j-coreMaven | >= 2.4, < 2.12.4 | 2.12.4 |
org.apache.logging.log4j:log4j-coreMaven | >= 2.13.0, < 2.17.1 | 2.17.1 |
org.ops4j.pax.logging:pax-logging-log4j2Maven | >= 1.8.0, < 1.9.2 | 1.9.2 |
org.ops4j.pax.logging:pax-logging-log4j2Maven | >= 1.10.0, < 1.10.9 | 1.10.9 |
org.ops4j.pax.logging:pax-logging-log4j2Maven | >= 1.11.0, < 1.11.13 | 1.11.13 |
org.ops4j.pax.logging:pax-logging-log4j2Maven | >= 2.0.0, < 2.0.14 | 2.0.14 |
Affected products
5- ghsa-coords4 versionspkg:maven/org.apache.logging.log4j/log4j-corepkg:maven/org.ops4j.pax.logging/pax-logging-log4j2pkg:rpm/opensuse/log4j&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/log4j&distro=openSUSE%20Leap%2015.3
>= 2.0-beta7, < 2.3.2+ 3 more
- (no CPE)range: >= 2.0-beta7, < 2.3.2
- (no CPE)range: >= 1.8.0, < 1.9.2
- (no CPE)range: < 2.17.0-lp152.3.15.1
- (no CPE)range: < 2.17.0-4.16.1
- Apache Software Foundation/Apache Log4j2v5Range: log4j-core
Patches
Vulnerability mechanics
References
20- issues.apache.org/jira/browse/LOG4J2-3293nvdIssue TrackingPatchVendor AdvisoryWEB
- www.oracle.com/security-alerts/cpuapr2022.htmlnvdPatchThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpujan2022.htmlnvdPatchThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpujul2022.htmlnvdPatchThird Party AdvisoryWEB
- www.openwall.com/lists/oss-security/2021/12/28/1nvdMailing ListThird Party AdvisoryWEB
- cert-portal.siemens.com/productcert/pdf/ssa-784507.pdfnvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-8489-44mv-ggj8ghsaADVISORY
- lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143nvdMailing ListVendor AdvisoryWEB
- lists.debian.org/debian-lts-announce/2021/12/msg00036.htmlnvdMailing ListThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2021-44832ghsaADVISORY
- security.netapp.com/advisory/ntap-20220104-0001/nvdThird Party Advisory
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbdnvdThird Party AdvisoryWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRAghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFCghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRAghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFCghsaWEB
- sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbdghsaWEB
- security.netapp.com/advisory/ntap-20220104-0001ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/nvd
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/nvd
News mentions
0No linked articles in our index yet.