Apache Log4j2 is vulnerable to RCE via JDBC Appender when an attacker controls configuration

CVE-2021-44832 (CVSS score: 6.6 MEDIUM) – Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Mitigations:
Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).
Reference: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832
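The fix described above works by restricting the JDBC Appender's DataSource `jndiName` to the `java:` protocol. The following audit script, an added example that is not part of the advisory or of Log4j itself, applies the same rule to a Log4j2 XML configuration so that a defender can review configuration files on hosts that have not yet been upgraded. The sample configuration, appender names and the `example.invalid` host are constructed for the example.

```python
"""Audit a Log4j2 XML configuration for JDBC Appenders whose DataSource
jndiName does not use the java: protocol (the condition CVE-2021-44832's
fix rejects). Added example; not code from the Log4j project."""
import sys
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple


def _local_name(elem: ET.Element) -> str:
    """Tag name without any XML namespace prefix, lower-cased."""
    return elem.tag.rsplit("}", 1)[-1].lower()


def _attr(elem: ET.Element, name: str) -> Optional[str]:
    """Log4j2 matches attribute names case-insensitively; do the same."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return None


def _is_jdbc_appender(elem: ET.Element) -> bool:
    """Both <JDBC .../> and <Appender type="JDBC" .../> declare the appender."""
    tag = _local_name(elem)
    if tag == "jdbc":
        return True
    return tag == "appender" and (_attr(elem, "type") or "").lower() == "jdbc"


def find_unsafe_jndi_datasources(xml_text: str) -> List[Tuple[str, str]]:
    """Return (appender name, jndiName) for every JDBC DataSource whose
    JNDI name is not restricted to the java: protocol."""
    root = ET.fromstring(xml_text)
    findings: List[Tuple[str, str]] = []
    for elem in root.iter():
        if not _is_jdbc_appender(elem):
            continue
        appender_name = _attr(elem, "name") or "<unnamed>"
        for child in elem:
            if _local_name(child) != "datasource":
                continue
            jndi_name = _attr(child, "jndiName")
            if jndi_name is None:
                continue
            # Patched releases only accept names in the java: namespace.
            if not jndi_name.strip().lower().startswith("java:"):
                findings.append((appender_name, jndi_name))
    return findings


# Constructed sample: one appender uses a local java: DataSource, the other
# references a non-java JNDI URI and should be flagged.
SAMPLE_CONFIG = """
<Configuration status="warn">
  <Appenders>
    <JDBC name="dbLog" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="remoteDs" tableName="application_log">
      <DataSource jndiName="ldap://example.invalid/dc=example"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="dbLog"/>
    </Root>
  </Loggers>
</Configuration>
"""


def main() -> int:
    """Audit the file named on the command line, or the embedded sample."""
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    findings = find_unsafe_jndi_datasources(text)
    for appender, jndi_name in findings:
        print(f"UNSAFE: appender {appender!r} uses non-java JNDI name {jndi_name!r}")
    if not findings:
        print("No JDBC DataSource with a non-java JNDI name found.")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it against a deployed `log4j2.xml` to list any JDBC Appender that a patched release would refuse to load; the non-zero exit status lets it gate a deployment pipeline. The check is a complement to upgrading, not a replacement: the precondition the advisory states is write access to the configuration file, so the durable mitigation remains installing 2.3.2, 2.12.4 or 2.17.1 and protecting the configuration from modification.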

Reference URLs:
https://logging.apache.org/log4j/2.x/
https://logging.apache.org/log4j/2.x/security.html
https://nvd.nist.gov/vuln/detail/CVE-2021-44832

Published: 30 December 2021, 11:42:09 BST
