CVE-2021-44832
Remote Code Execution vulnerability in org.apache.logging.log4j:log4j-core

What is CVE-2021-44832 About?
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to remote code execution. This occurs when an attacker with permission to modify the logging configuration file crafts a malicious JDBC Appender data source referencing a JNDI URI. Exploitation is of moderate difficulty because it requires control over the logging configuration.
Affected Software
- org.apache.logging.log4j:log4j-core
  - >2.0-beta7, <2.3.2
  - >2.4, <2.12.4
  - >2.13.0, <2.17.1
- org.ops4j.pax.logging:pax-logging-log4j2
  - >1.8.0, <1.9.2
  - >1.10.0, <1.10.9
  - >1.11.0, <1.11.13
  - >2.0.0, <2.0.14
Technical Details
This Remote Code Execution (RCE) vulnerability in Apache Log4j2 affects versions 2.0-beta7 through 2.17.0, with the exception of 2.3.2 and 2.12.4. It specifically arises when an attacker has been granted permissions to modify the Log4j2 logging configuration file. Within this controlled configuration, the attacker can define a malicious JDBC Appender. The key to the exploit is to configure this JDBC Appender with a 'data source' parameter that references a JNDI (Java Naming and Directory Interface) URI. This JNDI URI can then be pointed to a remote server controlled by the attacker, which hosts a malicious LDAP or RMI service. When Log4j2 attempts to resolve this JNDI resource, it can trigger the deserialization of attacker-controlled objects, leading to arbitrary remote code execution on the compromised system. The fix involves explicitly limiting JNDI data source names to the 'java' protocol.
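The fix described above can be turned into a configuration check. The following Python script is an added example (not code from the page or from the Log4j project): it parses a Log4j2 XML configuration, finds every JDBC Appender DataSource element, and flags any jndiName that is not in the java: namespace, which is the rule the fixed log4j-core releases enforce. Both configurations are constructed samples, and the host example.invalid is a placeholder.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Rule enforced by the fixed log4j-core releases: a JDBC Appender DataSource may
# only name a JNDI resource in the "java:" namespace. Any other scheme (ldap:,
# rmi:, dns:, ...) would hand resolution to a remote naming provider.
def jndi_name_allowed(jndi_name: str) -> bool:
    """True if the DataSource jndiName uses the java: protocol."""
    return jndi_name.strip().lower().startswith("java:")


def audit_log4j2_config(xml_text: str) -> List[Tuple[str, str]]:
    """Scan a Log4j2 XML configuration and return (appender name, jndiName)
    for every JDBC Appender DataSource that the fixed releases would reject.

    Log4j2 matches element names case-insensitively, so the scan does too.
    """
    findings: List[Tuple[str, str]] = []
    root = ET.fromstring(xml_text)
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        appender_name = appender.get("name", "<unnamed>")
        for child in appender:
            if child.tag.lower() != "datasource":
                continue
            jndi_name = child.get("jndiName", "")
            if not jndi_name_allowed(jndi_name):
                findings.append((appender_name, jndi_name))
    return findings


# Constructed sample: the shape of configuration the advisory describes. The
# host example.invalid is a placeholder; no such server exists.
VULNERABLE_CONFIG = """\
<Configuration status="warn">
  <Appenders>
    <JDBC name="dbLog" tableName="application_log">
      <DataSource jndiName="ldap://example.invalid:1389/o=placeholder"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="dbLog"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: the same appender bound to a container-managed DataSource
# in the java: namespace, the only form the fixed releases accept.
HARDENED_CONFIG = """\
<Configuration status="warn">
  <Appenders>
    <JDBC name="dbLog" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="dbLog"/></Root>
  </Loggers>
</Configuration>
"""


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_log4j2_config(cfg)
        if findings:
            for appender_name, jndi_name in findings:
                print(f"{label}: appender {appender_name!r} uses non-java: JNDI name {jndi_name!r}")
        else:
            print(f"{label}: no JDBC DataSource outside the java: namespace")
```

Run it against the log4j2.xml files actually deployed with an application; because the page notes that the attacker needs write access to that file, a periodic audit of deployed configurations is also a useful tamper check. The script covers only the XML format; the same DataSource/jndiName rule applies to the equivalent keys in JSON, YAML and properties configurations.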
What is the Impact of CVE-2021-44832?
Successful exploitation may allow attackers to execute arbitrary code with the privileges of the affected application, leading to full system compromise, data theft, or denial of service.
What is the Exploitability of CVE-2021-44832?
Exploitation of this vulnerability has moderate complexity. The crucial prerequisite is that the attacker must already hold permission to modify the Log4j2 logging configuration file, which usually implies authenticated access or a prior compromise. Given that prerequisite, the exploit is not trivial for an unauthenticated remote attacker; it becomes a remote exploit only once configuration control is established. The specific constraints are configuration modification rights and the use of a JDBC Appender that supports JNDI lookups. The requirement for configuration control reduces the likelihood of exploitation, but if such control is obtained (e.g., through other vulnerabilities or an insider threat), the impact is severe. Default Log4j2 configurations are not affected, which further limits the immediately exploitable surface compared to other Log4j2 vulnerabilities.
What are the Known Public Exploits?
| PoC Author | Link | Commentary | 
|---|---|---|
| cckuailong | Link | PoC for CVE-2021-44832 | 
| name | Link | Discover Log4Shell vulnerability [CVE-2021-44832] | 
What are the Available Fixes for CVE-2021-44832?
Available Upgrade Options
- org.ops4j.pax.logging:pax-logging-log4j2
  - >1.8.0, <1.9.2 → Upgrade to 1.9.2
  - >1.10.0, <1.10.9 → Upgrade to 1.10.9
  - >1.11.0, <1.11.13 → Upgrade to 1.11.13
  - >2.0.0, <2.0.14 → Upgrade to 2.0.14
- org.apache.logging.log4j:log4j-core
  - >2.0-beta7, <2.3.2 → Upgrade to 2.3.2
  - >2.4, <2.12.4 → Upgrade to 2.12.4
  - >2.13.0, <2.17.1 → Upgrade to 2.17.1
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2021-44832
- https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html
- https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
- http://www.openwall.com/lists/oss-security/2021/12/28/1
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/
- https://github.com/apache/logging-log4j2
- https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
- https://www.oracle.com/security-alerts/cpuapr2022.html
What are Similar Vulnerabilities to CVE-2021-44832?
Similar Vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2022-23305, CVE-2022-23307, CVE-2022-23302
