Bug 2035951 (CVE-2021-44832)

Summary: CVE-2021-44832 log4j-core: remote code execution via JDBC Appender
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aboyko, ahenning, aileenc, akoufoud, alazarot, anstephe, aos-bugs, asoldano, atangrin, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bdettelb, bgeorges, bibryam, bmaxwell, bmontgom, boliveir, brian.stansberry, btotty, cdewolf, chazlett, clement.escoffier, crarobin, dandread, daniel-oliveira, darran.lofthouse, dbhole, devrim, dkreling, dosoudil, drieden, ehelms, eleandro, eparis, etirelli, ewolinet, fjuma, ggaughan, gmalinko, gsmet, hamadhan, hbraun, hhorak, ibek, iweiss, janstey, java-sig-commits, jburrell, jcantril, jmadigan, jnethert, jochrist, jorton, jpallich, jperkins, jrokos, jross, jsherril, jstastny, jwon, kaycoth, krathod, kverlaen, kwills, lgao, lthon, lzap, mhulan, mizdebsk, mmccune, mnovotny, msochure, msvehla, mszynkie, myarboro, ngough, nmoumoul, nstielau, nwallace, orabin, pamccart, pantinor, paul.wouters, pcreech, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rchan, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, sd-operator-metering, sdouglas, sfowler, sguilhen, smaestri, sponnaga, sthorger, swoodman, tflannag, tom.jenkinson, tzimanyi, vkumar, yborgess
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: log4j 2.17.1, log4j 2.12.4, log4j 2.3.2
Doc Type: If docs needed, set a value
Doc Text: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Story Points: ---
Last Closed: 2022-01-21 20:00:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2036026, 2036040, 2036041, 2036042, 2036043, 2043048, 2043049, 2043050, 2043051    
Bug Blocks: 2030930    

Description Guilherme de Almeida Suckevicz 2021-12-28 19:58:23 UTC
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

References:
https://issues.apache.org/jira/browse/LOG4J2-3293
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
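
An added configuration audit for the issue described above (example code written for this page, not part of the bug report, of Log4j, or of any Red Hat product): it parses a log4j2.xml file, finds every JDBC appender's DataSource and reports whether its jndiName uses the java: scheme that the fixed releases restrict JNDI data source names to. The sample configuration, the appender names and the verdict labels are constructed; treating a scheme-less name as blocked is this auditor's own stricter choice, not something the bug text states.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample log4j2.xml, not taken from the bug report: one DataSource
# uses a non-java: JNDI name (the pattern CVE-2021-44832 describes), one uses
# the java: scheme the fixed releases still permit, one is a runtime lookup.
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="auditRemote" tableName="audit_log">
      <DataSource jndiName="ldap://example.invalid/ds"/>
    </JDBC>
    <JDBC name="auditLocal" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/audit"/>
    </JDBC>
    <Appender type="JDBC" name="auditProp" tableName="audit_log">
      <DataSource jndiName="${sys:audit.ds}"/>
    </Appender>
  </Appenders>
</Configuration>
"""


def is_jdbc_appender(elem):
    # Log4j2 XML accepts <JDBC ...> and, in strict mode, <Appender type="JDBC">.
    return elem.tag == "JDBC" or (
        elem.tag == "Appender" and elem.get("type", "").upper() == "JDBC")


def jndi_verdict(name):
    # "allowed": java: scheme, the only one the fixed releases accept.
    # "unresolved": a ${...} lookup, so the real name is only known at runtime.
    # "blocked": any other scheme, or none at all (this auditor's own stricter
    # choice; the bug text only states that non-java protocols are rejected).
    if "${" in name:
        return "unresolved"
    return "allowed" if urlsplit(name).scheme == "java" else "blocked"


def audit_jdbc_datasources(config_xml):
    """One (appender name, jndiName, verdict) tuple per JDBC DataSource."""
    findings = []
    for appender in ET.fromstring(config_xml).iter():
        if not is_jdbc_appender(appender):
            continue
        for ds in appender.iter("DataSource"):
            name = ds.get("jndiName", "")
            findings.append((appender.get("name"), name, jndi_verdict(name)))
    return findings
```

Log4j2 also accepts JSON, YAML and properties configurations; this auditor covers only the XML form, and an "unresolved" verdict means the effective name must be checked on the running system.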

Comment 6 Huzaifa S. Sidhpurwala 2021-12-29 10:48:38 UTC
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 2036026]

Comment 18 errata-xmlrpc 2022-01-13 15:33:51 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.0.0

Via RHSA-2022:0138 https://access.redhat.com/errata/RHSA-2022:0138

Comment 20 errata-xmlrpc 2022-01-20 09:27:13 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.2
  7.9.1
  7.10.1

Via RHSA-2022:0203 https://access.redhat.com/errata/RHSA-2022:0203

Comment 21 errata-xmlrpc 2022-01-20 11:40:33 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.2.3

Via RHSA-2022:0205 https://access.redhat.com/errata/RHSA-2022:0205

Comment 22 errata-xmlrpc 2022-01-20 12:13:22 UTC
This issue has been addressed in the following products:

  Vert.x 4.1.8

Via RHSA-2022:0083 https://access.redhat.com/errata/RHSA-2022:0083

Comment 24 errata-xmlrpc 2022-01-20 16:00:16 UTC
This issue has been addressed in the following products:

  EAP 7.4 log4j async

Via RHSA-2022:0216 https://access.redhat.com/errata/RHSA-2022:0216

Comment 25 errata-xmlrpc 2022-01-20 18:56:21 UTC
This issue has been addressed in the following products:

  Red Hat Integration Camel Extensions for Quarkus 2.2

Via RHSA-2022:0222 https://access.redhat.com/errata/RHSA-2022:0222

Comment 26 errata-xmlrpc 2022-01-20 18:57:22 UTC
This issue has been addressed in the following products:

  Red Hat Integration Camel-K 1.6.3

Via RHSA-2022:0223 https://access.redhat.com/errata/RHSA-2022:0223

Comment 27 errata-xmlrpc 2022-01-20 21:09:33 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.0

Via RHSA-2022:0225 https://access.redhat.com/errata/RHSA-2022:0225

Comment 28 errata-xmlrpc 2022-01-20 21:39:24 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.1

Via RHSA-2022:0226 https://access.redhat.com/errata/RHSA-2022:0226

Comment 29 errata-xmlrpc 2022-01-20 21:40:48 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.3

Via RHSA-2022:0227 https://access.redhat.com/errata/RHSA-2022:0227

Comment 30 errata-xmlrpc 2022-01-21 19:05:11 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.2

Via RHSA-2022:0230 https://access.redhat.com/errata/RHSA-2022:0230

Comment 31 Product Security DevOps Team 2022-01-21 20:00:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-44832

Comment 32 errata-xmlrpc 2022-01-25 15:25:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2022:0236 https://access.redhat.com/errata/RHSA-2022:0236

Comment 33 errata-xmlrpc 2022-01-27 08:26:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2022:0181 https://access.redhat.com/errata/RHSA-2022:0181

Comment 35 errata-xmlrpc 2022-02-08 12:52:47 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 1.6.7

Via RHSA-2022:0467 https://access.redhat.com/errata/RHSA-2022:0467

Comment 36 errata-xmlrpc 2022-02-16 11:31:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2022:0493 https://access.redhat.com/errata/RHSA-2022:0493

Comment 37 errata-xmlrpc 2022-02-16 15:05:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:0485 https://access.redhat.com/errata/RHSA-2022:0485

Comment 38 errata-xmlrpc 2022-04-11 12:56:59 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:1296 https://access.redhat.com/errata/RHSA-2022:1296

Comment 39 errata-xmlrpc 2022-04-11 12:58:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:1297 https://access.redhat.com/errata/RHSA-2022:1297

Comment 40 errata-xmlrpc 2022-04-11 13:01:12 UTC
This issue has been addressed in the following products:

  EAP 7.4.4 release

Via RHSA-2022:1299 https://access.redhat.com/errata/RHSA-2022:1299

Comment 42 errata-xmlrpc 2025-10-23 23:10:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7

Via RHSA-2022:1299 https://access.redhat.com/errata/RHSA-2022:1299