> -----Original Message----- > From: Matt Sicker [mailto:[email protected]] > Sent: Tuesday, December 28, 2021 2:27 PM > To: [email protected]; [email protected] > Subject: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender > when attacker > controls configuration
> > Severity: moderate > > Description: > > Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix > releases 2.3.2 and > 2.12.4) are vulnerable to a remote code execution (RCE) attack where an > attacker with I do not see the (git) tag or download on the site. Am I missing something? > permission to modify the logging configuration file can construct a malicious > configuration using a JDBC Appender with a data source referencing a JNDI URI > which can > execute remote code. This issue is fixed by limiting JNDI data source names > to the java > protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. > > This issue is being tracked as LOG4J2-3293, > > References: > > https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143 > https://issues.apache.org/jira/browse/LOG4J2-3293 -- Jason Pyeron | Architect PD Inc | Certified SBA 8(a) 10 w 24th St | Certified SBA HUBZone Baltimore, MD | CAGE Code: 1WVR6 .mil: [email protected] .com: [email protected] tel : 202-741-9397
