PT-2021-5610 · Apache · Apache Log4J2

Published: 2021-12-18 · Updated: 2026-05-29 · CVE-2021-44832

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4)

Description: Apache Log4j2 does not apply additional access controls to the JNDI data source names used by the JDBC Appender. A remote attacker who controls the target LDAP server can execute arbitrary code when the logging configuration uses a JDBC Appender with a JNDI LDAP data source URI. Exploitation requires specific conditions, in particular the ability to modify the Log4j configuration file. Real-world exploitation of this issue has been reported, including breaches at Sisense and Snowflake, posing a severe threat to global finance.

Recommendations: For Apache Log4j2 versions 2.0-beta7 through 2.17.0, update to version 2.17.1, 2.12.4, or 2.3.2; these releases fix the issue by limiting JNDI data source names to the java protocol. As a temporary workaround, restrict access to the JDBC Appender with a JNDI LDAP data source URI to minimize the risk of exploitation. Avoid using the log4j2.configurationFile parameter in the affected API endpoint until the issue is resolved.
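A configuration check in the spirit of the recommendation above, added here as an example (it is not part of the PT record or of the Log4j project): it flags JDBC Appenders whose DataSource jndiName uses any protocol other than java:, which is the restriction the fixed releases enforce. The sample Log4j2 configuration is constructed for the example.

```python
"""Scan a Log4j2 XML configuration for JDBC Appenders whose JNDI data source
name uses a protocol other than java: (the pattern behind CVE-2021-44832).
Added defensive example; not code from the PT-2021-5610 record or from Log4j."""
import xml.etree.ElementTree as ET

ALLOWED_SCHEME = "java"  # fixed releases limit JDBC DataSource JNDI names to java:


def _local(tag: str) -> str:
    """Strip an XML namespace prefix, if any, from an element tag."""
    return tag.rsplit("}", 1)[-1]


def jdbc_jndi_findings(config_xml: str) -> list:
    """Return (appender name, jndiName) pairs whose JNDI name is not java:."""
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter():
        # Both <JDBC .../> and the strict form <Appender type="JDBC"> are JDBC appenders.
        tag = _local(elem.tag)
        is_jdbc = tag == "JDBC" or (tag == "Appender" and elem.get("type") == "JDBC")
        if not is_jdbc:
            continue
        for ds in elem.iter():
            if _local(ds.tag) != "DataSource":
                continue
            jndi = ds.get("jndiName", "")
            scheme = jndi.split(":", 1)[0].lower() if ":" in jndi else ""
            if scheme != ALLOWED_SCHEME:
                findings.append((elem.get("name", "?"), jndi))
    return findings


# Constructed sample: one appender with a local java: data source, one pointing at LDAP.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="SafeDb" tableName="logs">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="RemoteDb" tableName="logs">
      <DataSource jndiName="ldap://example.invalid:389/cn=ds"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="SafeDb"/></Root></Loggers>
</Configuration>"""

if __name__ == "__main__":
    for name, jndi in jdbc_jndi_findings(SAMPLE_CONFIG):
        print(f"appender {name!r}: non-java JNDI data source {jndi!r}")
```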

Tags: Exploit · Fix · RCE · Special Elements Injection

Weakness Enumeration

Related Identifiers

ALT-PU-2022-7659
BDU:2022-00044
CVE-2021-44832
DLA-2870-1
GHSA-8489-44MV-GGJ8
MGASA-2022-0002
OESA-2021-1481
OESA-2022-1956
OESA-2022-1957
OPENSUSE-SU-2021:4208-1
OPENSUSE-SU-2021_4208-1
OPENSUSE-SU-2022:0002-1
OPENSUSE-SU-2022_0002-1
OPENSUSE-SU-2024:11702-1
RHSA-2022:1296
RHSA-2022:1297
USN-5222-1

Affected Products

Alt Linux
Apache Log4J2
Astra Linux
Linuxmint
Red Os
Suse
Ubuntu