CVE-2021-44832: Apache Log4j2 Remote Code Execution Vulnerability Alert
Vulnerability Detail
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Starting from version 2.17.1 (and 2.12.4 and 2.3.2 for Java 7 and Java 6), the JDBC Appender uses JndiManager and requires the log4j2.enableJndiJdbc system property to be set to true before JNDI is enabled. The property that enabled JNDI has been renamed from 'log4j2.enableJndi' to three separate properties: log4j2.enableJndiLookup, log4j2.enableJndiJms, and log4j2.enableJndiContextSelector. JNDI functionality has been hardened in versions 2.3.1, 2.12.2, 2.12.3, and 2.17.0: from these versions onwards, support for the LDAP protocol has been removed and only the java protocol is supported in JNDI connections.
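The two checks a defender would want from this advisory are a version test against the affected range it names (2.0-beta7 through 2.17.0, excluding 2.3.2 and 2.12.4) and a scan of the logging configuration for a JDBC Appender whose data source references a JNDI URI outside the java protocol. The script below, an added example that is not part of the advisory or of the Log4j project, does both in Python. It assumes the XML form of the Log4j 2 configuration, in which the JDBC appender is a `<JDBC>` element holding a `<DataSource jndiName="..."/>` child (the element and attribute names used in the Log4j 2 manual); the two sample configurations are constructed for the example, and the ldap: host in the second is a placeholder.

```python
"""Defender-side checks for CVE-2021-44832 (added example, not the advisory's own code)."""
import re
import xml.etree.ElementTree as ET

# Fix releases named in the advisory; 2.12.4 and 2.3.2 sit inside the
# numeric range but are explicitly excluded from it.
FIXED_RELEASES = {"2.17.1", "2.12.4", "2.3.2"}
# Pre-releases (2.0-beta7, 2.0-rc1) sort before the final 2.0 release.
_PRE_RANK = {"beta": 0, "rc": 1, None: 2}


def parse_version(version):
    """Turn '2.0-beta7', '2.12.4' or '2.17.0' into a tuple that sorts correctly."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    return (int(major), int(minor), int(patch or 0), _PRE_RANK[pre], int(pre_num or 0))


def is_affected(version):
    """True if this Log4j 2 version falls in the advisory's affected range."""
    if version.strip() in FIXED_RELEASES:
        return False
    return parse_version("2.0-beta7") <= parse_version(version) <= parse_version("2.17.0")


def scan_log4j_config(xml_text):
    """Return (appender name, jndiName) for every JDBC appender whose DataSource
    references a JNDI URI that is not on the java protocol.  Log4j matches XML
    element and attribute names case-insensitively, so this scanner does too."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.lower() != "jdbc":
            continue
        appender = elem.get("name", "<unnamed>")
        for ds in elem.iter():
            if ds.tag.lower() != "datasource":
                continue
            jndi = next((v for k, v in ds.attrib.items() if k.lower() == "jndiname"), "")
            if not jndi.lower().startswith("java:"):
                findings.append((appender, jndi))
    return findings


# Constructed sample: a JDBC appender bound to a container-managed data source.
SAFE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="databaseAppender" tableName="LOGGING.APPLICATION_LOG">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource" />
      <Column name="MESSAGE" pattern="%message" />
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="warn"><AppenderRef ref="databaseAppender"/></Root>
  </Loggers>
</Configuration>"""

# Constructed sample: the same appender pointed at a non-java JNDI URI
# (placeholder host), which the fixed releases refuse and this scanner flags.
UNSAFE_CONFIG = SAFE_CONFIG.replace(
    "java:/comp/env/jdbc/LoggingDataSource", "ldap://jndi.example.invalid/placeholder"
)


def report(version, xml_text):
    """Combine both checks into one human-readable assessment."""
    lines = [f"Log4j {version}: {'AFFECTED' if is_affected(version) else 'not in affected range'}"]
    findings = scan_log4j_config(xml_text)
    if findings:
        for appender, jndi in findings:
            lines.append(f"  JDBC appender {appender!r} uses non-java JNDI data source {jndi!r}")
    else:
        lines.append("  no JDBC appender with a non-java JNDI data source")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("2.17.0", UNSAFE_CONFIG))
    print(report("2.17.1", SAFE_CONFIG))
```

The configuration scan only covers the XML format; Log4j 2 also accepts JSON, YAML and properties configurations, which would need their own walkers. Note too that a clean scan result does not by itself mean a pre-2.17.1 deployment is safe: the advisory's precondition is write access to the configuration file, so the version check and the file's permissions are what actually decide exposure.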