AVID-2026-R0928
Description
Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration (CVE-2021-44832)
Details
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when the configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker controls the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Reason for inclusion in AVID: CVE-2021-44832 describes a remote code execution vulnerability in Apache Log4j2 (JDBC Appender with LDAP data source). This is a software vulnerability in a widely used library that can be part of AI system deployment stacks, which commonly depend on Java components, logging, and data processing pipelines. It therefore concerns AI/ML software, affects components used to build and deploy AI systems, is a security/vulnerability issue, and has sufficient evidence in the report.
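As an added example (not part of the AVID record or of the Log4j2 project), the following Python audit reads a Log4j2 XML configuration and reports every JDBC Appender whose DataSource is resolved through JNDI, treating only `java:` names as acceptable, in line with the fix described above. The sample configuration and the `placeholder.invalid` host are constructed, and the `review` verdict for scheme-less names is this example's own convention, not Log4j2 behaviour.

```python
"""Audit a Log4j2 XML config for JDBC appenders backed by non-java JNDI data sources."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample config: one safe java: data source, one LDAP-backed data
# source of the kind CVE-2021-44832 concerns, and one scheme-less name.
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="auditDb" tableName="AUDIT">
      <DataSource jndiName="java:comp/env/jdbc/AuditDS"/>
      <Column name="MESSAGE" pattern="%m"/>
    </JDBC>
    <JDBC name="remoteDb" tableName="LOGS">
      <DataSource jndiName="ldap://placeholder.invalid/cn=ds"/>
      <Column name="MESSAGE" pattern="%m"/>
    </JDBC>
    <Appender type="JDBC" name="legacyDb" tableName="LOGS">
      <DataSource jndiName="jdbc/LegacyDS"/>
    </Appender>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="auditDb"/></Root></Loggers>
</Configuration>
"""

def _local(tag):
    """Strip any XML namespace so namespaced configs are handled too."""
    return tag.split("}")[-1]

def jdbc_appenders(root):
    """Yield JDBC appender elements, both <JDBC> and strict <Appender type="JDBC">."""
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "JDBC" or (tag == "Appender" and el.get("type", "").upper() == "JDBC"):
            yield el

def classify_jndi_name(jndi_name):
    """'ok' for java: names, 'unsafe' for any other protocol (ldap, ldaps, ...),
    'review' when no protocol is given (example convention, resolve manually)."""
    scheme = urlsplit(jndi_name).scheme.lower()
    if scheme == "java":
        return "ok"
    return "review" if scheme == "" else "unsafe"

def audit_config(xml_text):
    """Return (appender name, jndiName, verdict) for each JNDI-backed JDBC appender."""
    findings = []
    for app in jdbc_appenders(ET.fromstring(xml_text)):
        for ds in app.iter():
            if _local(ds.tag) == "DataSource" and ds.get("jndiName"):
                name = ds.get("jndiName")
                findings.append((app.get("name"), name, classify_jndi_name(name)))
    return findings

if __name__ == "__main__":
    for appender, name, verdict in audit_config(SAMPLE_CONFIG):
        print(f"{verdict:7} {appender}: {name}")
```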
References
- NVD entry
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
- https://issues.apache.org/jira/browse/LOG4J2-3293
- http://www.openwall.com/lists/oss-security/2021/12/28/1
- https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://security.netapp.com/advisory/ntap-20220104-0001/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Log4j2 |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-20 | CWE-20 Improper Input Validation |
| CWE-74 | CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2021-12-28
- Version: 0.3.3
- AVID Entry