CVE-2021-44228

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Events: Introduced

805a6af8dba5dfdd35ec35dc52ec0122400b2610

Fixed

28a33cbc24e4256c143dce96c7d93bf423229f92

Affected versions

v3.*

v3.2

v3.3

v3.3-rc1

v3.3-rc2

v3.3-rc3

v3.3-rc4

v3.3-rc5

v3.3-rc6

v3.3-rc7

v3.4

v3.4-rc1

v3.4-rc2

v3.4-rc3

v3.4-rc4

v3.4-rc5

v3.4-rc6

v3.4-rc7

v3.5-rc1

v3.5-rc2

v3.5-rc3

v3.5-rc4

v3.5-rc5

v3.5-rc6

v3.5-rc7

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-44228.json"

Git / github.com/golang/go

Affected ranges

Type: GIT
Repo: https://github.com/golang/go
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0380c9ad38843d523d9c9804fe300cb7edd7cd3c

Affected versions

go1.*

go1.10beta1

go1.10beta2

go1.10rc1

go1.10rc2

go1.11beta1

go1.11beta2

go1.11beta3

go1.12

go1.12beta1

go1.12beta2

go1.12rc1

go1.3beta1

go1.3beta2

go1.4beta1

go1.5beta1

go1.5beta2

go1.5beta3

go1.6beta1

go1.6beta2

go1.7beta1

go1.7beta2

go1.7rc1

go1.7rc2

go1.7rc3

go1.7rc4

go1.8beta1

go1.8beta2

go1.9beta1

go1.9beta2

release.*

release.r56

Other

weekly

weekly.*

weekly.2009-11-06

weekly.2009-11-10

weekly.2009-11-10.1

weekly.2009-11-12

weekly.2009-11-17

weekly.2009-12-07

weekly.2009-12-09

weekly.2009-12-22

weekly.2010-01-05

weekly.2010-01-13

weekly.2010-01-27

weekly.2010-02-04

weekly.2010-02-17

weekly.2010-02-23

weekly.2010-03-04

weekly.2010-03-15

weekly.2010-03-22

weekly.2010-03-30

weekly.2010-04-13

weekly.2010-04-27

weekly.2010-05-04

weekly.2010-05-27

weekly.2010-06-09

weekly.2010-06-21

weekly.2010-07-01

weekly.2010-07-14

weekly.2010-07-29

weekly.2010-08-04

weekly.2010-08-11

weekly.2010-08-25

weekly.2010-09-06

weekly.2010-09-15

weekly.2010-09-22

weekly.2010-09-29

weekly.2010-10-13

weekly.2010-10-13.1

weekly.2010-10-20

weekly.2010-10-27

weekly.2010-11-02

weekly.2010-11-10

weekly.2010-11-23

weekly.2010-12-02

weekly.2010-12-08

weekly.2010-12-15

weekly.2010-12-15.1

weekly.2010-12-22

weekly.2011-01-06

weekly.2011-01-12

weekly.2011-01-19

weekly.2011-01-20

weekly.2011-02-01

weekly.2011-02-01.1

weekly.2011-02-15

weekly.2011-02-24

weekly.2011-03-07

weekly.2011-03-07.1

weekly.2011-03-15

weekly.2011-03-28

weekly.2011-04-04

weekly.2011-04-13

weekly.2011-04-27

weekly.2011-05-22

weekly.2011-06-02

weekly.2011-06-09

weekly.2011-06-16

weekly.2011-06-23

weekly.2011-07-07

weekly.2011-07-19

weekly.2011-07-29

weekly.2011-08-10

weekly.2011-08-17

weekly.2011-09-01

weekly.2011-09-07

weekly.2011-09-16

weekly.2011-09-21

weekly.2011-10-06

weekly.2011-10-18

weekly.2011-10-25

weekly.2011-10-26

weekly.2011-11-01

weekly.2011-11-02

weekly.2011-11-08

weekly.2011-11-09

weekly.2011-11-18

weekly.2011-12-01

weekly.2011-12-02

weekly.2011-12-06

weekly.2011-12-14

weekly.2011-12-22

weekly.2012-01-15

weekly.2012-01-20

weekly.2012-01-27

weekly.2012-02-07

weekly.2012-02-14

weekly.2012-02-22

weekly.2012-03-04

weekly.2012-03-13

weekly.2012-03-22

weekly.2012-03-27

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-44228.json"