CVE-2021-44832

Name: CVE-2021-44832
Creator: NVD / NIST
Published: 2021-12-28T20:15:08.4+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.6/10EPSS 97.91%

Last modified Jun 17, 2026

CVE-2021-44832 is a medium-severity vulnerability rated 6.6/10 on the CVSS scale. Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.. EPSS estimates a 97.91% chance of exploitation in the next 30 days.

Description

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Metrics

CVSS 3.1

6.6/10

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

97.91%

99.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Apache	Log4j	>= 2.0.1, < 2.3.2
Apache	Log4j	>= 2.4, < 2.12.4
Apache	Log4j	>= 2.13.0, < 2.17.1
Apache	Log4j	2.0
Oracle	Communications Diameter Signaling Router	>= 8.0.0.0, <= 8.5.1.0
Oracle	Communications Interactive Session Recorder	6.3
Oracle	Communications Interactive Session Recorder	6.4
Oracle	Primavera Gateway	>= 17.12.0, <= 17.12.11
Oracle	Primavera Gateway	>= 18.8.0, <= 18.8.13
Oracle	Primavera Gateway	>= 19.12.0, <= 19.12.12
Oracle	Primavera Gateway	>= 20.12.0, <= 20.12.7
Oracle	Primavera Gateway	21.12.0
Oracle	Primavera P6 Enterprise Project Portfolio Management	>= 19.12.0, <= 19.12.18.0
Oracle	Primavera P6 Enterprise Project Portfolio Management	>= 20.12.0.0, <= 20.12.12.0
Oracle	Primavera P6 Enterprise Project Portfolio Management	21.12.0.0
Oracle	Primavera Unifier	18.8
Oracle	Primavera Unifier	19.12
Oracle	Primavera Unifier	20.12
Oracle	Primavera Unifier	21.12
Oracle	Retail Assortment Planning	16.0.3
Oracle	Retail Fiscal Management	14.2
Oracle	Siebel Ui Framework	21.12
Oracle	Weblogic Server	12.2.1.3.0
Oracle	Weblogic Server	12.2.1.4.0
Oracle	Weblogic Server	14.1.1.0.0
Cisco	Cloudcenter	4.10.0.16
Fedoraproject	Fedora	34
Fedoraproject	Fedora	35
Debian	Debian Linux	9.0
Oracle	Communications Brm - Elastic Charging Engine	< 12.0.0.4.6
Oracle	Communications Brm - Elastic Charging Engine	12.0.0.5.0
Oracle	Communications Diameter Signaling Router	>= 8.3.0.0, <= 8.5.1.0
Oracle	Communications Offline Mediation Controller	< 12.0.0.4.4
Oracle	Communications Offline Mediation Controller	12.0.0.5.0
Oracle	Flexcube Private Banking	12.1.0
Oracle	Health Sciences Data Management Workbench	2.5.2.1
Oracle	Health Sciences Data Management Workbench	3.0.0.0
Oracle	Health Sciences Data Management Workbench	3.1.0.3
Oracle	Policy Automation	>= 12.2.0, <= 12.2.24
Oracle	Policy Automation For Mobile Devices	>= 12.2.0, <= 12.2.24
Oracle	Primavera P6 Enterprise Project Portfolio Management	>= 19.12.0.0, <= 19.12.18.0
Oracle	Product Lifecycle Analytics	3.6.1
Oracle	Retail Order Broker	18.0
Oracle	Retail Order Broker	19.1
Oracle	Retail Xstore Point Of Service	17.0.4
Oracle	Retail Xstore Point Of Service	18.0.3
Oracle	Retail Xstore Point Of Service	19.0.2
Oracle	Retail Xstore Point Of Service	20.0.1
Oracle	Retail Xstore Point Of Service	21.0.1
Oracle	Siebel Ui Framework	<= 21.12

References

http://www.openwall.com/lists/oss-security/2021/12/28/1Mailing List, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdfThird Party Advisory
https://issues.apache.org/jira/browse/LOG4J2-3293Issue Tracking, Patch, Vendor Advisory
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143Mailing List, Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00036.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/
https://security.netapp.com/advisory/ntap-20220104-0001/Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbdThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/28/1Mailing List, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdfThird Party Advisory
https://issues.apache.org/jira/browse/LOG4J2-3293Issue Tracking, Patch, Vendor Advisory
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143Mailing List, Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00036.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/
https://security.netapp.com/advisory/ntap-20220104-0001/Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbdThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory

Timeline

Published: Dec 28, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-44832?

How severe is CVE-2021-44832?

CVE-2021-44832 has a CVSS score of 6.6/10 (MEDIUM severity). The EPSS model estimates a 97.91% probability of exploitation in the next 30 days.

How do I fix CVE-2021-44832?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-44832?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST