Vulnerability

CVE-2021-44832

Medium· 6.6CVSS6.6EPSS54%

.rules3/5

Improper Input Validation and Injection in Apache Log4j2

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to an attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. # Affected packages Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use. This issue does not impact default configurations of Log4j2 and requires an attacker to have control over the Log4j2 configuration, which reduces the likelihood of being exploited.

Threat signal

74/100

High

Severity

medium

CVSS

6.6

EPSS

54%

Active

CVSS

v3.1via NVDOpen in FIRST calculator →

6.6/ 10MEDIUMCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack VectorNetworkExploitable remotely over the internet — no local access needed.
Attack ComplexityHighRequires conditions outside attacker's control (race, brute-force, configuration
Privileges RequiredHighAdmin / root privileges required.
User InteractionNoneFully automated — no victim action needed.
ScopeUnchangedImpact contained to the vulnerable component.
Confidentiality ImpactHighTotal disclosure of sensitive data.
Integrity ImpactHighTotal compromise of integrity — full data modification possible.
Availability ImpactHighTotal loss of availability — full DoS possible.

EPSS

Exploit prediction · 30-day horizonFIRST.org →

53.6%

probability of exploitation in next 30 days

p98

higher than 98% of all CVEs

3-day trend↑ 0pp

Statistically about to be weaponized — top-tier triage urgency.

Vendor VEX

No VEX statements published for CVE-2021-44832. Vendors publish VEX (Vulnerability Exploitability eXchange) to assert per-product whether a CVE is actually exploitable in their distribution.

SSVCDefer

No exploitation, limited impact or prevalence

exploitation: none
automatable: no
impact: partial
mission: support

Lifecycle

2022-01-04Published
2022-01-20Vendor advisory · amazon-linuxALAS2-2022-1734 — ALAS2-2022-1734 (medium): aws-kinesis-agent
2026-05-29Last modified2 sources

Entity graph

2 nodes · 1 edges · click to pivot

CVEActorVendor advisoryIOCNews

Vendor advisories

amazon-linuxALAS2-2022-1734ALAS2-2022-1734 (medium): aws-kinesis-agent

Mentions in news & research

research:snykNew Log4j 2.17.1 fixes CVE-2021-44832 remote code execution (but it's not as bad as it sounds)2021-12-29

References

No source-event history recorded yet. New revisions will appear here as ingestors re-fetch this CVE.