Note that the previous mitigations have been shown to be ineffective!
Fixed in Log4j 2.15.0 (CVE-2021-44228)
Log4j2 JNDI features do not protect against attacker-controlled LDAP and
other JNDI-related endpoints.
Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0
In Apache Log4j2 versions up to and including 2.14.1 (excluding security
release 2.12.2), the JNDI features used in configurations, log messages,
and parameters do not protect against attacker-controlled LDAP and other
JNDI-related endpoints. An attacker who can control log messages or log
message parameters can execute arbitrary code loaded from LDAP servers when
message lookup substitution is enabled.
*Log4j 1.x mitigation*: Log4j 1.x does not have Lookups so the risk is
lower. Applications using Log4j 1.x are only vulnerable to this attack when
they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has
been filed for this vulnerability. To mitigate: audit your logging
configuration to ensure it has no JMSAppender configured. Log4j 1.x
configurations without JMSAppender are not impacted by this vulnerability.
*Log4j 2.x mitigation*: Implement one of the mitigation techniques below.
- Java 8 (or later) users should upgrade to release 2.16.0.
- Users requiring Java 7 should upgrade to release 2.12.2 when it
becomes available (work in progress, expected to be available soon).
- Otherwise, remove the JndiLookup class from the classpath: zip -q -d
Note that only the log4j-core JAR file is impacted by this vulnerability.
Applications using only the log4j-api JAR file without the log4j-core JAR
file are not impacted by this vulnerability.
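As an added example (not the advisory's or the Log4j project's own code), the following Python checks a log4j-core JAR for the JndiLookup class and writes a copy with that class removed, which is the fallback mitigation listed above. The class entry path and the pom.properties location inside the JAR are assumptions of the example, and the sample JAR it inspects is constructed in memory.

```python
import io
import zipfile
from typing import Optional

# Assumed entry path of the JndiLookup class inside log4j-core, derived from
# its package org.apache.logging.log4j.core.lookup (not stated on the page).
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed Maven metadata path; read only to report which version a JAR claims.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def jar_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Return the version recorded in pom.properties, or None if absent."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_jar(jar) -> dict:
    """jar is a path or file-like; report version and whether JndiLookup ships."""
    with zipfile.ZipFile(jar) as zf:
        return {"version": jar_version(zf),
                "has_jndi_lookup": JNDI_LOOKUP_ENTRY in zf.namelist()}

def strip_jndi_lookup(src, dst) -> int:
    """Copy src to dst without the JndiLookup entry; return entries dropped."""
    dropped = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP_ENTRY:
                dropped += 1
                continue
            zout.writestr(item, zin.read(item.filename))  # keep every other entry
    return dropped

def make_sample_jar(version="2.14.1", with_lookup=True) -> io.BytesIO:
    """Constructed in-memory stand-in for a log4j-core JAR (not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_lookup:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    return buf
```

Both scan_jar and strip_jndi_lookup also accept file-system paths, so the same functions run unchanged against a real log4j-core JAR on disk.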