VDB
RHSA-2022%3A0083
RHSA-2022%3A0083
PUBLISHED
CVSS 6.599999904632568 MEDIUM
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Risk Scores
CVSS 3.1
6.599999904632568
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Log4j2 | |
| Red Hat | Vert.x 4.1.8 |
Timeline
- Jan 20, 2022 CVE Published
- May 1, 2026 Distribution Patch
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
- May 29, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2022:0083 advisory
- https://access.redhat.com/security/updates/classification/#moderate advisory
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.eclipse.vertx&version=4.1.8 advisory
- https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.1/html/release_notes_for_eclipse_vert.x_4.1/index advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2032580 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2034067 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2035951 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0083.json advisory
- https://access.redhat.com/security/cve/CVE-2021-44832 advisory
- https://www.cve.org/CVERecord?id=CVE-2021-44832 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2021-44832 advisory
- https://issues.apache.org/jira/browse/LOG4J2-3293 advisory
- https://access.redhat.com/security/cve/CVE-2021-45046 advisory
- https://www.cve.org/CVERecord?id=CVE-2021-45046 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2021-45046 advisory
- https://access.redhat.com/security/cve/CVE-2021-44228 advisory
- https://logging.apache.org/log4j/2.x/security.html advisory
- https://www.openwall.com/lists/oss-security/2021/12/14/4 advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog exploit
- https://access.redhat.com/security/cve/CVE-2021-45105 advisory
…and 4 more