Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HApache Log4j
APPApache2.02.13.0 – 2.15.0 (bez)2.0.1 – 2.3.1 (bez)2.4.0 – 2.12.2 (bez)Cisco Advanced Malware Protection Virtual Private Cloud Appliance
APPCisco< 3.5.4Cisco Automated Subsea Tuning
APPCisco< 2.1.0Cisco Broadworks
APPCisco< 2021.11_1.162Cisco Business Process Automation
APPCisco3.2.000.000 – 3.2.000.009 (bez)3.1.000.000 – 3.1.000.044 (bez)< 3.0.000.115Cisco Cloudcenter
APPCisco< 4.10.0.16Cisco Cloud Connect
APPCisco< 12.6\(1\)Debian
OSDebian10.011.09.0Fedora Project Fedora
OSFedoraproject3435Intel Computer Vision Annotation Tool
APPIntelwszystkie wersjeIntel Datacenter Manager
APPIntel< 5.1Intel Genomics Kernel Library
APPIntelwszystkie wersjeIntel Oneapi Sample Browser
APPIntelwszystkie wersjeIntel Secure Device Onboard
APPIntelwszystkie wersjeIntel System Studio
APPIntelwszystkie wersjeNetapp Active Iq Unified Manager
APPNetappwszystkie wersjeNetapp Brocade San Navigator
APPNetappwszystkie wersjeNetapp Cloud Insights
APPNetappwszystkie wersjeNetapp Cloud Manager
APPNetappwszystkie wersjeNetapp Cloud Secure Agent
APPNetappwszystkie wersjeNetapp Oncommand Insight
APPNetappwszystkie wersjeNetapp Ontap Tools
APPNetappwszystkie wersjeNetapp Snapcenter
APPNetappwszystkie wersjeNetapp Solidfire Enterprise Sds
APPNetappwszystkie wersjeNetapp Solidfire \& Hci Storage Node
APPNetappwszystkie wersjeSiemens 6bk1602 0aa12 0tp0
HWSiemenswszystkie wersjeSiemens 6bk1602 0aa12 0tp0 Firmware
OSSiemens< 2.7.0Siemens 6bk1602 0aa22 0tp0
HWSiemenswszystkie wersjeSiemens 6bk1602 0aa22 0tp0 Firmware
OSSiemens< 2.7.0Siemens 6bk1602 0aa32 0tp0
HWSiemenswszystkie wersje
CISA KEV — detailsi
- Vendori
- Apache ↗
- Producti
- Log4j2
- Added to KEVi
- December 10, 2021
- Remediation deadline (US Federal)i
- December 24, 2021(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
Related vulnerabilities
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki