Source: apache-log4j2
Version: 2.17.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3293
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.17.0-1~deb11u1
Control: found -1 2.17.0-1~deb10u1
Control: found -1 2.12.3-0+deb9u1
Hi,

The following vulnerability was published for apache-log4j2, which is fixed in 2.17.1 and the security releases 2.12.4 and 2.3.2.

CVE-2021-44832[0]:
| Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security
| fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code
| execution (RCE) attack where an attacker with permission to modify the
| logging configuration file can construct a malicious configuration
| using a JDBC Appender with a data source referencing a JNDI URI which
| can execute remote code. This issue is fixed by limiting JNDI data
| source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4,
| and 2.3.2.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-44832
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
[1] https://issues.apache.org/jira/browse/LOG4J2-3293
[2] https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143

Regards,
Salvatore
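The CVE text above says the fix limits JNDI data source names to the java protocol. As an added example, not part of this bug report or of Log4j2 itself, the Python script below scans a Log4j2 XML configuration for JDBC appenders whose DataSource element carries a jndiName outside that protocol, which is the configuration shape a defender would want to audit on a deployment that cannot yet be upgraded. It assumes the Log4j2 element and attribute names JDBC (or Appender type="JDBC"), DataSource and jndiName; the two embedded configurations are constructed samples.

```python
"""Audit Log4j2 XML configurations for JDBC appenders backed by a JNDI
DataSource whose name is not in the java: protocol (CVE-2021-44832).

Example code, not from the bug report or from Log4j2. Element and
attribute names (JDBC, Appender/type, DataSource, jndiName) are the
Log4j2 configuration names assumed here.
"""
import xml.etree.ElementTree as ET


def _is_jdbc_appender(elem):
    """True for <JDBC ...> or the strict form <Appender type="JDBC" ...>."""
    tag = elem.tag.lower()
    if tag == "jdbc":
        return True
    return tag == "appender" and (elem.get("type") or "").lower() == "jdbc"


def find_jndi_datasources(config_xml):
    """Return [(appender_name, jndi_name, allowed)] for every JDBC appender
    that uses a <DataSource jndiName="..."> connection source."""
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter():
        if not _is_jdbc_appender(appender):
            continue
        name = appender.get("name", "<unnamed>")
        for child in appender:
            if child.tag.lower() != "datasource":
                continue
            jndi = child.get("jndiName")
            if jndi is None:
                continue
            # The upstream fix only accepts the java: protocol for JNDI names.
            allowed = jndi.strip().lower().startswith("java:")
            findings.append((name, jndi, allowed))
    return findings


def unsafe_jndi_datasources(config_xml):
    """Only the (appender_name, jndi_name) pairs that the fix would reject."""
    return [(n, j) for n, j, ok in find_jndi_datasources(config_xml) if not ok]


# Constructed sample: a JDBC appender whose DataSource stays in the java: protocol.
SAFE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="dbLog" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="dbLog"/></Root></Loggers>
</Configuration>
"""

# Constructed sample: same appender, but the JNDI name uses another scheme
# and points at a placeholder host; this is what the audit should flag.
UNSAFE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <Appender type="JDBC" name="dbLog" tableName="application_log">
      <DataSource jndiName="ldap://example.invalid/ds"/>
      <Column name="message" pattern="%m"/>
    </Appender>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="dbLog"/></Root></Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("unsafe", UNSAFE_CONFIG)):
        hits = unsafe_jndi_datasources(cfg)
        print(f"{label}: {'no findings' if not hits else hits}")
```

Run it against a real log4j2.xml by passing the file contents to `unsafe_jndi_datasources`; an empty list means every JDBC appender's JNDI name already satisfies the restriction the fixed releases enforce, while a non-empty list names the appenders to review before (or in addition to) upgrading to 2.17.1, 2.12.4 or 2.3.2.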