Showing content from https://nvd.nist.gov/vuln/detail/CVE-2021-44228 below:

NVD - CVE-2021-44228

CVE-2021-44228 Detail

Description

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.


Metrics  

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  10.0 CRITICAL

Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H


ADP:  CISA-ADP

Base Score:  10.0 CRITICAL

Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score:  9.3 HIGH

Vector:  (AV:N/AC:M/Au:N/C:C/I:C/A:C)

References to Advisories, Solutions, and Tools


Hyperlink | Resource
http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html | Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html | Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html | Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html | Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html | Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html | Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html | Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html | Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html | Broken Link, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html | Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html | Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html | Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html | Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html | Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html | Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html | Third Party Advisory, VDB Entry
http://seclists.org/fulldisclosure/2022/Dec/2 | Exploit, Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2022/Jul/11 | Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2022/Mar/23 | Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/10/1 | Mailing List, Mitigation, Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/10/2 | Mailing List, Mitigation, Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/10/3 | Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/13/1 | Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/13/2 | Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/14/4 | Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/15/3 | Mailing List, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf | Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf | Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf | Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf | Third Party Advisory
https://github.com/cisagov/log4j-affected-db | Third Party Advisory
https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md | Broken Link, Product, US Government Resource
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228 | Exploit, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html | Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/ | Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/ | Release Notes
https://logging.apache.org/log4j/2.x/security.html | Release Notes, Vendor Advisory
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ | Patch, Third Party Advisory, Vendor Advisory
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 | Third Party Advisory
https://security.netapp.com/advisory/ntap-20211210-0007/ | Third Party Advisory
https://support.apple.com/kb/HT213189 | Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd | Third Party Advisory
https://twitter.com/kurtseifried/status/1469345530182455296 | Broken Link, Exploit, Third Party Advisory
https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001 | Third Party Advisory
https://www.debian.org/security/2021/dsa-5020 | Mailing List, Third Party Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html | Third Party Advisory
https://www.kb.cert.org/vuls/id/930724 | Third Party Advisory, US Government Resource
https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html | Exploit, Third Party Advisory
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html | Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html | Patch, Third Party Advisory

This CVE is in CISA's Known Exploited Vulnerabilities Catalog

Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.

Vulnerability Name | Date Added | Due Date | Required Action
Apache Log4j2 Remote Code Execution Vulnerability | 12/10/2021 | 12/24/2021 | For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.

Weakness Enumeration

CWE-ID | CWE Name | Source
CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression La | NIST
CWE-20 | Improper Input Validation | Apache Software Foundation
CWE-502 | Deserialization of Untrusted Data | Apache Software Foundation
CWE-400 | Uncontrolled Resource Consumption | Apache Software Foundation

Change History

55 change records found

Modified Analysis by NIST 4/03/2025 4:53:22 PM
Action | Type | Old Value | New Value
Changed CPE Configuration
OR
          *cpe:2.3:a:bentley:synchro_4d:*:*:*:*:pro:*:*:* versions up to (excluding) 6.2.4.2
          *cpe:2.3:a:bentley:synchro:*:*:*:*:pro:*:*:* versions from (including) 6.1 up to (excluding) 6.4.3.2
OR
          *cpe:2.3:a:bentley:synchro:*:*:*:*:pro:*:*:* versions from (including) 6.1 up to (excluding) 6.2.4.2
          *cpe:2.3:a:bentley:synchro_4d:*:*:*:*:pro:*:*:* versions up to (excluding) 6.4.3.2
Changed CPE Configuration
Record truncated, showing 500 of 639 characters.
OR
          *cpe:2.3:a:intel:audio_development_kit:-:*:*:*:*:*:*:*
          *cpe:2.3:a:intel:system_debugger:-:*:*:*:*:*:*:*
          *cpe:2.3:a:intel:secure_device_onboard:-:*:*:*:*:*:*:*
          *cpe:2.3:a:intel:oneapi_sample_browser:-:*:*:*:*:eclipse:*:*
          *cpe:2.3:a:intel:sensor_solution_firmware_development_kit:-:*:*:*:*:*:*:*
          *cpe:2.3:a:intel:computer_vision_annotation_tool:-:*:*:*:*:*:*:*
          *cpe:2.3:a:intel:genomics_kernel_library:-:*:*:*:*:*:*:*
          *
OR
          *cpe:2.3:a:intel:secure_device_onboard:-:*:*:*:*:*:*:*
          *cpe:2.3:a:intel:oneapi_sample_browser:-:*:*:*:*:eclipse:*:*
          *cpe:2.3:a:intel:computer_vision_annotation_tool:-:*:*:*:*:*:*:*
          *cpe:2.3:a:intel:genomics_kernel_library:-:*:*:*:*:*:*:*
          *cpe:2.3:a:intel:system_studio:-:*:*:*:*:*:*:*
          *cpe:2.3:a:intel:datacenter_manager:*:*:*:*:*:*:*:* versions up to (excluding) 5.1
Changed CPE Configuration
Record truncated, showing 500 of 614 characters.
OR
          *cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
          *cpe:2.3:a:netapp:cloud_insights:-:*:*:*:*:*:*:*
          *cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
          *cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
          *cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
          *cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:*
          *cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*
          *cpe:2.3:a:n
Record truncated, showing 500 of 826 characters.
OR
          *cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
          *cpe:2.3:a:netapp:cloud_insights:-:*:*:*:*:*:*:*
          *cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
          *cpe:2.3:a:netapp:solidfire_&_hci_storage_node:-:*:*:*:*:*:*:*
          *cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
          *cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
          *cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:*
        
Changed CPE Configuration
Record truncated, showing 500 of 4526 characters.
OR
          *cpe:2.3:a:siemens:logo!_soft_comfort:*:*:*:*:*:*:*:*
          *cpe:2.3:a:siemens:spectrum_power_4:4.70:sp7:*:*:*:*:*:*
          *cpe:2.3:a:siemens:spectrum_power_4:4.70:-:*:*:*:*:*:*
          *cpe:2.3:a:siemens:spectrum_power_4:*:*:*:*:*:*:*:* versions up to (excluding) 4.70
          *cpe:2.3:a:siemens:siveillance_control_pro:*:*:*:*:*:*:*:*
          *cpe:2.3:a:siemens:energyip_prepay:3.7:*:*:*:*:*:*:*
          *cpe:2.3:a:siemens:energyip_prepay:3.8:*:*:*:*:*:*:*
          *c
Record truncated, showing 500 of 4672 characters.
OR
          *cpe:2.3:a:siemens:logo!_soft_comfort:*:*:*:*:*:*:*:*
          *cpe:2.3:a:siemens:spectrum_power_4:4.70:sp7:*:*:*:*:*:*
          *cpe:2.3:a:siemens:spectrum_power_4:4.70:-:*:*:*:*:*:*
          *cpe:2.3:a:siemens:spectrum_power_4:*:*:*:*:*:*:*:* versions up to (excluding) 4.70
          *cpe:2.3:a:siemens:siveillance_control_pro:*:*:*:*:*:*:*:*
          *cpe:2.3:a:siemens:spectrum_power_4:4.70:sp8:*:*:*:*:*:*
          *cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:*
   
Changed CPE Configuration
OR
          *cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.12
OR
          *cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.13
Added CPE Configuration
AND
     OR
          *cpe:2.3:o:siemens:6bk1602-0aa12-0tp0_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2.7.0
     OR
          cpe:2.3:h:siemens:6bk1602-0aa12-0tp0:-:*:*:*:*:*:*:*
Added CPE Configuration
AND
     OR
          *cpe:2.3:o:siemens:6bk1602-0aa22-0tp0_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2.7.0
     OR
          cpe:2.3:h:siemens:6bk1602-0aa22-0tp0:-:*:*:*:*:*:*:*
Added CPE Configuration
AND
     OR
          *cpe:2.3:o:siemens:6bk1602-0aa32-0tp0_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2.7.0
     OR
          cpe:2.3:h:siemens:6bk1602-0aa32-0tp0:-:*:*:*:*:*:*:*
Added CPE Configuration
AND
     OR
          *cpe:2.3:o:siemens:6bk1602-0aa42-0tp0_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2.7.0
     OR
          cpe:2.3:h:siemens:6bk1602-0aa42-0tp0:-:*:*:*:*:*:*:*
Added CPE Configuration
AND
     OR
          *cpe:2.3:o:siemens:6bk1602-0aa52-0tp0_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2.7.0
     OR
          cpe:2.3:h:siemens:6bk1602-0aa52-0tp0:-:*:*:*:*:*:*:*
Changed Reference Type
Apache Software Foundation: http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html Types: Third Party Advisory, VDB Entry
Apache Software Foundation: http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html Types: Broken Link, Third Party Advisory, VDB Entry
Changed Reference Type
CVE: http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html Types: Third Party Advisory, VDB Entry
CVE: http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html Types: Broken Link, Third Party Advisory, VDB Entry
CVE Modified by CISA-ADP 2/04/2025 10:15:13 AM
Action | Type | Old Value | New Value
Added CVSS V3.1
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE Modified by CVE 11/21/2024 1:30:38 AM
Action | Type | Old Value | New Value
Added Reference
http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html
Added Reference
http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html
Added Reference
http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html
Added Reference
http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html
Added Reference
http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html
Added Reference
http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html
Added Reference
http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html
Added Reference
http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html
Added Reference
http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html
Added Reference
http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html
Added Reference
http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html
Added Reference
http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html
Added Reference
http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html
Added Reference
http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html
Added Reference
http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html
Added Reference
http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html
Added Reference
http://seclists.org/fulldisclosure/2022/Dec/2
Added Reference
http://seclists.org/fulldisclosure/2022/Jul/11
Added Reference
http://seclists.org/fulldisclosure/2022/Mar/23
Added Reference
http://www.openwall.com/lists/oss-security/2021/12/10/1
Added Reference
http://www.openwall.com/lists/oss-security/2021/12/10/2
Added Reference
http://www.openwall.com/lists/oss-security/2021/12/10/3
Added Reference
http://www.openwall.com/lists/oss-security/2021/12/13/1
Added Reference
http://www.openwall.com/lists/oss-security/2021/12/13/2
Added Reference
http://www.openwall.com/lists/oss-security/2021/12/14/4
Added Reference
http://www.openwall.com/lists/oss-security/2021/12/15/3
Added Reference
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
Added Reference
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
Added Reference
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
Added Reference
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
Added Reference
https://github.com/cisagov/log4j-affected-db
Added Reference
https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md
Added Reference
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228
Added Reference
https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html
Added Reference
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/
Added Reference
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/
Added Reference
https://logging.apache.org/log4j/2.x/security.html
Added Reference
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
Added Reference
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
Added Reference
https://security.netapp.com/advisory/ntap-20211210-0007/
Added Reference
https://support.apple.com/kb/HT213189
Added Reference
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
Added Reference
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
Added Reference
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
Added Reference
https://twitter.com/kurtseifried/status/1469345530182455296
Added Reference
https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001
Added Reference
https://www.debian.org/security/2021/dsa-5020
Added Reference
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
Added Reference
https://www.kb.cert.org/vuls/id/930724
Added Reference
https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html
Added Reference
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
Added Reference
https://www.oracle.com/security-alerts/cpuapr2022.html
Added Reference
https://www.oracle.com/security-alerts/cpujan2022.html
Modified Analysis by NIST 7/24/2024 1:08:24 PM
Action | Type | Old Value | New Value
Changed CPE Configuration
AND
     OR
          cpe:2.3:h:siemens:sppa-t3000_ses3000:-:*:*:*:*:*:*:*
     OR
          *cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*
AND
     OR
          *cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*
     OR
          cpe:2.3:h:siemens:sppa-t3000_ses3000:-:*:*:*:*:*:*:*
Added CPE Configuration
OR
     *cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:* versions up to (excluding) 13.3
Changed Reference Type
http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html Exploit, Third Party Advisory, VDB Entry
Changed Reference Type
http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html Exploit, Third Party Advisory, VDB Entry
Changed Reference Type
http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html Exploit, Third Party Advisory, VDB Entry
Changed Reference Type
http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html Exploit, Third Party Advisory, VDB Entry
Changed Reference Type
http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html No Types Assigned
http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html Third Party Advisory, VDB Entry
Changed Reference Type
https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md Product, US Government Resource
https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md Broken Link, Product, US Government Resource
Changed Reference Type
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/ No Types Assigned
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/ Release Notes
Changed Reference Type
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/ No Types Assigned
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/ Release Notes
Changed Reference Type
https://security.netapp.com/advisory/ntap-20211210-0007/ Vendor Advisory
https://security.netapp.com/advisory/ntap-20211210-0007/ Third Party Advisory
Changed Reference Type
https://twitter.com/kurtseifried/status/1469345530182455296 Exploit, Third Party Advisory
https://twitter.com/kurtseifried/status/1469345530182455296 Broken Link, Exploit, Third Party Advisory
Changed Reference Type
https://www.debian.org/security/2021/dsa-5020 Third Party Advisory
https://www.debian.org/security/2021/dsa-5020 Mailing List, Third Party Advisory
CVE Modified by Apache Software Foundation 5/14/2024 5:36:54 AM
Action | Type | Old Value | New Value
CVE Modified by Apache Software Foundation 11/06/2023 10:39:36 PM
Action | Type | Old Value | New Value
Added Reference
Apache Software Foundation https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/ [No types assigned]
Added Reference
Apache Software Foundation https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/ [No types assigned]
Removed Reference
Apache Software Foundation https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/
Removed Reference
Apache Software Foundation https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/
CVE Modified by Apache Software Foundation 4/03/2023 4:15:07 PM
Action | Type | Old Value | New Value
Added Reference
http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html [No Types Assigned]
Modified Analysis by NIST 2/06/2023 1:53:16 PM
Action | Type | Old Value | New Value
Changed CPE Configuration
Record truncated, showing 500 of 563 characters.
OR
     *cpe:2.3:a:intel:audio_development_kit:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:computer_vision_annotation_tool:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:data_center_manager:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:genomics_kernel_library:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:oneapi_sample_browser:-:*:*:*:*:eclipse:*:*
     *cpe:2.3:a:intel:secure_device_onboard:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:sensor_solution_firmware_development_kit:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:system_debugger:-:*:
Record truncated, showing 500 of 594 characters.
OR
     *cpe:2.3:a:intel:audio_development_kit:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:computer_vision_annotation_tool:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:data_center_manager:*:*:*:*:*:*:*:* versions up to (excluding) 5.1
     *cpe:2.3:a:intel:genomics_kernel_library:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:oneapi_sample_browser:-:*:*:*:*:eclipse:*:*
     *cpe:2.3:a:intel:secure_device_onboard:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:sensor_solution_firmware_development_kit:-:*:*:*:*:*:*:*
     *cpe:2
Changed Reference Type
http://seclists.org/fulldisclosure/2022/Dec/2 No Types Assigned
http://seclists.org/fulldisclosure/2022/Dec/2 Exploit, Mailing List, Third Party Advisory
CVE Modified by Apache Software Foundation 12/09/2022 12:15:12 AM Action Type Old Value New Value Added Reference
http://seclists.org/fulldisclosure/2022/Dec/2 [No Types Assigned]
Reanalysis by NIST 8/17/2022 1:46:12 PM Action Type Old Value New Value Added CPE Configuration
OR
     *cpe:2.3:a:percussion:rhythmyx:*:*:*:*:*:*:*:* versions up to (including) 7.3.2
Modified Analysis by NIST 8/09/2022 9:17:54 AM Action Type Old Value New Value Added CWE
NIST CWE-917
Removed CWE
NIST CWE-502
Changed Reference Type
http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html No Types Assigned
http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html Third Party Advisory, VDB Entry
Changed Reference Type
http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html No Types Assigned
http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html Exploit, Third Party Advisory, VDB Entry
Changed Reference Type
http://seclists.org/fulldisclosure/2022/Jul/11 No Types Assigned
http://seclists.org/fulldisclosure/2022/Jul/11 Mailing List, Third Party Advisory
CVE Modified by Apache Software Foundation 8/03/2022 2:15:11 PM Action Type Old Value New Value Added Reference
http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html [No Types Assigned]
CVE Modified by Apache Software Foundation 7/22/2022 2:15:08 PM Action Type Old Value New Value Added Reference
http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html [No Types Assigned]
CVE Modified by Apache Software Foundation 7/22/2022 2:15:09 AM Action Type Old Value New Value Added Reference
http://seclists.org/fulldisclosure/2022/Jul/11 [No Types Assigned]
Modified Analysis by NIST 6/30/2022 2:26:17 PM Action Type Old Value New Value Changed Reference Type
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228 No Types Assigned
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228 Exploit, Third Party Advisory
Changed Reference Type
https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html No Types Assigned
https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html Exploit, Third Party Advisory
Changed Reference Type
https://www.oracle.com/security-alerts/cpuapr2022.html No Types Assigned
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory
CVE Modified by Apache Software Foundation 5/05/2022 7:15:08 PM Action Type Old Value New Value Added Reference
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228 [No Types Assigned]
Added Reference
https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html [No Types Assigned]
CVE Modified by Apache Software Foundation 4/19/2022 8:16:30 PM Action Type Old Value New Value Added Reference
https://www.oracle.com/security-alerts/cpuapr2022.html [No Types Assigned]
Reanalysis by NIST 4/18/2022 9:45:53 AM Action Type Old Value New Value Changed CPE Configuration Record truncated, showing 500 of 504 characters.
OR
     *cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.0.1 up to (excluding) 2.3.1
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.4.0 up to (excluding) 2.12.2
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.13.0 up to (excluding) 2.
Record truncated, showing 500 of 504 characters.
OR
     *cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.0.1 up to (excluding) 2.3.1
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.4.0 up to (excluding) 2.12.2
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.13.0 up to (excluding) 2.
Changed Reference Type
http://seclists.org/fulldisclosure/2022/Mar/23 Third Party Advisory
http://seclists.org/fulldisclosure/2022/Mar/23 Mailing List, Third Party Advisory
Modified Analysis by NIST 4/12/2022 2:14:48 PM Action Type Old Value New Value Changed CPE Configuration Record truncated, showing 500 of 504 characters.
OR
     *cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.0.1 up to (excluding) 2.3.1
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.4.0 up to (excluding) 2.12.2
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.13.0 up to (excluding) 2.
Record truncated, showing 500 of 504 characters.
OR
     *cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.0.1 up to (excluding) 2.3.1
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.4.0 up to (excluding) 2.12.2
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.13.0 up to (excluding) 2.
Added CPE Configuration
OR
     *cpe:2.3:a:bentley:synchro:*:*:*:*:pro:*:*:* versions from (including) 6.1 up to (excluding) 6.4.3.2
     *cpe:2.3:a:bentley:synchro_4d:*:*:*:*:pro:*:*:* versions up to (excluding) 6.2.4.2
Changed Reference Type
http://seclists.org/fulldisclosure/2022/Mar/23 No Types Assigned
http://seclists.org/fulldisclosure/2022/Mar/23 Third Party Advisory
Changed Reference Type
https://github.com/cisagov/log4j-affected-db No Types Assigned
https://github.com/cisagov/log4j-affected-db Third Party Advisory
Changed Reference Type
https://support.apple.com/kb/HT213189 No Types Assigned
https://support.apple.com/kb/HT213189 Third Party Advisory
Changed Reference Type
https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001 No Types Assigned
https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001 Third Party Advisory
CVE Modified by Apache Software Foundation 3/15/2022 2:15:15 AM Action Type Old Value New Value Added Reference
http://seclists.org/fulldisclosure/2022/Mar/23 [No Types Assigned]
CVE Modified by Apache Software Foundation 3/14/2022 4:15:08 PM Action Type Old Value New Value Added Reference
https://support.apple.com/kb/HT213189 [No Types Assigned]
CVE Modified by Apache Software Foundation 3/01/2022 6:15:08 PM Action Type Old Value New Value Added Reference
https://github.com/cisagov/log4j-affected-db [No Types Assigned]
Added Reference
https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001 [No Types Assigned]
Modified Analysis by NIST 2/18/2022 11:23:10 PM Action Type Old Value New Value Changed Reference Type
https://www.oracle.com/security-alerts/cpujan2022.html No Types Assigned
https://www.oracle.com/security-alerts/cpujan2022.html Patch, Third Party Advisory
CVE Modified by Apache Software Foundation 2/07/2022 11:16:32 AM Action Type Old Value New Value Added Reference
https://www.oracle.com/security-alerts/cpujan2022.html [No Types Assigned]
Modified Analysis by NIST 2/01/2022 3:31:54 PM Action Type Old Value New Value Changed CPE Configuration
OR
     *cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.0.1 up to (excluding) 2.12.2
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.13.0 up to (excluding) 2.15.0
Record truncated, showing 500 of 504 characters.
OR
     *cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.0.1 up to (excluding) 2.3.1
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.4.0 up to (excluding) 2.12.2
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.13.0 up to (excluding) 2.
Changed CPE Configuration
OR
     *cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
OR
     *cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
     *cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Changed Reference Type
http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html No Types Assigned
http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html Third Party Advisory, VDB Entry
Changed Reference Type
http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html No Types Assigned
http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html Third Party Advisory, VDB Entry
Changed Reference Type
http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html No Types Assigned
http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html Third Party Advisory, VDB Entry
Changed Reference Type
http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html No Types Assigned
http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html Third Party Advisory, VDB Entry
Changed Reference Type
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf No Types Assigned
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf Third Party Advisory
Changed Reference Type
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf No Types Assigned
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf Third Party Advisory
Changed Reference Type
https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md No Types Assigned
https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md Product, US Government Resource
Changed Reference Type
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/ No Types Assigned
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/ Third Party Advisory
Changed Reference Type
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ Patch, Third Party Advisory
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ Patch, Third Party Advisory, Vendor Advisory
CVE Modified by Apache Software Foundation 1/24/2022 12:15:09 PM Action Type Old Value New Value Added Reference
http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html [No Types Assigned]
CVE Modified by Apache Software Foundation 1/20/2022 4:15:11 PM Action Type Old Value New Value Added Reference
http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html [No Types Assigned]
CVE Modified by Apache Software Foundation 1/18/2022 11:15:08 PM Action Type Old Value New Value Added Reference
https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md [No Types Assigned]
CVE Modified by Apache Software Foundation 1/12/2022 1:15:07 PM Action Type Old Value New Value Changed Description Record truncated, showing 500 of 644 characters.
Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely 
Record truncated, showing 500 of 713 characters.
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along wit
Added Reference
http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html [No Types Assigned]
Added Reference
http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html [No Types Assigned]
Added Reference
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf [No Types Assigned]
Added Reference
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf [No Types Assigned]
Added Reference
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/ [No Types Assigned]
Reanalysis by NIST 12/28/2021 2:32:40 PM Action Type Old Value New Value Added CPE Configuration
OR
     *cpe:2.3:a:snowsoftware:snow_commander:*:*:*:*:*:*:*:* versions up to (excluding) 8.10.0
     *cpe:2.3:a:snowsoftware:vm_access_proxy:*:*:*:*:*:*:*:* versions up to (excluding) 3.6
Changed Reference Type
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ Third Party Advisory
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ Patch, Third Party Advisory
Reanalysis by NIST 12/20/2021 1:13:50 PM Action Type Old Value New Value Added CPE Configuration Record truncated, showing 500 of 11978 characters.
OR
     *cpe:2.3:a:cisco:automated_subsea_tuning:02.01.00:*:*:*:*:*:*:*
     *cpe:2.3:a:cisco:broadworks:-:*:*:*:*:*:*:*
     *cpe:2.3:a:cisco:cloudcenter_suite:4.10\(0.15\):*:*:*:*:*:*:*
     *cpe:2.3:a:cisco:cloudcenter_suite:5.3\(0\):*:*:*:*:*:*:*
     *cpe:2.3:a:cisco:cloudcenter_suite:5.4\(1\):*:*:*:*:*:*:*
     *cpe:2.3:a:cisco:cloudcenter_suite:5.5\(0\):*:*:*:*:*:*:*
     *cpe:2.3:a:cisco:cloudcenter_suite:5.5\(1\):*:*:*:*:*:*:*
     *cpe:2.3:a:cisco:common_services_platform_collector:002
Changed Reference Type
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ Mitigation, Third Party Advisory
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ Third Party Advisory
Modified Analysis by NIST 12/16/2021 2:56:45 PM Action Type Old Value New Value Changed CPE Configuration
OR
     *cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.0.1 up to (excluding) 2.15.0
OR
     *cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.0.1 up to (excluding) 2.12.2
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.13.0 up to (excluding) 2.15.0
Added CPE Configuration Record truncated, showing 500 of 1404 characters.
AND
     OR
          *cpe:2.3:o:cisco:fxos:6.2.3:*:*:*:*:*:*:*
          *cpe:2.3:o:cisco:fxos:6.3.0:*:*:*:*:*:*:*
          *cpe:2.3:o:cisco:fxos:6.4.0:*:*:*:*:*:*:*
          *cpe:2.3:o:cisco:fxos:6.5.0:*:*:*:*:*:*:*
          *cpe:2.3:o:cisco:fxos:6.6.0:*:*:*:*:*:*:*
          *cpe:2.3:o:cisco:fxos:6.7.0:*:*:*:*:*:*:*
          *cpe:2.3:o:cisco:fxos:7.0.0:*:*:*:*:*:*:*
          *cpe:2.3:o:cisco:fxos:7.1.0:*:*:*:*:*:*:*
     OR
          cpe:2.3:h:cisco:firepower_1010:-:*:*:*:*:*:*:*
       
Added CPE Configuration
AND
     OR
          *cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*
     OR
          cpe:2.3:h:siemens:sppa-t3000_ses3000:-:*:*:*:*:*:*:*
Added CPE Configuration Record truncated, showing 500 of 9929 characters.
OR
     *cpe:2.3:a:cisco:advanced_malware_protection_virtual_private_cloud_appliance:*:*:*:*:*:*:*:* versions up to (excluding) 3.5.4
     *cpe:2.3:a:cisco:automated_subsea_tuning:*:*:*:*:*:*:*:* versions up to (excluding) 2.1.0
     *cpe:2.3:a:cisco:broadworks:*:*:*:*:*:*:*:* versions up to (excluding) 2021.11_1.162
     *cpe:2.3:a:cisco:business_process_automation:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.000.115
     *cpe:2.3:a:cisco:business_process_automation:*:*:*:*:*:*:*:* versions f
Added CPE Configuration Record truncated, showing 500 of 563 characters.
OR
     *cpe:2.3:a:intel:audio_development_kit:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:computer_vision_annotation_tool:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:data_center_manager:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:genomics_kernel_library:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:oneapi_sample_browser:-:*:*:*:*:eclipse:*:*
     *cpe:2.3:a:intel:secure_device_onboard:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:sensor_solution_firmware_development_kit:-:*:*:*:*:*:*:*
     *cpe:2.3:a:intel:system_debugger:-:*:
Added CPE Configuration Record truncated, showing 500 of 569 characters.
OR
     *cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
     *cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
     *cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
     *cpe:2.3:a:netapp:cloud_insights:-:*:*:*:*:*:*:*
     *cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:*
     *cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*
     *cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
     *cpe:2.3:a:netapp:ontap_tools:-:*:*:*:*:vmware_vsphe
Added CPE Configuration Record truncated, showing 500 of 4212 characters.
OR
     *cpe:2.3:a:siemens:captial:*:*:*:*:*:*:*:* versions up to (excluding) 2019.1
     *cpe:2.3:a:siemens:captial:2019.1:-:*:*:*:*:*:*
     *cpe:2.3:a:siemens:captial:2019.1:sp1912:*:*:*:*:*:*
     *cpe:2.3:a:siemens:comos:*:*:*:*:*:*:*:*
     *cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.0:*:*:*:*:*:*:*
     *cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.1:*:*:*:*:*:*:*
     *cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.2:*:*:*:*:*:*:*
     *cpe:2.3:a:siemens:desigo_cc_advanced_reports:
Added CPE Configuration
OR
     *cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.12
Added CPE Configuration
OR
     *cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
     *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
     *cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Added CPE Configuration
OR
     *cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Changed Reference Type
http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html No Types Assigned
http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html Third Party Advisory, VDB Entry
Changed Reference Type
http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html No Types Assigned
http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html Exploit, Third Party Advisory, VDB Entry
Changed Reference Type
http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html No Types Assigned
http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html Exploit, Third Party Advisory, VDB Entry
Changed Reference Type
http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html No Types Assigned
http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html Third Party Advisory, VDB Entry
Changed Reference Type
http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html No Types Assigned
http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html Third Party Advisory, VDB Entry
Changed Reference Type
http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html No Types Assigned
http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html Third Party Advisory, VDB Entry
Changed Reference Type
http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html No Types Assigned
http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html Third Party Advisory, VDB Entry
Changed Reference Type
http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html No Types Assigned
http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html Third Party Advisory, VDB Entry
Changed Reference Type
http://www.openwall.com/lists/oss-security/2021/12/13/1 No Types Assigned
http://www.openwall.com/lists/oss-security/2021/12/13/1 Mailing List, Third Party Advisory
Changed Reference Type
http://www.openwall.com/lists/oss-security/2021/12/13/2 No Types Assigned
http://www.openwall.com/lists/oss-security/2021/12/13/2 Mailing List, Third Party Advisory
Changed Reference Type
http://www.openwall.com/lists/oss-security/2021/12/14/4 No Types Assigned
http://www.openwall.com/lists/oss-security/2021/12/14/4 Mailing List, Third Party Advisory
Changed Reference Type
http://www.openwall.com/lists/oss-security/2021/12/15/3 No Types Assigned
http://www.openwall.com/lists/oss-security/2021/12/15/3 Mailing List, Third Party Advisory
Changed Reference Type
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf No Types Assigned
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf Third Party Advisory
Changed Reference Type
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf No Types Assigned
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf Third Party Advisory
Changed Reference Type
https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html No Types Assigned
https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html Mailing List, Third Party Advisory
Changed Reference Type
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/ No Types Assigned
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/ Third Party Advisory
Changed Reference Type
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ No Types Assigned
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ Mitigation, Third Party Advisory
Changed Reference Type
https://twitter.com/kurtseifried/status/1469345530182455296 No Types Assigned
https://twitter.com/kurtseifried/status/1469345530182455296 Exploit, Third Party Advisory
Changed Reference Type
https://www.debian.org/security/2021/dsa-5020 No Types Assigned
https://www.debian.org/security/2021/dsa-5020 Third Party Advisory
Changed Reference Type
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html No Types Assigned
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html Third Party Advisory
Changed Reference Type
https://www.kb.cert.org/vuls/id/930724 No Types Assigned
https://www.kb.cert.org/vuls/id/930724 Third Party Advisory, US Government Resource
CVE Modified by Apache Software Foundation 12/16/2021 12:15:08 PM Action Type Old Value New Value Added Reference
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ [No Types Assigned]
CVE Modified by Apache Software Foundation 12/16/2021 9:15:08 AM Action Type Old Value New Value Added Reference
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf [No Types Assigned]
CVE Modified by Apache Software Foundation 12/15/2021 5:15:07 PM Action Type Old Value New Value Added Reference
http://www.openwall.com/lists/oss-security/2021/12/15/3 [No Types Assigned]
CVE Modified by Apache Software Foundation 12/15/2021 1:15:07 PM Action Type Old Value New Value Added Reference
http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html [No Types Assigned]
Added Reference
http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html [No Types Assigned]
Added Reference
http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html [No Types Assigned]
CVE Modified by Apache Software Foundation 12/15/2021 12:15:07 PM Action Type Old Value New Value Changed Description Record truncated, showing 500 of 645 characters.
Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely 
Record truncated, showing 500 of 644 characters.
Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely 
Added Reference
http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html [No Types Assigned]
Added Reference
http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html [No Types Assigned]
Removed Reference
http://www.openwall.com/lists/oss-security/2021/12/15/1 [No Types Assigned]
CVE Modified by Apache Software Foundation 12/15/2021 11:15:07 AM Action Type Old Value New Value Changed Description Record truncated, showing 500 of 716 characters.
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatM
Record truncated, showing 500 of 645 characters.
Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely 
Added Reference
http://www.openwall.com/lists/oss-security/2021/12/15/1 [No Types Assigned]
CVE Modified by Apache Software Foundation 12/14/2021 11:15:06 PM Action Type Old Value New Value Added Reference
https://www.kb.cert.org/vuls/id/930724 [No Types Assigned]
CVE Modified by Apache Software Foundation 12/14/2021 10:15:06 PM Action Type Old Value New Value Added Reference
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html [No Types Assigned]
CVE Modified by Apache Software Foundation 12/14/2021 2:15:07 PM Action Type Old Value New Value Added Reference
http://www.openwall.com/lists/oss-security/2021/12/14/4 [No Types Assigned]
CVE Modified by Apache Software Foundation 12/14/2021 1:15:08 PM Action Type Old Value New Value Added Reference
http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html [No Types Assigned]
Added Reference
http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html [No Types Assigned]
Added Reference
http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html [No Types Assigned]
CVE Modified by Apache Software Foundation 12/13/2021 8:15:08 PM Action Type Old Value New Value Added Reference
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf [No Types Assigned]
CVE Modified by Apache Software Foundation 12/13/2021 7:15:07 PM Action Type Old Value New Value Changed Description Record truncated, showing 500 of 916 characters.
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatM
Record truncated, showing 500 of 716 characters.
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatM
Added Reference
https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html [No Types Assigned]
Added Reference
https://twitter.com/kurtseifried/status/1469345530182455296 [No Types Assigned]
Added Reference
https://www.debian.org/security/2021/dsa-5020 [No Types Assigned]
CVE Modified by Apache Software Foundation 12/13/2021 5:15:07 PM
Action | Type | Old Value | New Value
Added Reference
http://www.openwall.com/lists/oss-security/2021/12/13/1 [No Types Assigned]
Added Reference
http://www.openwall.com/lists/oss-security/2021/12/13/2 [No Types Assigned]
CVE Modified by Apache Software Foundation 12/13/2021 3:15:07 PM
Action | Type | Old Value | New Value
Added Reference
https://lists.fedoraproject.org/archives/list/[email protected]/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/ [No Types Assigned]
Initial Analysis by NIST 12/13/2021 10:00:11 AM
Action | Type | Old Value | New Value
Added CVSS V3.1
NIST AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Added CVSS V2
NIST (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Added CWE
NIST CWE-502
Added CPE Configuration
OR
     *cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
     *cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions from (including) 2.0.1 up to (excluding) 2.15.0
Changed Reference Type
http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html No Types Assigned
http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html Third Party Advisory, VDB Entry
Changed Reference Type
http://www.openwall.com/lists/oss-security/2021/12/10/1 No Types Assigned
http://www.openwall.com/lists/oss-security/2021/12/10/1 Mailing List, Mitigation, Third Party Advisory
Changed Reference Type
http://www.openwall.com/lists/oss-security/2021/12/10/2 No Types Assigned
http://www.openwall.com/lists/oss-security/2021/12/10/2 Mailing List, Mitigation, Third Party Advisory
Changed Reference Type
http://www.openwall.com/lists/oss-security/2021/12/10/3 No Types Assigned
http://www.openwall.com/lists/oss-security/2021/12/10/3 Mailing List, Third Party Advisory
Changed Reference Type
https://logging.apache.org/log4j/2.x/security.html No Types Assigned
https://logging.apache.org/log4j/2.x/security.html Release Notes, Vendor Advisory
Changed Reference Type
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 No Types Assigned
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 Third Party Advisory
Changed Reference Type
https://security.netapp.com/advisory/ntap-20211210-0007/ No Types Assigned
https://security.netapp.com/advisory/ntap-20211210-0007/ Vendor Advisory
Changed Reference Type
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd No Types Assigned
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd Third Party Advisory
Changed Reference Type
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html No Types Assigned
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html Third Party Advisory
CVE Modified by Apache Software Foundation 12/13/2021 7:15:07 AM
Action | Type | Old Value | New Value
Changed Description
Record truncated, showing 500 of 716 characters.
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatM
Record truncated, showing 500 of 916 characters.
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatM
CVE Modified by Apache Software Foundation 12/13/2021 6:15:10 AM
Action | Type | Old Value | New Value
Added Reference
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html [No Types Assigned]
CVE Modified by Apache Software Foundation 12/12/2021 12:15:07 PM
Action | Type | Old Value | New Value
Changed Description
Record truncated, showing 500 of 916 characters.
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatM
Record truncated, showing 500 of 716 characters.
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatM
Removed Reference
https://www.debian.org/security/2021/dsa-5020 [No Types Assigned]
CVE Modified by Apache Software Foundation 12/12/2021 6:15:08 AM
Action | Type | Old Value | New Value
Added Reference
https://www.debian.org/security/2021/dsa-5020 [No Types Assigned]
CVE Modified by Apache Software Foundation 12/11/2021 12:15:12 AM
Action | Type | Old Value | New Value
Added Reference
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 [No Types Assigned]
CVE Modified by Apache Software Foundation 12/10/2021 5:15:08 PM
Action | Type | Old Value | New Value
Added Reference
http://www.openwall.com/lists/oss-security/2021/12/10/3 [No Types Assigned]
Added Reference
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd [No Types Assigned]
CVE Modified by Apache Software Foundation 12/10/2021 1:15:08 PM
Action | Type | Old Value | New Value
Added Reference
http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html [No Types Assigned]
Added Reference
https://security.netapp.com/advisory/ntap-20211210-0007/ [No Types Assigned]
CVE Modified by Apache Software Foundation 12/10/2021 8:15:07 AM
Action | Type | Old Value | New Value
Added Reference
http://www.openwall.com/lists/oss-security/2021/12/10/1 [No Types Assigned]
Added Reference
http://www.openwall.com/lists/oss-security/2021/12/10/2 [No Types Assigned]
Quick Info
CVE Dictionary Entry: CVE-2021-44228
NVD Published Date: 12/10/2021
NVD Last Modified: 04/03/2025
Source: Apache Software Foundation
