Showing
1 changed file
with
86 additions
and
7 deletions.
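--- a/CVE-2021-44228.json
+++ b/CVE-2021-44228.json
@@ -1,18 +1,97 @@
 {
-"data_type": "CVE",
-"data_format": "MITRE",
-"data_version": "4.0",
 "CVE_data_meta": {
+"ASSIGNER": "security@apache.org",
 "ID": "CVE-2021-44228",
-"ASSIGNER": "cve@mitre.org",
-"STATE": "RESERVED"
+"STATE": "PUBLIC",
+"TITLE": "Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints"
 },
+"affects": {
+"vendor": {
+"vendor_data": [
+{
+"product": {
+"product_data": [
+{
+"product_name": "Apache Log4j",
+"version": {
+"version_data": [
+{
+"version_affected": "<=",
+"version_name": "Apache Log4j 2",
+"version_value": "2.14.1"
+}
+]
+}
+}
+]
+},
+"vendor_name": "Apache Software Foundation"
+}
+]
+}
+},
+"credit": [
+{
+"lang": "eng",
+"value": "This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team."
+}
+],
+"data_format": "MITRE",
+"data_type": "CVE",
+"data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
-"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+"value": "Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. \n\nIn previous releases (>2.10) this behavior can be mitigated by setting system property \"log4j2.formatMsgNoLookups\" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting \"com.sun.jndi.rmi.object.trustURLCodebase\" and \"com.sun.jndi.cosnaming.object.trustURLCodebase\" to \"false\"."
 }
 ]
+},
+"generator": {
+"engine": "Vulnogram 0.0.9"
+},
+"impact": [
+{
+"other": "critical"
+}
+],
+"problemtype": {
+"problemtype_data": [
+{
+"description": [
+{
+"lang": "eng",
+"value": "CWE-502 Deserialization of Untrusted Data"
+}
+]
+},
+{
+"description": [
+{
+"lang": "eng",
+"value": "CWE-400 Uncontrolled Resource Consumption"
+}
+]
+},
+{
+"description": [
+{
+"lang": "eng",
+"value": "CWE-20 Improper Input Validation"
+}
+]
+}
+]
+},
+"references": {
+"reference_data": [
+{
+"refsource": "CONFIRM",
+"url": "https://logging.apache.org/log4j/2.x/security.html"
+}
+]
+},
+"source": {
+"discovery": "UNKNOWN"
+}
-}
 }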
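Review bot: The mitigation sentence in the new description `value` wraps the property value in Unicode curly quotes (`“true”`) while every other quoted token in the same string uses escaped straight quotes, so anyone copying `log4j2.formatMsgNoLookups=“true”` into a JVM flag will most likely set a value Log4j does not read as boolean true and leave message lookups enabled; change it to `\"true\"` to match the rest of the string. The `source.discovery` value `UNKNOWN` also sits oddly next to the `credit` entry that names an external researcher at Alibaba Cloud; the record format's `EXTERNAL` value appears to be the fitting one. The `affects` block gives only an upper bound (`"version_affected": "<="`, `"version_value": "2.14.1"`) and leaves the fixed release `2.15.0` in prose, so automated consumers of this feed cannot recover the fix version; a second `version_data` entry marking `2.15.0` as unaffected would make it machine-readable. Finally `impact` carries only `"other": "critical"` with no CVSS vector, which most downstream tooling expects for a record of this severity.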