Hitachi

Hitachi Incident Response Team

HIRT-PUB21001 : Apache Log4j Vulnerability

Last Update: January 04, 2022

1. Overview

Multiple vulnerabilities have been found in Apache Log4j.

CVE-2021-44832: Remote Code Execution Vulnerability
Apache Log4j2 is vulnerable to RCE via the JDBC Appender when an attacker controls the configuration.

CVE-2021-45105: Denial of Service Vulnerability
Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.

CVE-2021-45046: Code Execution Vulnerability
The Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.

CVE-2021-44228: Remote Code Execution Vulnerability
Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.

3. References

4. Update history

January 04, 2022
  • This webpage was newly created and published.

Masato Terada (HIRT) and Naoko Ohnishi (HIRT)