
Cloud Vulnerability DB
A community-led vulnerabilities database
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) were identified as vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server. The vulnerability was discovered and disclosed on December 28, 2021 (Apache Mailing List).
The vulnerability allows remote code execution through JDBC Appender when configured with a JNDI LDAP data source URI. The issue received a CVSS v3.1 Base Score of 6.6 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) (NVD). The vulnerability specifically affects the JDBC Appender functionality when using JNDI LDAP data sources, requiring both configuration access and control of the target LDAP server to exploit.
Successful exploitation could allow an attacker with permission to modify the logging configuration file to execute arbitrary code through a malicious JDBC Appender configuration using JNDI LDAP data source URIs (Rapid7). This could lead to complete system compromise.
The vulnerability was fixed in Log4j versions 2.17.1, 2.12.4, and 2.3.2 by limiting JNDI data source names to the java protocol (NVD). Organizations are strongly advised to upgrade to these patched versions. The issue is tracked as LOG4J2-3293 (Apache JIRA).
Multiple vendors and organizations released security advisories and patches in response to this vulnerability, including Cisco, NetApp, Oracle, and Debian. Debian released security update DLA 2870-1 to address the vulnerability (Debian). Fedora also released updates for both version 34 and 35 to patch the vulnerability (Fedora).
Source: This report was generated using AI