CVE-2021-44228 | Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Published: 2021-12-10 Last update: 2026-02-20 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2021-44228 is rated Critical Active Threat (100/100): CVSS Critical severity, with high exploitation likelihood (EPSS 100.00%, 100th percentile). Core evidence: CISA KEV confirms active exploitation (added 2021-12-10) affecting Apache / Log4j2. The weakness is classified as CWE-20. Unauthenticated remote administrative access may be possible. EPSS rose +5.64% over the last day, indicating growing attacker interest. Mandatory action: The CISA remediation deadline has passed; treat as an emergency patch priority.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

CISA KEV Record for CVE-2021-44228

Name: Apache Log4j2 Remote Code Execution Vulnerability

Exploit added: 2021-12-10

Action due: 2021-12-24

Required action: For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.

Public exploit references (Exploit-DB) for CVE-2021-44228

EDB-ID Source Kind Published Link
51183 exploit_db edb 2023-04-01 Exploit-DB ↗
50590 exploit_db edb 2021-12-14 Exploit-DB ↗
50592 exploit_db edb 2021-12-14 Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2021-44228

EPSS lead: The daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 94.36% 100.00% +5.64%
2 2026-05-25 94.45% 94.36% -0.09%
3 2026-05-22 94.45%

Full EPSS history (79 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2021-44228

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
10.0 3.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0 [email protected]
Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.
10.0 3.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0 134c704f-9b21-4f2e-91b3-4a467353bcc0
9.3 2.0 HIGH AV:N/AC:M/Au:N/C:C/I:C/A:C 8.6 10.0 [email protected]
Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (Au:N): No authentication is required.
Confidentiality impact (C:C): Complete confidentiality impact.
Integrity impact (I:C): Complete integrity impact.
Availability impact (A:C): Complete availability impact.

Weakness enumeration for CVE-2021-44228

GitHub Security Advisory for CVE-2021-44228

GHSA-jfh8-c2jp-5v3q · Severity: critical · Ecosystem: maven — Remote code injection in Log4j

OS Trackers for CVE-2021-44228

vendor priority summary link
debian unimportant CVE-2021-44228 unimportant priority: Debian including 2 source packages (apache-log4j1.2, apache-log4j2), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 10. https://security-tracker.debian.org/tracker/CVE-2021-44228
redhat critical https://access.redhat.com/security/cve/CVE-2021-44228
suse critical CVE-2021-44228 severity critical: SUSE including 61 source package names (10.1.33-openjdk11-59.4:jakarta-servlet-5.0.0-5.3.1, 10.1.33-openjdk17-59.4:jakarta-servlet-5.0.0-5.3.1, …), 283 product×package rows across 85 product lines (Container containers/apache-tomcat, Container suse/manager/5.0/x86_64/server, … (85 product lines)): Fixed 146, Known Not Affected 137. https://www.suse.com/security/cve/CVE-2021-44228/
ubuntu high CVE-2021-44228 high priority: Ubuntu including 1 source packages (apache-log4j2), 8 status rows across 8 suites (bionic, focal, hirsute, impish, jammy, trusty, upstream, xenial): released 6, DNE 1, not-affected 1. https://ubuntu.com/security/CVE-2021-44228

Affected software / configurations for CVE-2021-44228

Vendor Product Version Raw CPE
siemens 6bk1602-0aa12-0tp0_firmware < 2.7.0 cpe:2.3:o:siemens:6bk1602-0aa12-0tp0_firmware:*:*:*:*:*:*:*:*
siemens 6bk1602-0aa22-0tp0_firmware < 2.7.0 cpe:2.3:o:siemens:6bk1602-0aa22-0tp0_firmware:*:*:*:*:*:*:*:*
siemens 6bk1602-0aa32-0tp0_firmware < 2.7.0 cpe:2.3:o:siemens:6bk1602-0aa32-0tp0_firmware:*:*:*:*:*:*:*:*
siemens 6bk1602-0aa42-0tp0_firmware < 2.7.0 cpe:2.3:o:siemens:6bk1602-0aa42-0tp0_firmware:*:*:*:*:*:*:*:*
siemens 6bk1602-0aa52-0tp0_firmware < 2.7.0 cpe:2.3:o:siemens:6bk1602-0aa52-0tp0_firmware:*:*:*:*:*:*:*:*
apache log4j >= 2.0.1, < 2.3.1 cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
apache log4j >= 2.4.0, < 2.12.2 cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
apache log4j >= 2.13.0, < 2.15.0 cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
apache log4j 2.0 cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
apache log4j 2.0 cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
apache log4j 2.0 cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
apache log4j 2.0 cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
siemens sppa-t3000_ses3000_firmware cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*
siemens capital < 2019.1 cpe:2.3:a:siemens:capital:*:*:*:*:*:*:*:*
siemens capital 2019.1 cpe:2.3:a:siemens:capital:2019.1:-:*:*:*:*:*:*
siemens capital 2019.1 cpe:2.3:a:siemens:capital:2019.1:sp1912:*:*:*:*:*:*
siemens comos < 10.4.2 cpe:2.3:a:siemens:comos:*:*:*:*:*:*:*:*
siemens desigo_cc_advanced_reports 3.0 cpe:2.3:a:siemens:desigo_cc_advanced_reports:3.0:*:*:*:*:*:*:*
siemens desigo_cc_advanced_reports 4.0 cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.0:*:*:*:*:*:*:*
siemens desigo_cc_advanced_reports 4.1 cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.1:*:*:*:*:*:*:*
siemens desigo_cc_advanced_reports 4.2 cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.2:*:*:*:*:*:*:*
siemens desigo_cc_advanced_reports 5.0 cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.0:*:*:*:*:*:*:*
siemens desigo_cc_advanced_reports 5.1 cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.1:*:*:*:*:*:*:*
siemens desigo_cc_info_center 5.0 cpe:2.3:a:siemens:desigo_cc_info_center:5.0:*:*:*:*:*:*:*
siemens desigo_cc_info_center 5.1 cpe:2.3:a:siemens:desigo_cc_info_center:5.1:*:*:*:*:*:*:*
siemens e-car_operation_center < 2021-12-13 cpe:2.3:a:siemens:e-car_operation_center:*:*:*:*:*:*:*:*
siemens energy_engage 3.1 cpe:2.3:a:siemens:energy_engage:3.1:*:*:*:*:*:*:*
siemens energyip 8.5 cpe:2.3:a:siemens:energyip:8.5:*:*:*:*:*:*:*
siemens energyip 8.6 cpe:2.3:a:siemens:energyip:8.6:*:*:*:*:*:*:*
siemens energyip 8.7 cpe:2.3:a:siemens:energyip:8.7:*:*:*:*:*:*:*
siemens energyip 9.0 cpe:2.3:a:siemens:energyip:9.0:*:*:*:*:*:*:*
siemens energyip_prepay < 3.8.0.12 cpe:2.3:a:siemens:energyip_prepay:*:*:*:*:*:*:*:*
siemens gma-manager < 8.6.2j-398 cpe:2.3:a:siemens:gma-manager:*:*:*:*:*:*:*:*
siemens head-end_system_universal_device_integration_system cpe:2.3:a:siemens:head-end_system_universal_device_integration_system:*:*:*:*:*:*:*:*
siemens industrial_edge_management cpe:2.3:a:siemens:industrial_edge_management:*:*:*:*:*:*:*:*
siemens industrial_edge_management_hub < 2021-12-13 cpe:2.3:a:siemens:industrial_edge_management_hub:*:*:*:*:*:*:*:*
siemens logo\!_soft_comfort cpe:2.3:a:siemens:logo\!_soft_comfort:*:*:*:*:*:*:*:*
siemens mendix cpe:2.3:a:siemens:mendix:*:*:*:*:*:*:*:*
siemens mindsphere < 2021-12-16 cpe:2.3:a:siemens:mindsphere:*:*:*:*:*:*:*:*
siemens navigator < 2021-12-13 cpe:2.3:a:siemens:navigator:*:*:*:*:*:*:*:*
siemens nx cpe:2.3:a:siemens:nx:*:*:*:*:*:*:*:*
siemens opcenter_intelligence >= 3.2, < 3.5 cpe:2.3:a:siemens:opcenter_intelligence:*:*:*:*:*:*:*:*
siemens operation_scheduler <= 1.1.3 cpe:2.3:a:siemens:operation_scheduler:*:*:*:*:*:*:*:*
siemens sentron_powermanager 4.1 cpe:2.3:a:siemens:sentron_powermanager:4.1:*:*:*:*:*:*:*
siemens sentron_powermanager 4.2 cpe:2.3:a:siemens:sentron_powermanager:4.2:*:*:*:*:*:*:*
siemens siguard_dsa >= 4.2, < 4.4.1 cpe:2.3:a:siemens:siguard_dsa:*:*:*:*:*:*:*:*
siemens sipass_integrated 2.80 cpe:2.3:a:siemens:sipass_integrated:2.80:*:*:*:*:*:*:*
siemens sipass_integrated 2.85 cpe:2.3:a:siemens:sipass_integrated:2.85:*:*:*:*:*:*:*
siemens siveillance_command <= 4.16.2.1 cpe:2.3:a:siemens:siveillance_command:*:*:*:*:*:*:*:*
siemens siveillance_control_pro cpe:2.3:a:siemens:siveillance_control_pro:*:*:*:*:*:*:*:*
siemens siveillance_identity 1.5 cpe:2.3:a:siemens:siveillance_identity:1.5:*:*:*:*:*:*:*
siemens siveillance_identity 1.6 cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:*
siemens siveillance_vantage cpe:2.3:a:siemens:siveillance_vantage:*:*:*:*:*:*:*:*
siemens siveillance_viewpoint cpe:2.3:a:siemens:siveillance_viewpoint:*:*:*:*:*:*:*:*
siemens solid_edge_cam_pro cpe:2.3:a:siemens:solid_edge_cam_pro:*:*:*:*:*:*:*:*
siemens solid_edge_harness_design < 2020 cpe:2.3:a:siemens:solid_edge_harness_design:*:*:*:*:*:*:*:*
siemens solid_edge_harness_design 2020 cpe:2.3:a:siemens:solid_edge_harness_design:2020:*:*:*:*:*:*:*
siemens solid_edge_harness_design 2020 cpe:2.3:a:siemens:solid_edge_harness_design:2020:-:*:*:*:*:*:*
siemens solid_edge_harness_design 2020 cpe:2.3:a:siemens:solid_edge_harness_design:2020:sp2002:*:*:*:*:*:*
siemens spectrum_power_4 < 4.70 cpe:2.3:a:siemens:spectrum_power_4:*:*:*:*:*:*:*:*
siemens spectrum_power_4 4.70 cpe:2.3:a:siemens:spectrum_power_4:4.70:-:*:*:*:*:*:*
siemens spectrum_power_4 4.70 cpe:2.3:a:siemens:spectrum_power_4:4.70:sp7:*:*:*:*:*:*
siemens spectrum_power_4 4.70 cpe:2.3:a:siemens:spectrum_power_4:4.70:sp8:*:*:*:*:*:*
siemens spectrum_power_7 < 2.30 cpe:2.3:a:siemens:spectrum_power_7:*:*:*:*:*:*:*:*
siemens spectrum_power_7 2.30 cpe:2.3:a:siemens:spectrum_power_7:2.30:*:*:*:*:*:*:*
siemens spectrum_power_7 2.30 cpe:2.3:a:siemens:spectrum_power_7:2.30:-:*:*:*:*:*:*
siemens spectrum_power_7 2.30 cpe:2.3:a:siemens:spectrum_power_7:2.30:sp2:*:*:*:*:*:*
siemens teamcenter cpe:2.3:a:siemens:teamcenter:*:*:*:*:*:*:*:*
siemens vesys < 2019.1 cpe:2.3:a:siemens:vesys:*:*:*:*:*:*:*:*
siemens vesys 2019.1 cpe:2.3:a:siemens:vesys:2019.1:*:*:*:*:*:*:*
siemens vesys 2019.1 cpe:2.3:a:siemens:vesys:2019.1:-:*:*:*:*:*:*
siemens vesys 2019.1 cpe:2.3:a:siemens:vesys:2019.1:sp1912:*:*:*:*:*:*
siemens vesys 2020.1 cpe:2.3:a:siemens:vesys:2020.1:-:*:*:*:*:*:*
siemens vesys 2021.1 cpe:2.3:a:siemens:vesys:2021.1:-:*:*:*:*:*:*
siemens xpedition_enterprise cpe:2.3:a:siemens:xpedition_enterprise:-:*:*:*:*:*:*:*
siemens xpedition_package_integrator cpe:2.3:a:siemens:xpedition_package_integrator:-:*:*:*:*:*:*:*
intel computer_vision_annotation_tool cpe:2.3:a:intel:computer_vision_annotation_tool:-:*:*:*:*:*:*:*
intel datacenter_manager < 5.1 cpe:2.3:a:intel:datacenter_manager:*:*:*:*:*:*:*:*
intel genomics_kernel_library cpe:2.3:a:intel:genomics_kernel_library:-:*:*:*:*:*:*:*
intel oneapi_sample_browser cpe:2.3:a:intel:oneapi_sample_browser:-:*:*:*:*:eclipse:*:*

References for CVE-2021-44228

URL Tags
http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html Broken Link Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2022/Dec/2 Exploit Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2022/Jul/11 Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2022/Mar/23 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/10/1 Mailing List Mitigation Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/10/2 Mailing List Mitigation Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/10/3 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/13/1 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/13/2 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/14/4 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/15/3 Mailing List Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf Third Party Advisory
https://github.com/cisagov/log4j-affected-db Third Party Advisory
https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md Broken Link Product US Government Resource
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228 Exploit Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/ Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/ Release Notes
https://logging.apache.org/log4j/2.x/security.html Release Notes Vendor Advisory
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ Patch Third Party Advisory Vendor Advisory
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032 Third Party Advisory
https://security.netapp.com/advisory/ntap-20211210-0007/ Third Party Advisory
https://support.apple.com/kb/HT213189 Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd Third Party Advisory
https://twitter.com/kurtseifried/status/1469345530182455296 Broken Link Exploit Third Party Advisory
https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001 Third Party Advisory
https://www.debian.org/security/2021/dsa-5020 Mailing List Third Party Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html Third Party Advisory
https://www.kb.cert.org/vuls/id/930724 Third Party Advisory US Government Resource
https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html Exploit Third Party Advisory
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44228 Third Party Advisory US Government Resource