CVE-2021-44832 [Medium] | Input Validation Bypass in Log4j

CVE-2021-44832 is rated Moderate Risk (63.9/100): CVSS Medium severity, with high exploitation likelihood (EPSS 53.65%, 98th percentile). EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +3.20% over the last day, indicating growing attacker interest. High exploitation likelihood—assess exposure and prioritize remediation.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-05-20	50.44%	53.65%	+3.20%
2	2026-05-01	53.65%	50.44%	-3.20%
3	2026-04-14	—	53.65%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-05-20

50.44%

53.65%

+3.20%

2026-05-01

53.65%

50.44%

-3.20%

2026-04-14

—

53.65%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.6	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:H) They need powerful rights—admin, root, or similar—before this pays off. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	0.7	5.9	[email protected]
6.6	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:H) They need powerful rights—admin, root, or similar—before this pays off. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	0.7	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0
8.5	2.0	HIGH	`AV:N/AC:M/Au:S/C:C/I:C/A:C` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:S) A single authentication is required. Confidentiality impact (C:C) Complete confidentiality impact. Integrity impact (I:C) Complete integrity impact. Availability impact (A:C) Complete availability impact.	6.8	10.0	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.6

3.1

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:H): They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

0.7

5.9

[email protected]

6.6

3.1

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:H): They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

0.7

5.9

134c704f-9b21-4f2e-91b3-4a467353bcc0

8.5

2.0

HIGH

AV:N/AC:M/Au:S/C:C/I:C/A:C Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:S): A single authentication is required.
Confidentiality impact (C:C): Complete confidentiality impact.
Integrity impact (I:C): Complete integrity impact.
Availability impact (A:C): Complete availability impact.

6.8

10.0

[email protected]

OS Trackers for CVE-2021-44832

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2021-44832 not yet assigned priority: Debian including 1 source packages (apache-log4j2), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2021-44832
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2021-44832
`suse`	medium	CVE-2021-44832 severity moderate: SUSE including 25 source package names (5.0.0-beta1.2.122:log4j-2.17.0-4.16.1, 5.0.0-beta1.2.122:log4j-jcl-2.17.0-4.16.1, …), 134 product×package rows across 66 product lines (Container suse/manager/5.0/x86_64/server, Container suse/manager/5.0/x86_64/server-attestation, … (66 product lines)): Fixed 73, Known Not Affected 61.	https://www.suse.com/security/cve/CVE-2021-44832/
`ubuntu`	medium	CVE-2021-44832 medium priority: Ubuntu including 1 source packages (apache-log4j2), 15 status rows across 15 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): ignored 4, released 4, needs-triage 3, not-affected 2, DNE 1, needed 1.	https://ubuntu.com/security/CVE-2021-44832

Affected software / configurations for CVE-2021-44832

Vendor	Product	Version	Raw CPE
apache	log4j	>= 2.0.1, < 2.3.2	cpe:2.3:a:apache:log4j::::::::
apache	log4j	>= 2.4, < 2.12.4	cpe:2.3:a:apache:log4j::::::::
apache	log4j	>= 2.13.0, < 2.17.1	cpe:2.3:a:apache:log4j::::::::
apache	log4j	2.0	cpe:2.3:a:apache:log4j:2.0:-::::::
apache	log4j	2.0	cpe:2.3:a:apache:log4j:2.0:beta7::::::
apache	log4j	2.0	cpe:2.3:a:apache:log4j:2.0:beta8::::::
apache	log4j	2.0	cpe:2.3:a:apache:log4j:2.0:beta9::::::
apache	log4j	2.0	cpe:2.3:a:apache:log4j:2.0:rc1::::::
apache	log4j	2.0	cpe:2.3:a:apache:log4j:2.0:rc2::::::
oracle	communications_diameter_signaling_router	>= 8.0.0.0, <= 8.5.1.0	cpe:2.3:a:oracle:communications_diameter_signaling_router::::::::
oracle	communications_interactive_session_recorder	6.3	cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:::::::*
oracle	communications_interactive_session_recorder	6.4	cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:::::::*
oracle	primavera_gateway	>= 17.12.0, <= 17.12.11	cpe:2.3:a:oracle:primavera_gateway::::::::
oracle	primavera_gateway	>= 18.8.0, <= 18.8.13	cpe:2.3:a:oracle:primavera_gateway::::::::
oracle	primavera_gateway	>= 19.12.0, <= 19.12.12	cpe:2.3:a:oracle:primavera_gateway::::::::
oracle	primavera_gateway	>= 20.12.0, <= 20.12.7	cpe:2.3:a:oracle:primavera_gateway::::::::
oracle	primavera_gateway	21.12.0	cpe:2.3:a:oracle:primavera_gateway:21.12.0:::::::*
oracle	primavera_p6_enterprise_project_portfolio_management	>= 19.12.0, <= 19.12.18.0	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
oracle	primavera_p6_enterprise_project_portfolio_management	>= 20.12.0.0, <= 20.12.12.0	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
oracle	primavera_p6_enterprise_project_portfolio_management	21.12.0.0	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:21.12.0.0:::::::*
oracle	primavera_unifier	18.8	cpe:2.3:a:oracle:primavera_unifier:18.8:::::::*
oracle	primavera_unifier	19.12	cpe:2.3:a:oracle:primavera_unifier:19.12:::::::*
oracle	primavera_unifier	20.12	cpe:2.3:a:oracle:primavera_unifier:20.12:::::::*
oracle	primavera_unifier	21.12	cpe:2.3:a:oracle:primavera_unifier:21.12:::::::*
oracle	retail_assortment_planning	16.0.3	cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:::::::*
oracle	retail_fiscal_management	14.2	cpe:2.3:a:oracle:retail_fiscal_management:14.2:::::::*
oracle	siebel_ui_framework	21.12	cpe:2.3:a:oracle:siebel_ui_framework:21.12:::::::*
oracle	weblogic_server	12.2.1.3.0	cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
oracle	weblogic_server	12.2.1.4.0	cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
oracle	weblogic_server	14.1.1.0.0	cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*
cisco	cloudcenter	4.10.0.16	cpe:2.3:a:cisco:cloudcenter:4.10.0.16:::::::*
fedoraproject	fedora	34	cpe:2.3:o:fedoraproject:fedora:34:::::::*
fedoraproject	fedora	35	cpe:2.3:o:fedoraproject:fedora:35:::::::*
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*
oracle	communications_brm_-_elastic_charging_engine	< 12.0.0.4.6	cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine::::::::
oracle	communications_brm_-_elastic_charging_engine	12.0.0.5.0	cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:::::::*
oracle	communications_diameter_signaling_router	>= 8.3.0.0, <= 8.5.1.0	cpe:2.3:a:oracle:communications_diameter_signaling_router::::::::
oracle	communications_offline_mediation_controller	< 12.0.0.4.4	cpe:2.3:a:oracle:communications_offline_mediation_controller::::::::
oracle	communications_offline_mediation_controller	12.0.0.5.0	cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:::::::*
oracle	flexcube_private_banking	12.1.0	cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:::::::*
oracle	health_sciences_data_management_workbench	2.5.2.1	cpe:2.3:a:oracle:health_sciences_data_management_workbench:2.5.2.1:::::::*
oracle	health_sciences_data_management_workbench	3.0.0.0	cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.0.0.0:::::::*
oracle	health_sciences_data_management_workbench	3.1.0.3	cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.1.0.3:::::::*
oracle	policy_automation	>= 12.2.0, <= 12.2.24	cpe:2.3:a:oracle:policy_automation::::::::
oracle	policy_automation_for_mobile_devices	>= 12.2.0, <= 12.2.24	cpe:2.3:a:oracle:policy_automation_for_mobile_devices::::::::
oracle	primavera_p6_enterprise_project_portfolio_management	>= 19.12.0.0, <= 19.12.18.0	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
oracle	product_lifecycle_analytics	3.6.1	cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:::::::*
oracle	retail_order_broker	18.0	cpe:2.3:a:oracle:retail_order_broker:18.0:::::::*
oracle	retail_order_broker	19.1	cpe:2.3:a:oracle:retail_order_broker:19.1:::::::*
oracle	retail_xstore_point_of_service	17.0.4	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
oracle	retail_xstore_point_of_service	18.0.3	cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
oracle	retail_xstore_point_of_service	19.0.2	cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::*
oracle	retail_xstore_point_of_service	20.0.1	cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:::::::*
oracle	retail_xstore_point_of_service	21.0.1	cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.1:::::::*
oracle	siebel_ui_framework	<= 21.12	cpe:2.3:a:oracle:siebel_ui_framework::::::::

References for CVE-2021-44832

URL	Tags
http://www.openwall.com/lists/oss-security/2021/12/28/1	Mailing List Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf	Third Party Advisory
https://issues.apache.org/jira/browse/LOG4J2-3293	Issue Tracking Patch Vendor Advisory
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143	Mailing List Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/
https://security.netapp.com/advisory/ntap-20220104-0001/	Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory

URL

CVE-2021-44832 | Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

Exploit prediction scoring system (EPSS) score for CVE-2021-44832

Common vulnerability scoring system (CVSS) metrics for CVE-2021-44832

Weakness enumeration for CVE-2021-44832

GitHub Security Advisory for CVE-2021-44832

OS Trackers for CVE-2021-44832

Affected software / configurations for CVE-2021-44832

References for CVE-2021-44832