CVE-2021-44832 is a configuration-dependent remote code execution vulnerability in Apache Log4j2. It affects Log4j2 versions 2.0-beta7 through 2.17.0, excluding the security fix releases 2.3.2 and 2.12.4. The flaw is exposed when Log4j2 is configured to use a JDBC Appender with a JNDI LDAP data source URI. If an attacker can modify the Log4j2 configuration and point that JDBC Appender to an attacker-controlled LDAP server, Log4j2 can be induced to resolve the malicious JNDI reference and execute attacker-controlled code. The issue was fixed by restricting JNDI data source names to the java protocol in Log4j2 2.17.1, 2.12.4, and 2.3.2.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository is a defensive Log4Shell lab rather than a standalone offensive exploit drop, but it does contain working exploit components. The structure combines: (1) a vulnerable target container (`log4shell-app`, based on a public Spring Boot Log4j 2.14.1 image), (2) an nginx reverse proxy with the Coraza WAF and OWASP CRS plus custom Log4Shell rules, (3) an attacker container that builds and packages multiple JNDI exploitation toolkits, and (4) Suricata/Wazuh monitoring for network and SIEM visibility. The main exploit capability lives under `attacker/`. `attacker/exploit-classes/Exploit.java` is a malicious Java class intended to be loaded through a JNDI/LDAP reference. Its static initializer executes immediately on class load and performs proof-of-exploitation actions: OS-specific command execution to write a marker file, creation of `/tmp/log4shell-exploited.txt`, and an optional reverse shell routine that connects to `172.20.0.2:4444`. There is also a stubbed environment-information collection method. This makes the repo more than a detector: it includes an actual RCE payload class. `attacker/scripts/start-ldap-server.sh` operationalizes exploitation by launching one of three JNDI infrastructures: marshalsec, JNDI-Exploit-Kit, or rogue-jndi. These are configured to serve the malicious class or execute simple commands/callbacks. `attacker/scripts/test-payloads.sh` is a payload spray/test harness that sends many Log4Shell payload variants to the nginx proxy using common injection points such as `User-Agent` and `X-Forwarded-For`. It includes LDAP, RMI, DNS, nested-expression, env/sys fallback, Unicode, whitespace, and colon-dash obfuscation variants. This script is primarily for validation of WAF/IDS coverage, but it also demonstrates realistic attack strings. The rest of the repository is focused on detection and containment. `coraza/config/log4shell-rules.conf` defines custom Coraza rules for standard and obfuscated JNDI patterns, alternate protocols, JSON/XML body inspection, and anomaly-score blocking. `nginx/` contains a multi-stage Docker build that compiles libcoraza and the coraza-nginx module, installs OWASP CRS, and exposes HTTP/HTTPS reverse proxying to the vulnerable app. `suricata/rules/log4shell.rules` adds network signatures for inbound JNDI payloads and outbound LDAP/RMI/DNS/HTTP callbacks that would indicate successful exploitation. Overall purpose: provide an isolated lab to demonstrate the full Log4Shell attack chain and, more importantly, how nginx+Coraza and Suricata can detect/block it. Because the repository includes a real malicious Java payload and scripts to stand up LDAP/JNDI exploit servers, it should be classified as a valid exploit-capable lab with operational payloads, not merely documentation or a pure detection script.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A related configuration-based remote code execution vulnerability in Apache Log4j affecting Log4j 2.17.0.
Another remote code execution vulnerability in Log4j, specifically via the JDBC Appender, mentioned as part of the broader Log4j vulnerability chain.
A Log4j-related vulnerability referenced as part of the broader 'Log4Shell' cluster; the content treats these CVEs collectively as enabling exploitation leading to code execution and post-exploitation payload deployment in affected environments (including VMware Horizon).
A remote code execution vulnerability in Apache Log4j referenced as part of the Log4Shell-related vulnerabilities affecting Log4j-embedded applications.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.