log4j-core is vulnerable to remote code execution. JNDI access is not limited for data source names, so an attacker with privilege to modify the logging configuration can supply a malicious configuration in which the JDBC Appender uses a data source referencing a JNDI URI.
www.openwall.com/lists/oss-security/2021/12/28/1
cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf
github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16
issues.apache.org/jira/browse/LOG4J2-3293
lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
lists.debian.org/debian-lts-announce/2021/12/msg00036.html
lists.fedoraproject.org/archives/list/[email protected]/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/
lists.fedoraproject.org/archives/list/[email protected]/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/
security.netapp.com/advisory/ntap-20220104-0001/
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
www.oracle.com/security-alerts/cpuapr2022.html
www.oracle.com/security-alerts/cpujan2022.html
www.oracle.com/security-alerts/cpujul2022.html
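
A configuration check for the condition described in the summary above, as an added example (not code from log4j or from this advisory): it parses a log4j2 XML configuration and reports JDBC Appender data sources whose jndiName is a JNDI URI with a scheme other than java:, or a lookup that cannot be judged statically. The sample configuration, its host name and the java:-only allow-list are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="localDb" tableName="app_log">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
    </JDBC>
    <JDBC name="remoteDb" tableName="app_log">
      <DataSource jndiName="ldap://directory.example.test:1389/cn=ds"/>
    </JDBC>
    <JDBC name="lookupDb" tableName="app_log">
      <DataSource jndiName="${env:LOG_DS}"/>
    </JDBC>
    <Console name="stdout"/>
  </Appenders>
</Configuration>"""

SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
ALLOWED_SCHEMES = {"java"}  # assumption of this example: only local java: names pass


def _name(elem):
    """Element name without any XML namespace, lower-cased for comparison."""
    return elem.tag.rsplit("}", 1)[-1].lower()


def audit_jdbc_datasources(config_xml):
    """Return (appender, jndiName, reason) for each JDBC Appender data source to review."""
    findings = []
    for appender in ET.fromstring(config_xml).iter():
        if _name(appender) != "jdbc":
            continue
        for child in appender:
            if _name(child) != "datasource":
                continue
            jndi = child.get("jndiName", "").strip()
            match = SCHEME.match(jndi)
            if "${" in jndi:
                # Value is substituted at runtime, so the real target is unknown here.
                findings.append((appender.get("name"), jndi, "unresolved lookup"))
            elif match and match.group(1).lower() not in ALLOWED_SCHEMES:
                findings.append((appender.get("name"), jndi, "non-local JNDI scheme"))
    return findings


if __name__ == "__main__":
    for finding in audit_jdbc_datasources(SAMPLE_CONFIG):
        print(finding)
```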