Details of VAR-202112-0562

ID

VAR-202112-0562

CVE

CVE-2021-45046

TITLE

Apache Log4j allows insecure JNDI lookups

Trust: 0.8

sources: CERT/CC: VU#930724

DESCRIPTION

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default. Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j.CVE-2021-4104 Affected CVE-2021-44228 Affected CVE-2021-45046 AffectedCVE-2021-4104 Affected CVE-2021-44228 Affected CVE-2021-45046 Affected. Apache Log4j is a Java-based open source logging tool of the Apache Foundation. Apache log4j2 has a denial of service vulnerability. When improperly configured, an attacker can exploit this vulnerability to cause a denial of service attack. Solution: For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html 4. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Installation instructions are available from the Fuse product documentation pages: Fuse 7.8: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/installing_on_apache_karaf/apply-hotfix-patch https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/deploying_into_spring_boot/patch-red-hat-fuse-applications Fuse 7.9: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/installing_on_apache_karaf/apply-hotfix-patch https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/deploying_into_spring_boot/patch-red-hat-fuse-applications Fuse 7.10: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/installing_on_apache_karaf/apply-hotfix-patch https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/deploying_into_spring_boot/patch-red-hat-fuse-applications 4. The References section of this erratum contains a download link for the update. You must be logged in to download the update. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Low: Red Hat JBoss Enterprise Application Platform 7.4.4 security update Advisory ID: RHSA-2022:1297-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2022:1297 Issue date: 2022-04-11 CVE Names: CVE-2021-4104 CVE-2021-44832 CVE-2021-45046 CVE-2021-45105 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307 ===================================================================== 1. Summary: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.4 for RHEL 8 - noarch, x86_64 3. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release. 4. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. JIRA issues fixed (https://issues.jboss.org/): JBEAP-22105 - (7.4.z) Upgrade from com.io7m.xom:xom 1.2.10 to xom:xom 1.3.7 JBEAP-22385 - (7.4.z) Upgrade ASM from 7.1 to 9.1 JBEAP-22731 - (7.4.z) Upgrade Artemis from 2.16.0.redhat-00032 to 2.16.0.redhat-00034 JBEAP-22738 - (7.4.z) Upgrade jbossws-cxf from 5.4.2.Final to 5.4.4.Final(Fix UsernameTokenElytronTestCase on SE 17) JBEAP-22819 - [GSS] (7.4.z) HAL-1762 - Aliases are removed from the credential store when passwords are updated from the admin console JBEAP-22839 - [GSS](7.4.z) Upgrade yasson from 1.0.9.redhat-00001 to 1.0.10.redhat-00001 JBEAP-22864 - (7.4.z) Upgrade HAL from 3.3.8.Final-redhat-00001 to 3.3.9.Final-redhat-00001 JBEAP-22900 - Tracker bug for the EAP 7.4.4 release for RHEL-8 JBEAP-22904 - (7.4.z) Upgrade Hibernate ORM from 5.3.24.Final-redhat-00001 to 5.3.25.Final-redhat-00002 JBEAP-22911 - (7.4.z) Upgrade OpenSSL from 2.1.3.Final-redhat-00001 to 2.2.0.Final-redhat-00001 JBEAP-22912 - (7.4.z) Upgrade OpenSSL Natives from 2.1.0.SP01-redhat-00001 to 2.2.0.Final-redhat-00001 JBEAP-22913 - (7.4.z) Upgrade WildFly Core from 15.0.6.Final-redhat-00003 to 15.0.7.Final-redhat-00001 JBEAP-22935 - (7.4.z) Upgrade jboss-vfs from 3.2.15.Final-redhat-00001 to 3.2.16.Final-redhat-00001 JBEAP-22945 - (7.4.z) Upgrade org.apache.logging.log4j from 2.14.0.redhat-00002 to 2.17.1.redhat-00001 JBEAP-22973 - (7.4.z) Upgrade Elytron from 1.15.9.Final-redhat-00001 to 1.15.11.Final-redhat-00002 JBEAP-23038 - (7.4.z) Upgrade galleon-plugins from 5.1.4.Final to 5.2.6.Final JBEAP-23040 - (7.4.z) Upgrade galleon-plugins in wildfly-core-eap from 5.1.4.Final to 5.2.6.Final JBEAP-23045 - (7.4.z) Upgrade Undertow from 2.2.13.SP2-redhat-00001 to 2.2.16.Final-redhat-0001 JBEAP-23101 - (7.4.z) Upgrade Infinispan from 11.0.12.Final to 11.0.15.Final JBEAP-23105 - (7.4.z) Upgrade Narayana from 5.11.3.Final-redhat-00001 to 5.11.4.Final-redhat-00001 JBEAP-23143 - (7.4.z) Upgrade from org.eclipse.jdt.core.compiler:ecj:4.6.1 to org.eclipse.jdt:ecj:3.26 JBEAP-23177 - (7.4.z) Upgrade XNIO from 3.8.5.SP1-redhat-00001 to 3.8.6.Final-redhat-00001 JBEAP-23323 - [GSS](7.4.z) WFLY-16112 - Batch JobOperatorService should look for only active job names to stop during suspend JBEAP-23373 - (7.4.z) Upgrade OpenSSL from 2.2.0.Final-redhat-00001 to 2.2.0.Final-redhat-00002 JBEAP-23374 - (7.4.z) Upgrade WildFly Core from 15.0.7.Final-redhat-00001 to 15.0.8.Final-redhat-00001 JBEAP-23375 - (7.4.z) Upgrade OpenSSL Natives from 2.2.0.Final-redhat-00001 to 2.2.0.Final-redhat-00002 7. Package List: Red Hat JBoss EAP 7.4 for RHEL 8: Source: eap7-activemq-artemis-2.16.0-7.redhat_00034.1.el8eap.src.rpm eap7-ecj-3.26.0-1.redhat_00002.1.el8eap.src.rpm eap7-hal-console-3.3.9-1.Final_redhat_00001.1.el8eap.src.rpm eap7-hibernate-5.3.25-1.Final_redhat_00002.1.el8eap.src.rpm eap7-infinispan-11.0.15-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-server-migration-1.10.0-15.Final_redhat_00014.1.el8eap.src.rpm eap7-jboss-vfs-3.2.16-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-xnio-base-3.8.6-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jbossws-cxf-5.4.4-1.Final_redhat_00001.1.el8eap.src.rpm eap7-log4j-2.17.1-1.redhat_00001.1.el8eap.src.rpm eap7-narayana-5.11.4-1.Final_redhat_00001.1.el8eap.src.rpm eap7-objectweb-asm-9.1.0-1.redhat_00002.1.el8eap.src.rpm eap7-undertow-2.2.16-1.Final_redhat_00001.1.el8eap.src.rpm eap7-wildfly-7.4.4-3.GA_redhat_00011.1.el8eap.src.rpm eap7-wildfly-elytron-1.15.11-1.Final_redhat_00002.1.el8eap.src.rpm eap7-wildfly-openssl-2.2.0-3.Final_redhat_00002.1.el8eap.src.rpm eap7-wildfly-openssl-el8-x86_64-2.2.0-2.Final_redhat_00002.1.el8eap.src.rpm eap7-xom-1.3.7-1.redhat_00001.1.el8eap.src.rpm eap7-yasson-1.0.10-1.redhat_00001.1.el8eap.src.rpm noarch: eap7-activemq-artemis-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-cli-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-commons-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-core-client-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-dto-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-jms-client-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-jms-server-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-journal-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-ra-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-selector-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-server-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-tools-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-ecj-3.26.0-1.redhat_00002.1.el8eap.noarch.rpm eap7-hal-console-3.3.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-5.3.25-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-hibernate-core-5.3.25-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-hibernate-entitymanager-5.3.25-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-hibernate-envers-5.3.25-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-hibernate-java8-5.3.25-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-infinispan-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-jdbc-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-remote-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-client-hotrod-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-commons-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-component-annotations-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-core-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-commons-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-spi-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-v53-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-server-migration-1.10.0-15.Final_redhat_00014.1.el8eap.noarch.rpm eap7-jboss-server-migration-cli-1.10.0-15.Final_redhat_00014.1.el8eap.noarch.rpm eap7-jboss-server-migration-core-1.10.0-15.Final_redhat_00014.1.el8eap.noarch.rpm eap7-jboss-vfs-3.2.16-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-xnio-base-3.8.6-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jbossws-cxf-5.4.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-log4j-2.17.1-1.redhat_00001.1.el8eap.noarch.rpm eap7-narayana-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-compensations-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jbosstxbridge-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jbossxts-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jts-idlj-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jts-integration-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-restat-api-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-restat-bridge-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-restat-integration-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-restat-util-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-txframework-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-objectweb-asm-9.1.0-1.redhat_00002.1.el8eap.noarch.rpm eap7-undertow-2.2.16-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-7.4.4-3.GA_redhat_00011.1.el8eap.noarch.rpm eap7-wildfly-elytron-1.15.11-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-elytron-tool-1.15.11-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-javadocs-7.4.4-3.GA_redhat_00011.1.el8eap.noarch.rpm eap7-wildfly-modules-7.4.4-3.GA_redhat_00011.1.el8eap.noarch.rpm eap7-wildfly-openssl-2.2.0-3.Final_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-openssl-java-2.2.0-3.Final_redhat_00002.1.el8eap.noarch.rpm eap7-xom-1.3.7-1.redhat_00001.1.el8eap.noarch.rpm eap7-yasson-1.0.10-1.redhat_00001.1.el8eap.noarch.rpm x86_64: eap7-wildfly-openssl-el8-x86_64-2.2.0-2.Final_redhat_00002.1.el8eap.x86_64.rpm eap7-wildfly-openssl-el8-x86_64-debuginfo-2.2.0-2.Final_redhat_00002.1.el8eap.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2021-4104 https://access.redhat.com/security/cve/CVE-2021-44832 https://access.redhat.com/security/cve/CVE-2021-45046 https://access.redhat.com/security/cve/CVE-2021-45105 https://access.redhat.com/security/cve/CVE-2022-23302 https://access.redhat.com/security/cve/CVE-2022-23305 https://access.redhat.com/security/cve/CVE-2022-23307 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYlRUqtzjgjWX9erEAQhXfxAApQ6HkBUo8Tg+GWEosSpAx0AEsVPMojWK HU3uJRF8jp0KXqchc+KVlalBJAWHPBUDr4xBpsISqwr7T/9iYonKlo4ijA/68b2K khbFyt6o6i2dXrYygT5fcMtukSjN2T/hfCc2ZE2yiHTO3Ou4AALyZ2xCyYtfSpuZ rZLVvgCWrnak2msgkoNl0/sZxnjw6b+ZJczKkq3QqPVWOYlV/Qdl5NGy16i0rbEo P1rWXJrOUlEBctJEs756cqeIJesYKHZqqPx/kHaNyzdxDh99hKGZx7oturscAN6e sPfSSdyd5jsOcWD7UlHV9ukoPQxf1ouVBa0qkpL0wCoR3GFF6Pls1bMEFzUoz3/R IwagVxsr38duK3isv34l6IQ+RP0oSWN0rgPUu69tAlEV+YwLgA5JUOpz1i7FTmXt l3i5+wMlo9Xc/Hy+j7unW8Do7s/i0YuFVTuM6H9KEITuFjgFA2tB9CpzoAFzWLk0 U8zCL80Rwy1wiMydSrLjtg3YUPB6ibh2NJ02O7R+bNhJ8bN4yuDuWkDqy4VdPXGp zhed3dZmYAXD9/x+mnfghcbJZwigzGT9Qv78zYafB3f8K7cEVEDJK3aZMOkkh9ca dcaLs5WRv8ZTytFPv+KGKRJ/cc/UHAvh8zumMZdVMp1oty/k/OYWhgaEJMWGQDCe UnHI/WwB37w= =eCh2 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied

Trust: 2.43

sources: NVD: CVE-2021-45046 // CERT/CC: VU#930724 // VULHUB: VHN-408570 // PACKETSTORM: 165326 // PACKETSTORM: 165343 // PACKETSTORM: 165632 // PACKETSTORM: 165636 // PACKETSTORM: 165637 // PACKETSTORM: 166673 // PACKETSTORM: 166676 // PACKETSTORM: 165650

AFFECTED PRODUCTS

vendor:	intel	model:	secure device onboard	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	mindsphere	scope:	lt	version:	2021-12-11	Trust: 1.0
vendor:	siemens	model:	solid edge harness design	scope:	lt	version:	2020	Trust: 1.0
vendor:	siemens	model:	6bk1602-0aa42-0tp0	scope:	lt	version:	2.7.0	Trust: 1.0
vendor:	siemens	model:	energyip prepay	scope:	eq	version:	3.8	Trust: 1.0
vendor:	siemens	model:	head-end system universal device integration system	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	siveillance vantage	scope:	eq	version:	*	Trust: 1.0
vendor:	intel	model:	system debugger	scope:	eq	version:	-	Trust: 1.0
vendor:	intel	model:	genomics kernel library	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	2.80	Trust: 1.0
vendor:	siemens	model:	siveillance control pro	scope:	eq	version:	*	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	10.0	Trust: 1.0
vendor:	apache	model:	log4j	scope:	gte	version:	2.13.0	Trust: 1.0
vendor:	intel	model:	sensor solution development kit	scope:	eq	version:	-	Trust: 1.0
vendor:	apache	model:	log4j	scope:	gte	version:	2.0.1	Trust: 1.0
vendor:	siemens	model:	desigo cc advanced reports	scope:	eq	version:	5.0	Trust: 1.0
vendor:	siemens	model:	spectrum power 7	scope:	eq	version:	2.30	Trust: 1.0
vendor:	siemens	model:	industrial edge management	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	desigo cc advanced reports	scope:	eq	version:	5.1	Trust: 1.0
vendor:	apache	model:	log4j	scope:	eq	version:	2.0	Trust: 1.0
vendor:	apache	model:	log4j	scope:	lt	version:	2.12.2	Trust: 1.0
vendor:	intel	model:	datacenter manager	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	siguard dsa	scope:	eq	version:	4.4	Trust: 1.0
vendor:	siemens	model:	teamcenter	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	tracealertserverplus	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	siveillance identity	scope:	eq	version:	1.5	Trust: 1.0
vendor:	siemens	model:	solid edge harness design	scope:	eq	version:	2020	Trust: 1.0
vendor:	siemens	model:	gma-manager	scope:	lt	version:	8.6.2j-398	Trust: 1.0
vendor:	siemens	model:	siveillance viewpoint	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	solid edge cam pro	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	energyip	scope:	eq	version:	8.7	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	34	Trust: 1.0
vendor:	siemens	model:	siveillance identity	scope:	eq	version:	1.6	Trust: 1.0
vendor:	siemens	model:	spectrum power 7	scope:	lt	version:	2.30	Trust: 1.0
vendor:	siemens	model:	navigator	scope:	lt	version:	2021-12-13	Trust: 1.0
vendor:	siemens	model:	energy engage	scope:	eq	version:	3.1	Trust: 1.0
vendor:	siemens	model:	xpedition package integrator	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	sppa-t3000 ses3000	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	spectrum power 4	scope:	lt	version:	4.70	Trust: 1.0
vendor:	cvat	model:	computer vision annotation tool	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	e-car operation center	scope:	lt	version:	2021-12-13	Trust: 1.0
vendor:	siemens	model:	6bk1602-0aa12-0tp0	scope:	lt	version:	2.7.0	Trust: 1.0
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	2.85	Trust: 1.0
vendor:	siemens	model:	6bk1602-0aa32-0tp0	scope:	lt	version:	2.7.0	Trust: 1.0
vendor:	siemens	model:	captial	scope:	lt	version:	2019.1	Trust: 1.0
vendor:	siemens	model:	6bk1602-0aa52-0tp0	scope:	lt	version:	2.7.0	Trust: 1.0
vendor:	siemens	model:	sentron powermanager	scope:	eq	version:	4.1	Trust: 1.0
vendor:	siemens	model:	logo\! soft comfort	scope:	eq	version:	*	Trust: 1.0
vendor:	intel	model:	audio development kit	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	sentron powermanager	scope:	eq	version:	4.2	Trust: 1.0
vendor:	intel	model:	system studio	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	siveillance command	scope:	lte	version:	4.16.2.1	Trust: 1.0
vendor:	siemens	model:	nx	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	energyip	scope:	eq	version:	8.6	Trust: 1.0
vendor:	siemens	model:	6bk1602-0aa22-0tp0	scope:	lt	version:	2.7.0	Trust: 1.0
vendor:	siemens	model:	energyip prepay	scope:	eq	version:	3.7	Trust: 1.0
vendor:	siemens	model:	opcenter intelligence	scope:	lte	version:	3.2	Trust: 1.0
vendor:	siemens	model:	desigo cc info center	scope:	eq	version:	5.0	Trust: 1.0
vendor:	siemens	model:	spectrum power 4	scope:	eq	version:	4.70	Trust: 1.0
vendor:	siemens	model:	desigo cc info center	scope:	eq	version:	5.1	Trust: 1.0
vendor:	siemens	model:	captial	scope:	eq	version:	2019.1	Trust: 1.0
vendor:	siemens	model:	energyip	scope:	eq	version:	8.5	Trust: 1.0
vendor:	siemens	model:	xpedition enterprise	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	vesys	scope:	eq	version:	2019.1	Trust: 1.0
vendor:	sonicwall	model:	email security	scope:	lt	version:	10.0.12	Trust: 1.0
vendor:	siemens	model:	industrial edge management hub	scope:	lt	version:	2021-12-13	Trust: 1.0
vendor:	siemens	model:	desigo cc advanced reports	scope:	eq	version:	4.0	Trust: 1.0
vendor:	siemens	model:	desigo cc advanced reports	scope:	eq	version:	4.1	Trust: 1.0
vendor:	siemens	model:	mendix	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	comos	scope:	eq	version:	*	Trust: 1.0
vendor:	siemens	model:	desigo cc advanced reports	scope:	eq	version:	4.2	Trust: 1.0
vendor:	siemens	model:	operation scheduler	scope:	lte	version:	1.1.3	Trust: 1.0
vendor:	siemens	model:	siguard dsa	scope:	eq	version:	4.3	Trust: 1.0
vendor:	apache	model:	log4j	scope:	lt	version:	2.16.0	Trust: 1.0
vendor:	intel	model:	oneapi	scope:	eq	version:	-	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	11.0	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	35	Trust: 1.0
vendor:	siemens	model:	energyip	scope:	eq	version:	9.0	Trust: 1.0
vendor:	siemens	model:	vesys	scope:	lt	version:	2019.1	Trust: 1.0
vendor:	siemens	model:	siguard dsa	scope:	eq	version:	4.2	Trust: 1.0

sources: NVD: CVE-2021-45046

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-45046
value:	CRITICAL
Trust: 1.0
134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2021-45046
value:	CRITICAL
Trust: 1.0
VULHUB:	VHN-408570
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-45046
severity:	MEDIUM
baseScore:	5.1
vectorString:	AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	4.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-408570
severity:	MEDIUM
baseScore:	5.1
vectorString:	AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	4.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-45046
baseSeverity:	CRITICAL
baseScore:	9.0
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.2
impactScore:	6.0
version:	3.1
Trust: 2.0

sources: VULHUB: VHN-408570 // NVD: CVE-2021-45046 // NVD: CVE-2021-45046

PROBLEMTYPE DATA

problemtype:	CWE-917	Trust: 1.0
problemtype:	CWE-502	Trust: 0.1

sources: VULHUB: VHN-408570 // NVD: CVE-2021-45046

THREAT TYPE

remote

Trust: 0.2

sources: PACKETSTORM: 166673 // PACKETSTORM: 166676

TYPE

code execution

Trust: 0.6

sources: PACKETSTORM: 165326 // PACKETSTORM: 165343 // PACKETSTORM: 165632 // PACKETSTORM: 165636 // PACKETSTORM: 165637 // PACKETSTORM: 165650

EXTERNAL IDS

db:	NVD	id:	CVE-2021-45046	Trust: 2.7
db:	CERT/CC	id:	VU#930724	Trust: 1.9
db:	SIEMENS	id:	SSA-661247	Trust: 1.1
db:	SIEMENS	id:	SSA-397453	Trust: 1.1
db:	SIEMENS	id:	SSA-479842	Trust: 1.1
db:	SIEMENS	id:	SSA-714170	Trust: 1.1
db:	OPENWALL	id:	OSS-SECURITY/2021/12/14/4	Trust: 1.1
db:	OPENWALL	id:	OSS-SECURITY/2021/12/18/1	Trust: 1.1
db:	OPENWALL	id:	OSS-SECURITY/2021/12/15/3	Trust: 1.1
db:	PACKETSTORM	id:	165343	Trust: 0.2
db:	PACKETSTORM	id:	165637	Trust: 0.2
db:	PACKETSTORM	id:	165636	Trust: 0.2
db:	PACKETSTORM	id:	165650	Trust: 0.2
db:	PACKETSTORM	id:	165326	Trust: 0.2
db:	PACKETSTORM	id:	165632	Trust: 0.2
db:	PACKETSTORM	id:	165333	Trust: 0.1
db:	PACKETSTORM	id:	165329	Trust: 0.1
db:	PACKETSTORM	id:	165649	Trust: 0.1
db:	PACKETSTORM	id:	165645	Trust: 0.1
db:	CNVD	id:	CNVD-2022-01776	Trust: 0.1
db:	VULHUB	id:	VHN-408570	Trust: 0.1
db:	PACKETSTORM	id:	166673	Trust: 0.1
db:	PACKETSTORM	id:	166676	Trust: 0.1

sources: CERT/CC: VU#930724 // VULHUB: VHN-408570 // PACKETSTORM: 165326 // PACKETSTORM: 165343 // PACKETSTORM: 165632 // PACKETSTORM: 165636 // PACKETSTORM: 165637 // PACKETSTORM: 166673 // PACKETSTORM: 166676 // PACKETSTORM: 165650 // NVD: CVE-2021-45046

REFERENCES

url:	https://www.kb.cert.org/vuls/id/930724	Trust: 1.1
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-apache-log4j-qruknebd	Trust: 1.1
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf	Trust: 1.1
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf	Trust: 1.1
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf	Trust: 1.1
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf	Trust: 1.1
url:	https://logging.apache.org/log4j/2.x/security.html	Trust: 1.1
url:	https://psirt.global.sonicwall.com/vuln-detail/snwlid-2021-0032	Trust: 1.1
url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/alert-cve-2021-44228.html	Trust: 1.1
url:	https://www.debian.org/security/2021/dsa-5022	Trust: 1.1
url:	https://www.cve.org/cverecord?id=cve-2021-44228	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpuapr2022.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpujan2022.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpujul2022.html	Trust: 1.1
url:	http://www.openwall.com/lists/oss-security/2021/12/14/4	Trust: 1.1
url:	http://www.openwall.com/lists/oss-security/2021/12/15/3	Trust: 1.1
url:	http://www.openwall.com/lists/oss-security/2021/12/18/1	Trust: 1.1
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/sig7fzulmnk2xf6fzru4vwydqxnmugaj/	Trust: 1.0
url:	https://security.gentoo.org/glsa/202310-16	Trust: 1.0
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/eokpqgv24rrbbi4tbzudqmm4meh7mxcy/	Trust: 1.0
url:	cve-2021-4104	Trust: 0.8
url:	cve-2021-44228	Trust: 0.8
url:	cve-2021-45046	Trust: 0.8
url:	https://access.redhat.com/security/cve/cve-2021-45046	Trust: 0.8
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-45046	Trust: 0.8
url:	https://bugzilla.redhat.com/):	Trust: 0.8
url:	https://access.redhat.com/security/team/contact/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-44832	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-45105	Trust: 0.6
url:	https://access.redhat.com/security/cve/cve-2021-45105	Trust: 0.6
url:	https://access.redhat.com/security/cve/cve-2021-44832	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-4104	Trust: 0.4
url:	https://access.redhat.com/security/vulnerabilities/rhsb-2021-009	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2021-4104	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2021-44228	Trust: 0.3
url:	https://access.redhat.com/security/updates/classification/#critical	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2021-44228	Trust: 0.3
url:	https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/	Trust: 0.3
url:	https://access.redhat.com/security/updates/classification/#low	Trust: 0.3
url:	https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/	Trust: 0.3
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=securitypatches&product=appplatform&version=7.4	Trust: 0.2
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-23307	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-23302	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-23305	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2022-23302	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2022-23305	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2022-23307	Trust: 0.2
url:	https://issues.jboss.org/):	Trust: 0.2
url:	https://access.redhat.com/articles/11258	Trust: 0.2
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/eokpqgv24rrbbi4tbzudqmm4meh7mxcy/	Trust: 0.1
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/sig7fzulmnk2xf6fzru4vwydqxnmugaj/	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:5141	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-43527	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2021:5107	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-43527	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/deploying_into_spring_boot/patch-red-hat-fuse-applications	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/installing_on_apache_karaf/apply-hotfix-patch	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=securitypatches&product=jboss.fuse&version=7.09.0	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/installing_on_apache_karaf/apply-hotfix-patch	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=securitypatches&product=jboss.fuse&version=7.10.0	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/installing_on_apache_karaf/apply-hotfix-patch	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/deploying_into_spring_boot/patch-red-hat-fuse-applications	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:0203	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=securitypatches&product=jboss.fuse&version=7.08.0	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/deploying_into_spring_boot/patch-red-hat-fuse-applications	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:0216	Trust: 0.1
url:	https://access.redhat.com/solutions/6577421	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:0083	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product\xcatrhoar.eclipse.vertx&version=4.1.8	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.1/html/release_notes_for_eclipse_vert.x_4.1/index	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:1299	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:1297	Trust: 0.1
url:	https://access.redhat.com/security/team/key/	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q1	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=red.hat.integration&version	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:0223	Trust: 0.1

CREDITS

Much of the content of this vulnerability note is derived from Apache Log4j Security Vulnerabilities and http://slf4j.org/log4shell.html.This document was written by Art Manion.

Trust: 0.8

sources: CERT/CC: VU#930724

SOURCES

db:	CERT/CC	id:	VU#930724
db:	VULHUB	id:	VHN-408570
db:	PACKETSTORM	id:	165326
db:	PACKETSTORM	id:	165343
db:	PACKETSTORM	id:	165632
db:	PACKETSTORM	id:	165636
db:	PACKETSTORM	id:	165637
db:	PACKETSTORM	id:	166673
db:	PACKETSTORM	id:	166676
db:	PACKETSTORM	id:	165650
db:	NVD	id:	CVE-2021-45046

LAST UPDATE DATE

2025-10-20T02:55:53.001000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#930724	date:	2022-02-07T00:00:00
db:	VULHUB	id:	VHN-408570	date:	2022-10-06T00:00:00
db:	NVD	id:	CVE-2021-45046	date:	2025-03-12T19:52:00.270

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#930724	date:	2021-12-15T00:00:00
db:	VULHUB	id:	VHN-408570	date:	2021-12-14T00:00:00
db:	PACKETSTORM	id:	165326	date:	2021-12-16T15:22:54
db:	PACKETSTORM	id:	165343	date:	2021-12-17T14:05:45
db:	PACKETSTORM	id:	165632	date:	2022-01-20T17:49:05
db:	PACKETSTORM	id:	165636	date:	2022-01-20T17:49:52
db:	PACKETSTORM	id:	165637	date:	2022-01-20T17:50:03
db:	PACKETSTORM	id:	166673	date:	2022-04-11T17:07:22
db:	PACKETSTORM	id:	166676	date:	2022-04-11T17:14:49
db:	PACKETSTORM	id:	165650	date:	2022-01-21T15:29:54
db:	NVD	id:	CVE-2021-45046	date:	2021-12-14T19:15:07.733