ID

VAR-202112-0566

CVE

CVE-2021-44228

TITLE

Debian Security Advisory 5020-1

DESCRIPTION

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. This update also fixes CVE-2020-9488 in the oldstable distribution (buster). Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. For the oldstable distribution (buster), this problem has been fixed in version 2.15.0-1~deb10u1. For the stable distribution (bullseye), this problem has been fixed in version 2.15.0-1~deb11u1. We recommend that you upgrade your apache-log4j2 packages. For the detailed security status of apache-log4j2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/apache-log4j2 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmG0+YVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeQvXA/+LIMVC0X80Qc6No564VodtTN3Ci0NyaUcQyZG8Gyo2tPuwKEpOUpmom7f wcZvQgKvwxs3Ad1M5Zt/6Ql3v0KbwzBah0v8KUV86B6g4yb+Wno7iKQR1mN47bpz 2SJPzf6IECwtmz3zYI3fLuJJ/dvAMRlQ+nhPsC8/zJGJgfFHFmDyfG8TtlrYLUHS Pjpov4C/VllQGJ5MjyVF93OqTCy4V7WxH/RgT1YBOs71KNCq5yPoch35geytSQoM Kk59qFLQgST2kYhLVxRRbdQAAhbA7W5XythKqphon6nRmlJPHSGkXMf9s0N3cm6K Zkmvo2/A29FiceZj/bSM4/qw7gqbsJfpSMcTKmxhReolsXAJVj4mGu9cZZTAP7Tb g8fl8kGljFd01ka0208eFyILHCR2bAF2xgS1nG6TCc170azDkvW38fZHHkLQIPbF TOwxoNv8dHgyT6pfI+BDYKy9pNvrLk/jqXkOpry6nY+Ji/RcjGBDIR3VP25VsMk8 6zwERE1LX0IvwiaSFBg6oyWW4siINZzFyVXryLvRr/YBIAYKGv+Y1Wn8ageACItW 2SZjLbK4uBTOHyvPITBgOZSYD7kYcTPxdbb8ntw7Uo489hYXzjYlloTBoUPg1G3o gyZnRfW0yYf2bA63I7vVBDTITt8K4H1UkUDEOIUjXGekFLqDnGw= =BY2+ -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Critical: Red Hat Data Grid 8.2.2 security update Advisory ID: RHSA-2021:5132-01 Product: Red Hat JBoss Data Grid Advisory URL: https://access.redhat.com/errata/RHSA-2021:5132 Issue date: 2021-12-14 CVE Names: CVE-2021-44228 ===================================================================== 1. Summary: An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.2.2 replaces Data Grid 8.2.1 and includes bug fixes and enhancements. Find out more about Data Grid 8.2.2 in the Release Notes [3]. Security Fix(es): * log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: To install this update, do the following: 1. Download the Data Grid 8.2.2 server patch from the customer portal[²]. 2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. 3. Install the Data Grid 8.2.2 server patch. Refer to the 8.2.2 Release Notes[³] for patching instructions. 4. Restart Data Grid to ensure the changes take effect. 4. Bugs fixed (https://bugzilla.redhat.com/): 2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value 5. References: https://access.redhat.com/security/cve/CVE-2021-44228 https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381&product=data.grid&version=8.2&downloadType=patches https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html-single/red_hat_data_grid_8.2_release_notes/index https://access.redhat.com/security/vulnerabilities/RHSB-2021-009 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYblI0NzjgjWX9erEAQj7mw//TtZnFmrLI6Ts7uC19MnLA/vVPXT1i2Qz R1CZ4T7QCZkiJCNXvwYHj7iQgOm5o/seXRE38qGtJWqiyrZMGHVQnDl1Vuhm31jg 6lxhpjn0kKKZanznosCxF3U2ovLhrEx+5in4piNiyV6CKkkgBV7UvESGWlIKiumq 1r79DAQ7WdYPoOk+m+b5p/okFJXyD0FcEbrqZcgJQCmR9zyJ6DGAy4N9+cgEgGaC QoVZaXa+pUEVjiAOAg0XNcb+GyYSMFwkPUR14NI0V2OHIo97aBg9AG1HrOj3QmSG 5LR/8zWQbfSbtTIzR67gBGF8F8nvnEeBARYje97Cx2FcHGDFisLHM8OGqFNjU5+I HepIdPjwcoy3kPDSfQ9WXx7Iz03tMCbhMWUhH9MRYuUAzCHgsAryZ4AnTBa+Hn7B 7WHuVf24eFcoJysoWGsbQZDzN5oxqIRXP2mA5k7MVemHV5L+7KV15KyJWaDqTdI+ DTpw8kP/WboloegmZmaqbPLlfvl91G8LjU5yfLaa+rNHkbyT4G1c3iQm5yLWlsYW yfGf+XiZPoF5S6862qdx7YPZG0yTkaUYU0Spnr8eV9wt9uUIp57jczrBzgBKYlN0 BdNv9DgqbGvhmdz/k95gRZUpdYAvF6J4+Y4h9uXgxqfdGZjFCSlegOG8gleCnvEw dfFqyyf+3ZQ= =be8O -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Description: Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. The References section of this erratum contains a download link (you must log in to download the update). JIRA issues fixed (https://issues.jboss.org/): LOG-1775 - [release-5.2] Syslog output is serializing json incorrectly LOG-1824 - [release-5.2] Rejected by Elasticsearch and unexpected json-parsing LOG-1963 - [release-5.2] CLO panic: runtime error: slice bounds out of range [:-1] LOG-1970 - Applying cluster state is causing elasticsearch to hit an issue and become unusable 6. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. ========================================================================= Ubuntu Security Notice USN-5192-2 December 17, 2021 apache-log4j2 vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 ESM Summary: Apache Log4j 2 could be made to crash or run programs as an administrator if it received a specially crafted input. This update provides the corresponding update for Ubuntu 16.04 ESM. Original advisory details: Chen Zhaojun discovered that Apache Log4j 2 allows remote attackers to run programs via a special crafted input. An attacker could use this vulnerability to cause a denial of service or possibly execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 ESM: liblog4j2-java 2.4-2ubuntu0.1~esm1 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2022-03-14-7 Xcode 13.3 Xcode 13.3 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213189. iTMSTransporter Available for: macOS Monterey 12 and later Impact: Multiple issues in iTMSTransporter Description: Multiple issues were addressed with updating FasterXML jackson-databind and Apache Log4j2. CVE-2019-14379 CVE-2021-44228 otool Available for: macOS Monterey 12 and later Impact: Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2022-22601: hjy79425575 CVE-2022-22602: hjy79425575 CVE-2022-22603: hjy79425575 CVE-2022-22604: hjy79425575 CVE-2022-22605: hjy79425575 CVE-2022-22606: hjy79425575 CVE-2022-22607: hjy79425575 CVE-2022-22608: hjy79425575 Additional recognition iTMSTransporter We would like to acknowledge Anthony Shaw of Microsoft for their assistance. ld64 We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of Alibaba Security Pandora Lab for their assistance. Xcode IDE We would like to acknowledge an anonymous researcher for their assistance. Xcode 13.3 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "Xcode 13.3". All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. Solution: See the following documentation, which will be updated shortly for release 3.11.z, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html This update is available via the Red Hat Network. VMware Unified Access Gateway VMware Carbon Black Workload Appliance VMware Site Recovery Manager, vSphere Replication VMware Tanzu GemFire VMware Tanzu GemFire for VMs VMware Tanzu Operations Manager VMware Tanzu Application Service for VMs VMware Horizon Agents Installer You are receiving this alert because you are subscribed to the VMware Security Announcements mailing list. To modify your subscription or unsubscribe please visit https://lists.vmware.com/mailman/listinfo/security-announce

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

code execution

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS