ID

VAR-202112-0566

CVE

CVE-2021-44228

TITLE

Apache Log4j allows insecure JNDI lookups

DESCRIPTION

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j.CVE-2021-4104 Affected CVE-2021-44228 Affected CVE-2021-45046 AffectedCVE-2021-4104 Affected CVE-2021-44228 Affected CVE-2021-45046 Affected. Apache Log4j is a Java-based open source logging tool of the Apache Foundation. Apache log4j2 has a denial of service vulnerability. When improperly configured, an attacker can exploit this vulnerability to cause a denial of service attack. JIRA issues fixed (https://issues.jboss.org/): LOG-1775 - [release-5.2] Syslog output is serializing json incorrectly LOG-1824 - [release-5.2] Rejected by Elasticsearch and unexpected json-parsing LOG-1963 - [release-5.2] CLO panic: runtime error: slice bounds out of range [:-1] LOG-1970 - Applying cluster state is causing elasticsearch to hit an issue and become unusable 6. The purpose of this text-only errata is to inform you about the security issues fixed. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Low: Red Hat JBoss Enterprise Application Platform 7.4 security update Advisory ID: RHSA-2021:5140-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2021:5140 Issue date: 2021-12-15 CVE Names: CVE-2021-44228 ==================================================================== 1. Summary: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4. Security Fix(es): * log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228) For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section. 3. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value 5. References: https://access.redhat.com/security/cve/CVE-2021-44228 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=7.4 https://access.redhat.com/solutions/6577421 https://access.redhat.com/security/vulnerabilities/RHSB-2021-009 https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYbmdF9zjgjWX9erEAQg7Bg//QTWXVl6Au/rNu96FO/u13bKZFX6Rj1Ev 6q++z9GpMumsxMxpXAkNGLk8rsB23XXC0gnOJjP8u0cZ+qN9l+Z1KG25bvJywm8t VrRcwsxlvxzOODp8ongvkJ20rARAHEyMtSjTy/NkSNiZUBHWTqw0u7LDwaaO+r8T fEmRC3t4GJ1gUiqjMeLWjpi7bvl4GcXDHD+Jbf4a10PHYZAC5I0Oh4j/DJYH31CT cbKOd4CCiuERnbR1Y/ZCWNxpgonwCD12Q+bXbmTc+/oGW0zmqI5OwXgy2w56yCdy EYXUfPK2e0EoFCcQxa4yC2YmRS6VRix1KYLy5XKaHFaV4RRqkbsL2yDCr4/EUeRy a7jeJK7wcbpbR0iKijQJuF00+pqpOmBn5sqV5P+IUyD7Iwt6C5OqsRinLS6OWP7D 85iS55Vf7bY8ZLvz8x7v3IsFx6vuLV6YD8S504oKrX5aQI/pUYz9XVH7hMAlhFdB wlETMdxdk6oiEpPwi9/DBse0/aFGLuXW9vDD5X6BzW9ZZs+cpyJGtWH6ep5lVear Fi4N7Easy+iT/K8g9tJOiTy9O2SIr5S2AJvmu7j9YqXtm2qOPuY8U8FjaXXFVDgF maPElBFrg9V46XaBp1IQXH3UZ6869nP9XMt2kh8rCm3zHbA6R5kzaXW93hbzKJcl abX8PaJHiOs=v55Q -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Solution: See the following documentation, which will be updated shortly for release 3.11.z, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html This update is available via the Red Hat Network

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

code execution

EXPLOIT AVAILABILITY

EXTERNAL IDS

REFERENCES