ID

VAR-202112-0562

CVE

CVE-2021-45046

TITLE

Apache Log4j allows insecure JNDI lookups

DESCRIPTION

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default. Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j.CVE-2021-4104 Affected CVE-2021-44228 Affected CVE-2021-45046 AffectedCVE-2021-4104 Affected CVE-2021-44228 Affected CVE-2021-45046 Affected. For the oldstable distribution (buster), this problem has been fixed in version 2.16.0-1~deb10u1. For the stable distribution (bullseye), this problem has been fixed in version 2.16.0-1~deb11u1. We recommend that you upgrade your apache-log4j2 packages. For the detailed security status of apache-log4j2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/apache-log4j2 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmG7FI5fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeSqOg//XOye7T/8PKOrrUtHFhH+w2dOC0GujwcIS2mhofVuZQTPYvM5uTZxDTuz rQN+T505t9QaP3sF05gXK6VI675HhgmF3d+vDEnhp8QpZX5HeJrmmX44FewZQAqP yMysAuwG1RJ0Qgs7NmppU/XJBnmhJLsqsW99kcDnNXS67D23e1nUqAEDME5baSoF VPc50Up/yh4DE28Jcs8Mh2cM8UqmeLEQJ8XC3IojQLhmOF1UBJuL4K0sEUqWtJeN TytHya2XdfIIZcRolHe6AUeiLP5JpitbqkVP+hEeruAvk8nTGsLi0HMbWxA9LLcB bB9KKJjf6xndRa/t/IXGMzwr883t5/YLdxbCFcGj9M4Bfj7SAhGdgnJHZaRt1quX Vcqnu1pDHpdFuRX4t6oqF9R0uiBGeupZmGdb1y7os+FU2EbTRYU0rlnhfOsou0ex Vh5sFKFDhgWUQoyuVUMh6eOZ7p92GTzbw5kPkvboa7Xdrs02m7ChLlh8f5ajRFrK WbAcwsBj6RK4dmtdvfO2sVEuRTpFQ3qtecwZUR0pqUIjJ+rfurSGmpPr3iOrBu2s ROol/vLfW5uZd6RxSNbt3twPcwBaZagFQCcDY27Yz0sH6DlQUmWed1KJjbRaZ7fn cqjFisSZxu8d5VoAtjMSP8l95FoAm53r9Q1HCZvXqRhBjFNoYqE= =TNnt -----END PGP SIGNATURE----- . Solution: For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html 4. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Installation instructions are available from the Fuse product documentation pages: Fuse 7.8: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/installing_on_apache_karaf/apply-hotfix-patch https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/deploying_into_spring_boot/patch-red-hat-fuse-applications Fuse 7.9: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/installing_on_apache_karaf/apply-hotfix-patch https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/deploying_into_spring_boot/patch-red-hat-fuse-applications Fuse 7.10: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/installing_on_apache_karaf/apply-hotfix-patch https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/deploying_into_spring_boot/patch-red-hat-fuse-applications 4. The References section of this erratum contains a download link for the update. You must be logged in to download the update. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Data Grid 8.2.3 security update Advisory ID: RHSA-2022:0205-01 Product: Red Hat JBoss Data Grid Advisory URL: https://access.redhat.com/errata/RHSA-2022:0205 Issue date: 2022-01-20 CVE Names: CVE-2021-44832 CVE-2021-45046 CVE-2021-45105 ===================================================================== 1. Summary: An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.2.3 replaces Data Grid 8.2.2 and includes bug fixes and enhancements. Find out more about Data Grid 8.2.3 in the Release Notes [3]. 3. Solution: To install this update, do the following: 1. Download the Data Grid 8.2.3 server patch from the customer portal[²]. 2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. 3. Install the Data Grid 8.2.3 server patch. Refer to the 8.2.3 Release Notes[³] for patching instructions. 4. Restart Data Grid to ensure the changes take effect. 4. References: https://access.redhat.com/security/cve/CVE-2021-44832 https://access.redhat.com/security/cve/CVE-2021-45046 https://access.redhat.com/security/cve/CVE-2021-45105 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=data.grid&version=8.2 https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html-single/red_hat_data_grid_8.2_release_notes/index 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYemZbtzjgjWX9erEAQgkThAAhlH9r6fZ08ZbIvy7t5FNceA93qd12PsL bJEZ9axgCc1hrxm5hK2W6x55a2tKQ0ieoFlkF87qZ5FSsEmOWfvCa5Jsr04bGkhI QBiyZvX+de8ZAUcbiXwgsb3LwfY5DAOoLZVZj7tWsxXcl9CG/MGqI452b5jB4oWa 5TXa8YHSz9/vQHtJGmjyuZYJGfH63XvLUu6qHEgCHKhXEQg5p9YrfjbdZWk77mSk N+dqHpXJFo2G+UURxBy615ebIgxA1dUR6pdbCfm/fbUAxnxWPubjNLLGShCUNBP9 /WgSMiv5GT48yhpK0IdTpPmQUAQW3fkgEd58vytgDuQf/7NhsbNFlsj3hugnAmY9 B/Jtwri/dCaOy0EDlDTc22OX7uDXaoSd9t5kjFAiZMOhxRE0hXawGfCxdGq/rgV6 EblcKQ3zW/3lsTj5KdI+0M0kNA6y1i0KP+Iujs12WLzWDANcpyvpuNu5qIMoM16Y iy4QLJkWFcH99toKO6/bEFgINq3C84sDEQNUpgwga+ct5mxsZycn3vSl9QcuoWQD FX9lwXBaxGuvBb/K3pwXfJuRQOFn2tDpwqN0PnyG/4+QLHunSPuQ8vcVx+oG9a2K LpiYxMQawsJiOjEyNUdRt7DDBpU/mVO+pf7lCY/4F5S+xOJ6E6LkJ213aSGaYPBd QiLGYFSmmLk= =y5SE -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. JIRA issues fixed (https://issues.jboss.org/): JBEAP-22105 - (7.4.z) Upgrade from com.io7m.xom:xom 1.2.10 to xom:xom 1.3.7 JBEAP-22385 - (7.4.z) Upgrade ASM from 7.1 to 9.1 JBEAP-22731 - (7.4.z) Upgrade Artemis from 2.16.0.redhat-00032 to 2.16.0.redhat-00034 JBEAP-22738 - (7.4.z) Upgrade jbossws-cxf from 5.4.2.Final to 5.4.4.Final(Fix UsernameTokenElytronTestCase on SE 17) JBEAP-22819 - [GSS] (7.4.z) HAL-1762 - Aliases are removed from the credential store when passwords are updated from the admin console JBEAP-22839 - [GSS](7.4.z) Upgrade yasson from 1.0.9.redhat-00001 to 1.0.10.redhat-00001 JBEAP-22864 - (7.4.z) Upgrade HAL from 3.3.8.Final-redhat-00001 to 3.3.9.Final-redhat-00001 JBEAP-22904 - (7.4.z) Upgrade Hibernate ORM from 5.3.24.Final-redhat-00001 to 5.3.25.Final-redhat-00002 JBEAP-22911 - (7.4.z) Upgrade OpenSSL from 2.1.3.Final-redhat-00001 to 2.2.0.Final-redhat-00001 JBEAP-22912 - (7.4.z) Upgrade OpenSSL Natives from 2.1.0.SP01-redhat-00001 to 2.2.0.Final-redhat-00001 JBEAP-22913 - (7.4.z) Upgrade WildFly Core from 15.0.6.Final-redhat-00003 to 15.0.7.Final-redhat-00001 JBEAP-22935 - (7.4.z) Upgrade jboss-vfs from 3.2.15.Final-redhat-00001 to 3.2.16.Final-redhat-00001 JBEAP-22945 - (7.4.z) Upgrade org.apache.logging.log4j from 2.14.0.redhat-00002 to 2.17.1.redhat-00001 JBEAP-22973 - (7.4.z) Upgrade Elytron from 1.15.9.Final-redhat-00001 to 1.15.11.Final-redhat-00002 JBEAP-23038 - (7.4.z) Upgrade galleon-plugins from 5.1.4.Final to 5.2.6.Final JBEAP-23040 - (7.4.z) Upgrade galleon-plugins in wildfly-core-eap from 5.1.4.Final to 5.2.6.Final JBEAP-23045 - (7.4.z) Upgrade Undertow from 2.2.13.SP2-redhat-00001 to 2.2.16.Final-redhat-0001 JBEAP-23101 - (7.4.z) Upgrade Infinispan from 11.0.12.Final to 11.0.15.Final JBEAP-23105 - (7.4.z) Upgrade Narayana from 5.11.3.Final-redhat-00001 to 5.11.4.Final-redhat-00001 JBEAP-23143 - (7.4.z) Upgrade from org.eclipse.jdt.core.compiler:ecj:4.6.1 to org.eclipse.jdt:ecj:3.26 JBEAP-23177 - (7.4.z) Upgrade XNIO from 3.8.5.SP1-redhat-00001 to 3.8.6.Final-redhat-00001 JBEAP-23323 - [GSS](7.4.z) WFLY-16112 - Batch JobOperatorService should look for only active job names to stop during suspend JBEAP-23373 - (7.4.z) Upgrade OpenSSL from 2.2.0.Final-redhat-00001 to 2.2.0.Final-redhat-00002 JBEAP-23374 - (7.4.z) Upgrade WildFly Core from 15.0.7.Final-redhat-00001 to 15.0.8.Final-redhat-00001 JBEAP-23375 - (7.4.z) Upgrade OpenSSL Natives from 2.2.0.Final-redhat-00001 to 2.2.0.Final-redhat-00002 6. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202310-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Ubiquiti UniFi: remote code execution via bundled log4j Date: October 26, 2023 Bugs: #828853 ID: 202310-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= A vulnerability has been discovered in unifi where bundled log4j can facilitate a remote code execution Background ========= Ubiquiti UniFi is a Management Controller for Ubiquiti Networks UniFi APs. Please review the CVE identifier referenced below for details. Impact ===== An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. Workaround ========= There is no known workaround at this time. Resolution ========= All Ubiquity UniFi users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-wireless/unifi-6.5.55" References ========= [ 1 ] CVE-2021-4104 https://nvd.nist.gov/vuln/detail/CVE-2021-4104 [ 2 ] CVE-2021-45046 https://nvd.nist.gov/vuln/detail/CVE-2021-45046 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202310-16 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

code execution

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Much of the content of this vulnerability note is derived from Apache Log4j Security Vulnerabilities and http://slf4j.org/log4shell.html.This document was written by Art Manion.

SOURCES

LAST UPDATE DATE

2025-03-26T21:24:54.201000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE