ID

VAR-202112-0566

CVE

CVE-2021-44228

TITLE

Apache Log4j allows insecure JNDI lookups

DESCRIPTION

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j.CVE-2021-4104 Affected CVE-2021-44228 Affected CVE-2021-45046 AffectedCVE-2021-4104 Affected CVE-2021-44228 Affected CVE-2021-45046 Affected. Solution: For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update: https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html For Red Hat OpenShift Logging 5.1, see the following instructions to apply this update: https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html 4. JIRA issues fixed (https://issues.jboss.org/): LOG-1971 - Applying cluster state is causing elasticsearch to hit an issue and become unusable 6. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Critical: Red Hat build of Eclipse Vert.x 4.1.5 SP1 security update Advisory ID: RHSA-2021:5093-01 Product: Red Hat OpenShift Application Runtimes Advisory URL: https://access.redhat.com/errata/RHSA-2021:5093 Issue date: 2021-12-14 CVE Names: CVE-2021-44228 ==================================================================== 1. Summary: An update is now available for Red Hat build of Eclipse Vert.x. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE pages listed in the References section. 2. Description: This release of Red Hat build of Eclipse Vert.x 4.1.5 SP1 includes security updates. For more information, see the release notes listed in the References section. Security Fix(es): * log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228) For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. 4. Bugs fixed (https://bugzilla.redhat.com/): 2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value 5. References: https://access.redhat.com/security/cve/CVE-2021-44228 https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product\xcatRhoar.eclipse.vertx&version=4.1.5.SP1 https://access.redhat.com/security/vulnerabilities/RHSB-2021-009 https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.1/html/release_notes_for_eclipse_vert.x_4.1/index 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYbj1DdzjgjWX9erEAQhxyA/8DjakF9qQUEpnpBiM22WJ7YmI0NTZ0pwh 6pIex/TSODetn5yq5CWBV0Y5jm7UiIkpECSiSakJHprnLZyXZ522bmtyRVnagnfk 7V+hUbVr9J/PbQ4PJEpLH6mrcNTgwW29itCuQAdBJ7a3oD/cm4MOcP3QpJffVtwR t0/Ke01AHRY6A+C3r711hTn0qtVFVXrV8qxL2+poWZZC6eVuJXb8MNgI0D2vbrWb OLYDYDjppSAi4LO9bHW1CNENywCFHQbaPPoMeq4tyHeiwM83UmiARHzRjRXu6twI A9KBktWwqXR5DB2UL1ei967y0rcNLDcAGml9J5quqy9ibHkgpVPuSLT3PXuSbC+A OGof+p3wjqjbdxRIslxaQOT/xnRCFpHetMtEIfC5335i+8gDsWMiIJxH9AyrlTxF nXasFv9NIjewmU1F6QnRBLcZi7Zq7PUWQ4knFBoNOWRnew2F8R464RzR5VS/oliy m0UUoRFHQaLkXD7G6vKha68tIDPsk2cHaZG66gplHyvKBc3gNPDIOsk+zinQTBx/ yoBiqyDnSAAYUGUU4g7+/Hrqmv490k3/z+aaxpU8LIXeNdrlDkecpa5IFKHwDXD/ +TFJHH93Q8zJ8XiFGR8IjLjtz6HcHNwW3MqJW25u6S7gq8qGZCIvlAmsLJfcX5V9 Vms+hKYLCSU=nW2M -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Description: Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. ========================================================================= Ubuntu Security Notice USN-5192-2 December 17, 2021 apache-log4j2 vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 ESM Summary: Apache Log4j 2 could be made to crash or run programs as an administrator if it received a specially crafted input. This update provides the corresponding update for Ubuntu 16.04 ESM. Original advisory details: Chen Zhaojun discovered that Apache Log4j 2 allows remote attackers to run programs via a special crafted input. An attacker could use this vulnerability to cause a denial of service or possibly execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 ESM: liblog4j2-java 2.4-2ubuntu0.1~esm1 In general, a standard system update will make all the necessary changes. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Installation instructions are available from the Fuse product documentation pages: Fuse 7.8: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/installing_on_apache_karaf/apply-hotfix-patch https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/deploying_into_spring_boot/patch-red-hat-fuse-applications Fuse 7.9: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/installing_on_apache_karaf/apply-hotfix-patch https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/deploying_into_spring_boot/patch-red-hat-fuse-applications Fuse 7.10: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/installing_on_apache_karaf/apply-hotfix-patch https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/deploying_into_spring_boot/patch-red-hat-fuse-applications 4. VMware Unified Access Gateway VMware Carbon Black Workload Appliance VMware Site Recovery Manager, vSphere Replication VMware Tanzu GemFire VMware Tanzu GemFire for VMs VMware Tanzu Operations Manager VMware Tanzu Application Service for VMs VMware Horizon Agents Installer You are receiving this alert because you are subscribed to the VMware Security Announcements mailing list. To modify your subscription or unsubscribe please visit https://lists.vmware.com/mailman/listinfo/security-announce

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

code execution

CONFIGURATIONS

EXPLOIT AVAILABILITY

EXTERNAL IDS

REFERENCES