MGASA-2021-0556 - Updated log4j packages fix security vulnerability

Publication date: 11 Dec 2021
URL: https://advisories.mageia.org/MGASA-2021-0556.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-44228

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages,
and parameters do not protect against attacker controlled LDAP and other
JNDI related endpoints. An attacker who can control log messages or log
message parameters can execute arbitrary code loaded from LDAP servers
when message lookup substitution is enabled. From log4j 2.15.0, this
behavior has been disabled by default. (CVE-2021-44228)

References:
- https://bugs.mageia.org/show_bug.cgi?id=29753
- https://www.openwall.com/lists/oss-security/2021/12/10/1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

SRPMS:
- 8/core/log4j-2.13.3-1.1.mga8