Mageia 2021-0566: log4j security update

Advisories

MGASA-2021-0566 - Updated log4j packages fix security vulnerability

Publication date: 19 Dec 2021
URL: https://advisories.mageia.org/MGASA-2021-0566.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0
was incomplete in certain non-default configurations. This could allows
attackers with control over Thread Context Map (MDC) input data when the
logging configuration uses a non-default Pattern Layout with either a
Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map
pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI
Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0
makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by
default. Log4j 2.16.0 fixes this issue by removing support for message
lookup patterns and disabling JNDI functionality by default
(CVE-2021-45046).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29766
- https://www.openwall.com/lists/oss-security/2021/12/14/4
- https://github.com/advisories/GHSA-7rjr-3q55-vv33
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

SRPMS:
- 8/core/log4j-2.16.0-1.mga8

Mageia 2021-0566: log4j security update

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations

Summary

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default (CVE-2021-45046).

References

- https://bugs.mageia.org/show_bug.cgi?id=29766

- https://www.openwall.com/lists/oss-security/2021/12/14/4

- https://github.com/advisories/GHSA-7rjr-3q55-vv33

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

Resolution

MGASA-2021-0566 - Updated log4j packages fix security vulnerability

SRPMS

- 8/core/log4j-2.16.0-1.mga8

Severity
Publication date: 19 Dec 2021
URL: https://advisories.mageia.org/MGASA-2021-0566.html
Type: security
CVE: CVE-2021-45046

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.