MGASA-2021-0566 - Updated log4j packages fix security vulnerability

Publication date: 19 Dec 2021
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0
was incomplete in certain non-default configurations. This could allows
attackers with control over Thread Context Map (MDC) input data when the
logging configuration uses a non-default Pattern Layout with either a
Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map
pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI
Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0
makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by
default. Log4j 2.16.0 fixes this issue by removing support for message
lookup patterns and disabling JNDI functionality by default


- 8/core/log4j-2.16.0-1.mga8