Mageia 8: 2021-0566 Critical: Log4j Denial Of Service Threat Advisory
mageia
December 19, 2021
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations
Summary
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0
was incomplete in certain non-default configurations. This could allows
attackers with control over Thread Context Map (MDC) input data when the
logging configuration uses a non-default Pattern Layout with either a
Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map
pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI
Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0
makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by
default. Log4j 2.16.0 fixes this issue by removing support for message
lookup patterns and disabling JNDI functionality by default
(CVE-2021-45046).
References
- https://bugs.mageia.org/show_bug.cgi?id=29766
- https://www.openwall.com/lists/oss-security/2021/12/14/4
- https://github.com/advisories/GHSA-7rjr-3q55-vv33
- https://www.cve.org/CVERecord?id=CVE-2021-45046
Topics Covered
Resolution
SRPMS
- 8/core/log4j-2.16.0-1.mga8
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Publication date: 19 Dec 2021
URL: https://advisories.mageia.org/MGASA-2021-0566.html
Type: security
CVE: CVE-2021-45046
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!