
openSUSE Leap 15.3: 2021:4109-1 Important: logback Remote Code Execution

openSUSE, December 17, 2021
This openSUSE patch for logback addresses one remote code execution vulnerability; installation guidelines are provided below.
An update that fixes one vulnerability is now available

Description

This update for logback fixes the following issues:

Upgrade to version 1.2.8

+ In response to log4Shell/CVE-2021-44228, all JNDI lookup code in logback has been disabled until further notice. This impacts ContextJNDISelector and the insertFromJNDI element in configuration files.

+ Also in response to log4Shell/CVE-2021-44228, all database (JDBC) related code in the project has been removed with no replacement.

+ Note that the vulnerability mentioned in LOGBACK-1591 requires write access to logback's configuration file as a prerequisite. log4Shell/CVE-2021-44228 and LOGBACK-1591 are of different severity levels. A successful RCE requires all of the following conditions to be met:

  - write access to logback.xml
  - use of versions lower than 1.2.8
  - reloading of poisoned configuration data, which implies an application restart or scan="true" set prior to the attack
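As an added defender-side example (not part of the openSUSE advisory or of logback itself), the following Python script audits a logback.xml for the two configuration conditions listed above, use of insertFromJNDI and scan="true" hot reload, and checks whether the installed package version is at or above 1.2.8. The sample configuration and the helper names are constructed for illustration.

```python
# Added defender-side check (not from the openSUSE advisory): audit a logback
# configuration for the conditions the advisory names (insertFromJNDI use and
# scan="true" hot reload) and confirm the installed version is >= 1.2.8.
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 2, 8)  # release in which logback disabled JNDI lookups

def parse_version(text):
    """Turn '1.2.8-3.3.1' or '1.2.7' into a comparable tuple of ints."""
    core = text.split("-")[0]          # drop the distro release suffix
    return tuple(int(p) for p in core.split("."))

def version_is_fixed(text):
    """True when the version carries the JNDI-disabling change (>= 1.2.8)."""
    return parse_version(text) >= FIXED_VERSION

def audit_logback_config(xml_text):
    """Return a list of findings for a logback.xml document given as a string."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "configuration":
        findings.append("unexpected root element: " + root.tag)
    if root.get("scan", "").lower() == "true":
        findings.append('scan="true": configuration is reloaded without an application restart')
    for elem in root.iter("insertFromJNDI"):
        findings.append("insertFromJNDI element found (env-entry-name=%s)" % elem.get("env-entry-name"))
    return findings

def assess(xml_text, installed_version):
    """Combine config findings with the version check; RCE needs every condition."""
    findings = audit_logback_config(xml_text)
    if version_is_fixed(installed_version):
        findings.append("logback %s: JNDI lookups are disabled, findings above are informational" % installed_version)
    return findings

# Constructed sample configuration (not from the advisory) showing both conditions.
SAMPLE_CONFIG = """<configuration scan="true" scanPeriod="30 seconds">
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName"/>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level ${appName} - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_CONFIG, "1.2.8-3.3.1"):
        print(finding)
```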

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.3:

zypper in -t patch openSUSE-SLE-15.3-2021-4109=1

Package List

- openSUSE Leap 15.3 (noarch):
  logback-1.2.8-3.3.1
  logback-access-1.2.8-3.3.1
  logback-examples-1.2.8-3.3.1
  logback-javadoc-1.2.8-3.3.1

References

https://www.suse.com/security/cve/CVE-2021-44228.html

https://bugzilla.suse.com/1193795

Severity
important

Announcement ID: openSUSE-SU-2021:4109-1
Rating: important
Affected Products: openSUSE Leap 15.3.
