
SUSE OpenStack Cloud 9: 2022:0354-1 Critical Remote Code Execution Threat

suse
February 9, 2022
SUSE has updated its elasticsearch and kafka packages, together with the related components listed below, to address remote code execution and SQL injection flaws in the bundled Log4j 1.x.
An update that fixes four vulnerabilities is now available

Summary

This update for elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh, openstack-monasca-thresh-kit, spark, spark-kit, storm, storm-kit, venv-openstack-monasca, zookeeper, zookeeper-kit fixes the following issues:

- CVE-2021-4104: Fixed remote code execution through JMS API via the ldap JNDI parser (bsc#1193662).
- CVE-2022-23302: Fixed remote code execution in Log4j 1.x when application is configured to use JMSSink (bsc#1194842).
- CVE-2022-23305: Fixed SQL injection in Log4j 1.x when application is configured to use JDBCAppender (bsc#1194843).
- CVE-2022-23307: Fixed deserialization flaw in the Chainsaw component of
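Two of the fixed issues only matter when the application is configured to use a particular Log4j 1.x appender. As an added example (not code from SUSE or from the advisory), here is a defender-side scan of Log4j 1.x configuration text (properties or XML style) that flags JMSAppender and JDBCAppender declarations, the preconditions for CVE-2021-4104 and CVE-2022-23305; the sample configurations are constructed for the demonstration.

```python
import re

# Added example (not from the SUSE advisory): flag Log4j 1.x appender classes
# whose presence is the precondition the advisory names ("when application is
# configured to use ..."). JMSSink (CVE-2022-23302) runs as its own receiver
# process rather than being declared in a config file, so it is not covered.
RISKY_CLASSES = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}
# log4j.properties style: log4j.appender.<name>=<class> (lines such as
# log4j.appender.<name>.File=... do not match: the '=' is not in that position)
PROPS_RE = re.compile(r"^\s*log4j\.appender\.([\w-]+)\s*=\s*(\S+)\s*$", re.M)
# log4j.xml style: <appender name="..." class="..."> in any attribute order
XML_TAG_RE = re.compile(r"<appender\s+([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def find_risky_appenders(config_text):
    """Return [(appender name, class, CVE)] for every risky appender declared."""
    hits = []
    for name, cls in PROPS_RE.findall(config_text):
        if cls in RISKY_CLASSES:
            hits.append((name, cls, RISKY_CLASSES[cls]))
    for attrs_text in XML_TAG_RE.findall(config_text):
        attrs = dict(ATTR_RE.findall(attrs_text))
        cls = attrs.get("class", "")
        if cls in RISKY_CLASSES:
            hits.append((attrs.get("name", "?"), cls, RISKY_CLASSES[cls]))
    return hits


# Constructed sample configs (hypothetical; not taken from any SUSE package)
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/example/app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=exampleTopic
"""
SAMPLE_XML = """\
<appender name="db" class="org.apache.log4j.jdbc.JDBCAppender">
  <param name="URL" value="jdbc:example://db.example/logs"/>
</appender>
"""

if __name__ == "__main__":
    for cfg in (SAMPLE_PROPERTIES, SAMPLE_XML):
        for name, cls, cve in find_risky_appenders(cfg):
            print(f"{cve}: appender '{name}' uses {cls}")
```

A hit means the vulnerable code path is reachable from the configuration; the fix is still the package update, the scan only helps prioritise which hosts to patch first.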

References

bsc#1193662, bsc#1194842, bsc#1194843, bsc#1194844

Cross-References: CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307

CVSS scores:

- CVE-2021-4104 (NVD): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVE-2021-4104 (SUSE): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
- CVE-2022-23302 (NVD): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVE-2022-23302 (SUSE): 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
- CVE-2022-23305 (NVD): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVE-2022-23305 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVE-2022-23307 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:

SUSE OpenStack Cloud 9

SUSE OpenStack Cloud Crowbar 9

https://www.suse.com/security/cve/CVE-2021-4104.html


Announcement ID: SUSE-SU-2022:0354-1
Rating: important
