Alerts This Week
Warning Icon 1 692
Alerts This Week
Warning Icon 1 692

SUSE: 2022:0355-1 Important: Elasticsearch And Kafka Security Fixes

suse
Calendar Grey February 9, 2022
Dist Suse Esm H88
Keep your SUSE systems secure and efficient by updating Elasticsearch, Kafka, and Logstash to fix critical vulnerabilities with these detailed instructions
An update that fixes four vulnerabilities is now available

Summary

This update for elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh, openstack-monasca-thresh-kit, spark, spark-kit, venv-openstack-monasca, zookeeper, zookeeper-kit fixes the following issues: - CVE-2021-4104: Fixed remote code execution through JMS API via the ldap JNDI parser (bsc#1193662). - CVE-2022-23302: Fixed remote code execution in Log4j 1.x when application is configured to use JMSSink (bsc#1194842). - CVE-2022-23305: Fixed SQL injection in Log4j 1.x when application is configured to use JDBCAppender (bsc#1194843).

Topics%20covered

Topics Covered

security advisory remote code execution SQL injection SUSE elasticsearch kafka logstash

References

#1193662 #1194842 #1194843 #1194844

Cross- CVE-2021-4104 CVE-2022-23302 CVE-2022-23305

CVE-2022-23307

CVSS scores:

CVE-2021-4104 (NVD) : 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-4104 (SUSE): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-23302 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-23302 (SUSE): 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-23305 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-23305 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-23307 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:

HPE Helion Openstack 8

SUSE OpenStack Cloud 8

SUSE OpenStack Cloud Crowbar 8

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: SUSE-SU-2022:0355-1
Rating: important

Topics%20covered

Topics Covered

security advisory remote code execution SQL injection SUSE elasticsearch kafka logstash

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here