--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-129d8ca6fc
2024-03-07 22:24:39.963937
--------------------------------------------------------------------------------

Name        : log4j
Product     : Fedora 40
Version     : 2.20.0
Release     : 7.fc40
URL         : https://logging.apache.org/log4j/2.x/
Summary     : Java logging package
Description :
Log4j is a tool to help the programmer output log statements to a variety of
output targets.
--------------------------------------------------------------------------------
Update Information:

Change for system JDK from 17 to 21.
upstream security release 122.0.6261.94
  High CVE-2024-1938: Type Confusion in V8
  High CVE-2024-1939: Type Confusion in V8
fixed bug with requires
Automatic update for lucene-9.9.2-1.fc40.
bump java source/target to 1.8, fixes 2266639
--------------------------------------------------------------------------------
ChangeLog:

* Sat Mar  2 2024 Jiri Vanek - 2.20.0-7
- Rebuilt for java-21-openjdk as system jdk
* Fri Mar  1 2024 Jiri Vanek - 2.20.0-6
- bump of release for java-21-openjdk as system jdk
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2123726 - consoleImageViewer crashes at start
        https://bugzilla.redhat.com/show_bug.cgi?id=2123726
  [ 2 ] Bug #2261062 - directory-maven-plugin: FTBFS in Fedora rawhide/f40
        https://bugzilla.redhat.com/show_bug.cgi?id=2261062
  [ 3 ] Bug #2266639 - directory-maven-plugin fails to build with java-21-openjdk
        https://bugzilla.redhat.com/show_bug.cgi?id=2266639
  [ 4 ] Bug #2266934 - CVE-2024-1938 chromium: type confusion [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2266934
  [ 5 ] Bug #2266937 - CVE-2024-1939 chromium: type confusion [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2266937
  [ 6 ] Bug #2267486 - Include Java 21 as system Java Change in Fedora 40 Beta
        https://bugzilla.redhat.com/show_bug.cgi?id=2267486
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-129d8ca6fc' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202312-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Arduino: Remote Code Execution
      Date: December 22, 2023
      Bugs: #830716
        ID: 202312-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in Arduino which bundled a vulnerable
version of log4j.

Background
==========

Arduino is an open-source AVR electronics prototyping platform.

Affected packages
=================

Package                Vulnerable    Unaffected
--------------------   ------------  ------------
dev-embedded/arduino   < 1.8.19      >= 1.8.19

Description
===========

A vulnerability has been discovered in Arduino. Please review the CVE
identifier referenced below for details.

Impact
======

Arduino bundles a vulnerable version of log4j that may lead to remote
code execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Arduino users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-embedded/arduino-1.8.19"

References
==========

[ 1 ] CVE-2021-4104
      https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202310-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Ubiquiti UniFi: remote code execution via bundled log4j
      Date: October 26, 2023
      Bugs: #828853
        ID: 202310-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in unifi where bundled log4j can
facilitate a remote code execution.

Background
==========

Ubiquiti UniFi is a Management Controller for Ubiquiti Networks UniFi
APs.

Affected packages
=================

Package              Vulnerable    Unaffected
------------------   ------------  ------------
net-wireless/unifi   < 6.5.55      >= 6.5.55

Description
===========

A bundled version of log4j could facilitate remote code execution.
Please review the CVE identifier referenced below for details.

Impact
======

An attacker with permission to modify the logging configuration file
can construct a malicious configuration using a JDBC Appender with a
data source referencing a JNDI URI which can execute remote code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Ubiquiti UniFi users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-wireless/unifi-6.5.55"

References
==========

[ 1 ] CVE-2021-4104
      https://nvd.nist.gov/vuln/detail/CVE-2021-4104
[ 2 ] CVE-2021-45046
      https://nvd.nist.gov/vuln/detail/CVE-2021-45046

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-16

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: log4j security update
Advisory ID:       RHSA-2022:5053-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5053
Issue date:        2022-06-15
CVE Names:         CVE-2019-17571
====================================================================

1. Summary:

An update for log4j is now available for Red Hat Enterprise Linux 6
Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 6 ELS) - i386, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6 ELS) - i386, s390x, x86_64

3. Description:

Log4j is a tool to help the programmer output log statements to a variety
of output targets.

Security Fix(es):

* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1785616 - CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer

6. Package List:

Red Hat Enterprise Linux Server (v. 6 ELS):

Source:
log4j-1.2.14-6.7.el6_10.src.rpm

i386:
log4j-1.2.14-6.7.el6_10.i686.rpm
log4j-debuginfo-1.2.14-6.7.el6_10.i686.rpm

s390x:
log4j-1.2.14-6.7.el6_10.s390x.rpm
log4j-debuginfo-1.2.14-6.7.el6_10.s390x.rpm

x86_64:
log4j-1.2.14-6.7.el6_10.x86_64.rpm
log4j-debuginfo-1.2.14-6.7.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6 ELS):

i386:
log4j-debuginfo-1.2.14-6.7.el6_10.i686.rpm
log4j-javadoc-1.2.14-6.7.el6_10.i686.rpm
log4j-manual-1.2.14-6.7.el6_10.i686.rpm

s390x:
log4j-debuginfo-1.2.14-6.7.el6_10.s390x.rpm
log4j-javadoc-1.2.14-6.7.el6_10.s390x.rpm
log4j-manual-1.2.14-6.7.el6_10.s390x.rpm

x86_64:
log4j-debuginfo-1.2.14-6.7.el6_10.x86_64.rpm
log4j-javadoc-1.2.14-6.7.el6_10.x86_64.rpm
log4j-manual-1.2.14-6.7.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-17571
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Fuse 7.10.1 release and security update
Advisory ID:       RHSA-2022:0661-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0661
Issue date:        2022-02-23
CVE Names:         CVE-2021-4104 CVE-2022-23302 CVE-2022-23305
                   CVE-2022-23307
====================================================================

1. Summary:

A minor version update (from 7.10 to 7.10.1) is now available for Red Hat
Fuse. The purpose of this text-only errata is to inform you about the
security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Red Hat Fuse 7.10.1 serves as a replacement for Red Hat
Fuse 7.10, and includes bug fixes and enhancements, which are documented in
the Release Notes document linked to in the References.

Security Fix(es):

* log4j: Remote code execution in Log4j 1.x when application is configured
to use JMSAppender (CVE-2021-4104)

* log4j: Remote code execution in Log4j 1.x when application is configured
to use JMSSink (CVE-2022-23302)

* log4j: SQL injection in Log4j 1.x when application is configured to use
JDBCAppender (CVE-2022-23305)

* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

Installation instructions are available from the Fuse 7.10 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/

4. Bugs fixed (https://bugzilla.redhat.com/):

2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer

5. References:

https://access.redhat.com/security/cve/CVE-2021-4104
https://access.redhat.com/security/cve/CVE-2022-23302
https://access.redhat.com/security/cve/CVE-2022-23305
https://access.redhat.com/security/cve/CVE-2022-23307
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: log4j security update
Advisory ID:       RHSA-2022:0442-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0442
Issue date:        2022-02-07
CVE Names:         CVE-2022-23302 CVE-2022-23305 CVE-2022-23307
====================================================================

1. Summary:

An update for log4j is now available for Red Hat Enterprise Linux 6
Extended Lifecycle Support, Red Hat Enterprise Linux 7, Red Hat Enterprise
Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.4 Advanced
Update Support, Red Hat Enterprise Linux 7.6 Advanced Update Support, Red
Hat Enterprise Linux 7.6 Telco Extended Update Support, Red Hat Enterprise
Linux 7.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.7
Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update
Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch
Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server (v. 6 ELS) - i386, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Enterprise Linux Server AUS (v. 7.3) - noarch
Red Hat Enterprise Linux Server AUS (v. 7.4) - noarch
Red Hat Enterprise Linux Server AUS (v. 7.6) - noarch
Red Hat Enterprise Linux Server AUS (v. 7.7) - noarch
Red Hat Enterprise Linux Server E4S (v. 7.6) - noarch
Red Hat Enterprise Linux Server E4S (v. 7.7) - noarch
Red Hat Enterprise Linux Server Optional (v. 6 ELS) - i386, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Server Optional AUS (v. 7.3) - noarch
Red Hat Enterprise Linux Server Optional AUS (v. 7.4) - noarch
Red Hat Enterprise Linux Server Optional AUS (v. 7.6) - noarch
Red Hat Enterprise Linux Server Optional AUS (v. 7.7) - noarch
Red Hat Enterprise Linux Server Optional E4S (v. 7.6) - noarch
Red Hat Enterprise Linux Server Optional TUS (v. 7.6) - noarch
Red Hat Enterprise Linux Server Optional TUS (v. 7.7) - noarch
Red Hat Enterprise Linux Server TUS (v. 7.6) - noarch
Red Hat Enterprise Linux Server TUS (v. 7.7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

Log4j is a tool to help the programmer output log statements to a variety
of output targets.

Security Fix(es):

* log4j: SQL injection in Log4j 1.x when application is configured to use
JDBCAppender (CVE-2022-23305)

* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)

* log4j: Remote code execution in Log4j 1.x when application is configured
to use JMSSink (CVE-2022-23302)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer

6. Package List:

Red Hat Enterprise Linux Server (v. 6 ELS):

Source:
log4j-1.2.14-6.6.el6_10.src.rpm

i386:
log4j-1.2.14-6.6.el6_10.i686.rpm
log4j-debuginfo-1.2.14-6.6.el6_10.i686.rpm

s390x:
log4j-1.2.14-6.6.el6_10.s390x.rpm
log4j-debuginfo-1.2.14-6.6.el6_10.s390x.rpm

x86_64:
log4j-1.2.14-6.6.el6_10.x86_64.rpm
log4j-debuginfo-1.2.14-6.6.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6 ELS):

i386:
log4j-debuginfo-1.2.14-6.6.el6_10.i686.rpm
log4j-javadoc-1.2.14-6.6.el6_10.i686.rpm
log4j-manual-1.2.14-6.6.el6_10.i686.rpm

s390x:
log4j-debuginfo-1.2.14-6.6.el6_10.s390x.rpm
log4j-javadoc-1.2.14-6.6.el6_10.s390x.rpm
log4j-manual-1.2.14-6.6.el6_10.s390x.rpm

x86_64:
log4j-debuginfo-1.2.14-6.6.el6_10.x86_64.rpm
log4j-javadoc-1.2.14-6.6.el6_10.x86_64.rpm
log4j-manual-1.2.14-6.6.el6_10.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
log4j-1.2.17-18.el7_4.src.rpm

noarch:
log4j-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
log4j-javadoc-1.2.17-18.el7_4.noarch.rpm
log4j-manual-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
log4j-1.2.17-18.el7_4.src.rpm

noarch:
log4j-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
log4j-javadoc-1.2.17-18.el7_4.noarch.rpm
log4j-manual-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server AUS (v. 7.3):

Source:
log4j-1.2.17-17.el7_3.src.rpm

noarch:
log4j-1.2.17-17.el7_3.noarch.rpm

Red Hat Enterprise Linux Server AUS (v. 7.4):

Source:
log4j-1.2.17-18.el7_4.src.rpm

noarch:
log4j-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server AUS (v. 7.6):

Source:
log4j-1.2.17-18.el7_4.src.rpm

noarch:
log4j-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server E4S (v. 7.6):

Source:
log4j-1.2.17-18.el7_4.src.rpm

noarch:
log4j-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server TUS (v. 7.6):

Source:
log4j-1.2.17-18.el7_4.src.rpm

noarch:
log4j-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server AUS (v. 7.7):

Source:
log4j-1.2.17-18.el7_4.src.rpm

noarch:
log4j-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server E4S (v. 7.7):

Source:
log4j-1.2.17-18.el7_4.src.rpm

noarch:
log4j-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server TUS (v. 7.7):

Source:
log4j-1.2.17-18.el7_4.src.rpm

noarch:
log4j-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
log4j-1.2.17-18.el7_4.src.rpm

noarch:
log4j-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.3):

noarch:
log4j-javadoc-1.2.17-17.el7_3.noarch.rpm
log4j-manual-1.2.17-17.el7_3.noarch.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.4):

noarch:
log4j-javadoc-1.2.17-18.el7_4.noarch.rpm
log4j-manual-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.6):

noarch:
log4j-javadoc-1.2.17-18.el7_4.noarch.rpm
log4j-manual-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server Optional E4S (v. 7.6):

noarch:
log4j-javadoc-1.2.17-18.el7_4.noarch.rpm
log4j-manual-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server Optional TUS (v. 7.6):

noarch:
log4j-javadoc-1.2.17-18.el7_4.noarch.rpm
log4j-manual-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.7):

noarch:
log4j-javadoc-1.2.17-18.el7_4.noarch.rpm
log4j-manual-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server Optional E4S (v. 7.6):

noarch:
log4j-javadoc-1.2.17-18.el7_4.noarch.rpm
log4j-manual-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server Optional TUS (v. 7.7):

noarch:
log4j-javadoc-1.2.17-18.el7_4.noarch.rpm
log4j-manual-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
log4j-javadoc-1.2.17-18.el7_4.noarch.rpm
log4j-manual-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
log4j-1.2.17-18.el7_4.src.rpm

noarch:
log4j-1.2.17-18.el7_4.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
log4j-javadoc-1.2.17-18.el7_4.noarch.rpm
log4j-manual-1.2.17-18.el7_4.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-23302
https://access.redhat.com/security/cve/CVE-2022-23305
https://access.redhat.com/security/cve/CVE-2022-23307
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Single Sign-On 7.5.1 security update
Advisory ID:       RHSA-2022:0449-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0449
Issue date:        2022-02-07
CVE Names:         CVE-2021-4104 CVE-2022-23302 CVE-2022-23305
                   CVE-2022-23307
====================================================================

1. Summary:

A security update is now available for Red Hat Single Sign-On 7.5 from the
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.5.1 serves as a replacement for
Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* log4j: SQL injection in Log4j 1.x when application is configured to use
JDBCAppender (CVE-2022-23305)

* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)

* log4j: Remote code execution in Log4j 1.x when application is configured
to use JMSAppender (CVE-2021-4104)

* log4j: Remote code execution in Log4j 1.x when application is configured
to use JMSSink (CVE-2022-23302)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer

5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

CIAM-2054 - [log4j 1.x] One-off patch for RH-SSO 7.5.1 ZIP distribution

6. References:

https://access.redhat.com/security/cve/CVE-2021-4104
https://access.redhat.com/security/cve/CVE-2022-23302
https://access.redhat.com/security/cve/CVE-2022-23305
https://access.redhat.com/security/cve/CVE-2022-23307
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.5

7. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
Oracle Linux Security Advisory ELSA-2022-0442

https://linux.oracle.com/errata/ELSA-2022-0442.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

x86_64:
log4j-1.2.17-18.el7_4.noarch.rpm
log4j-javadoc-1.2.17-18.el7_4.noarch.rpm
log4j-manual-1.2.17-18.el7_4.noarch.rpm

SRPMS:
https://oss.oracle.com:443/ol7/SRPMS-updates/log4j-1.2.17-18.el7_4.src.rpm

Related CVEs:

CVE-2022-23302
CVE-2022-23305
CVE-2022-23307

Description of changes:

[0:1.2.17-18]
- Fix Unsafe deserialization flaw in Chainsaw log viewer
- Fix SQL injection when application is configured to use JDBCAppender
- Fix remote code execution when application is configured to use JMSSink
- Resolves: CVE-2022-23307, CVE-2022-23305, CVE-2022-23302
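As an added example (not part of any advisory above), a Python inventory check for the Log4j 1.x components these advisories name: it reports which affected classes a jar still ships and which of the configuration-dependent appenders an application's log4j.properties actually selects, since the advisories describe those flaws as reachable only "when application is configured to use" them. The CVE-to-component mapping comes from the advisory text; the class paths are the standard org.apache.log4j 1.2 package layout; the sample jar and properties file are constructed.

```python
"""Inventory check for the Log4j 1.x components named in the advisories above.

Two questions a defender asks after reading them: does a jar on this host
still ship the affected classes, and does an application's log4j.properties
actually configure one of the appenders the advisories single out?
"""
import io
import re
import zipfile
from typing import Dict, List

# CVE-to-class mapping taken from the advisory text; the class paths are the
# standard log4j 1.2 package layout. A trailing "/" marks a package prefix.
AFFECTED_CLASSES: Dict[str, str] = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
    "org/apache/log4j/chainsaw/": "CVE-2022-23307",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
}

# Appenders only reachable when a configuration file selects them.
CONFIG_SENSITIVE_APPENDERS: Dict[str, str] = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}

# "log4j.appender.NAME=fully.qualified.Class"; NAME contains no dots, so
# sub-properties such as log4j.appender.NAME.layout=... do not match.
_APPENDER_DEF = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")


def scan_jar(jar_bytes: bytes) -> Dict[str, List[str]]:
    """Return {cve: [class entries present]} for affected components in a jar."""
    found: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            for prefix, cve in AFFECTED_CLASSES.items():
                if prefix.endswith("/"):
                    hit = entry.startswith(prefix) and entry.endswith(".class")
                else:
                    hit = entry == prefix
                if hit:
                    found.setdefault(cve, []).append(entry)
    return found


def check_properties(text: str) -> Dict[str, str]:
    """Return {appender name: cve} for configured appenders that use an affected class."""
    hits: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank or comment line
            continue
        m = _APPENDER_DEF.match(line)
        if m and m.group(2) in CONFIG_SENSITIVE_APPENDERS:
            hits[m.group(1)] = CONFIG_SENSITIVE_APPENDERS[m.group(2)]
    return hits


def build_sample_jar() -> bytes:
    """Constructed stand-in for a log4j-1.2.x jar: entry names only, empty bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in (
            "META-INF/MANIFEST.MF",
            "org/apache/log4j/Logger.class",
            "org/apache/log4j/net/JMSAppender.class",
            "org/apache/log4j/jdbc/JDBCAppender.class",
            "org/apache/log4j/chainsaw/Main.class",
            "org/apache/log4j/chainsaw/package.html",  # not a class: must not count
        ):
            zf.writestr(entry, b"")
    return buf.getvalue()


# Constructed log4j.properties: a harmless console appender plus the two
# appenders the advisories single out (note the sub-property and the spaces).
SAMPLE_PROPERTIES = """\
# constructed sample configuration
log4j.rootLogger=INFO, stdout, jms, db
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.example.ConstructedFactory
log4j.appender.db = org.apache.log4j.jdbc.JDBCAppender
"""


def report(jar_bytes: bytes, properties: str) -> List[str]:
    """Findings as text; a component both shipped and configured is the urgent one."""
    present = scan_jar(jar_bytes)
    configured = check_properties(properties)
    lines = [f"{cve}: shipped as {', '.join(e)}" for cve, e in sorted(present.items())]
    for appender, cve in sorted(configured.items()):
        lines.append(f"{cve}: appender '{appender}' is configured -> in use, not just shipped")
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_sample_jar(), SAMPLE_PROPERTIES)))
```

The class scan says nothing about whether a vendor build has altered those classes, so read its output together with the package version the advisory lists as fixed.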