Happy Friday fellow Linux geeks! This week, important updates have been issued for log4j, singularity and Apache HTTP Server. and Read on to learn about these vulnerabilities and how to secure your system against them. 

Now you can personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select, making it easier than ever to keep your system up-to-date and secure.

Have a question about or comment on one of the vulnerabilities highlighted in today's newsletter? Let's discuss!

Yours in Open Source,

Brittany Signature 150 Esm W150

log4j

The Discovery 

It was discovered that Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to RCE when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server (CVE-2021-44832).

ApacheLog4J Esm W400

The Impact

Exploitation of this flaw could result in remote code execution (RCE) attacks via JDBC Appender (when an attacker controls config).

The Fix

A security update has been released for log4j that fixes this issue. Update to log4j-2.17.1 as soon as possible!

Your Related Advisories:

[distro_list_1]

singularity

The Discovery 

Three security vulnerabilities (CVE-2021-29136, CVE-2021-32635 and CVE-2021-41190) have been found in the singularity container platform.
Singularity Esm W223

The Impact

These bugs could allow an attacker to modify host files or execute malicious containers.

The Fix

Updated singularity packages fix these dangerous flaws. Update now!

Your Related Advisories:

[distro_list_2]

Apache HTTP Server

The Discovery

It was discovered that the Apache HTTP Server incorrectly handled certain forward proxy requests (CVE-2021-44224), and that the Apache HTTP Server Lua module incorrectly handled memory in the multipart parser (CVE-2021-44790). 

The ImpactApache2 Esm W400

A remote attacker could exploit these issues to cause the server to crash, resulting in a denial of service (DoS), or possibly perform a Server Side Request Forgery attack or execute arbitrary code.

The Fix

Apache has released updated package versions that correct these issues. Update immediately to protect the security, integrity and availability of your systems!

Your Related Advisories:

[distro_list_3]