Bug 1193743 (CVE-2021-45046)

Summary: VUL-0: CVE-2021-45046: storm,log4j12,log4j,slf4j: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Peter Simons <peter.simons>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: meissner, peter.simons, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/317415/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-45046:3.7:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2021-12-14 21:10:24 UTC
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration, such as setting the system property `log4j2.noFormatMsgLookup` to `true`, do NOT mitigate this specific vulnerability.

Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

References:

https://logging.apache.org/log4j/2.x/security.html
https://www.cve.org/CVERecord?id=CVE-2021-44228
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-45046
http://seclists.org/oss-sec/2021/q4/159
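Added audit example (not part of the bug report or of the SUSE packages): a small Python script that checks a log4j-core jar for the two states the description above distinguishes, the upstream fix (version 2.16.0 or later, where JNDI is disabled by default) and the pre-2.16.0 mitigation (JndiLookup.class deleted from the jar with `zip -d`). The version is taken from the jar file name, which is an assumption of this example; the sample jars are constructed in memory and contain empty placeholder entries rather than real log4j classes.

```python
"""Audit log4j-core jars for the CVE-2021-45046 mitigation state.

Added example, not from the bug report. Distinguishes three outcomes:
  fixed      - jar version >= 2.16.0 (JNDI disabled by default upstream)
  mitigated  - older jar, but JndiLookup.class has been removed
  vulnerable - older jar that still ships JndiLookup.class
Version detection from the file name is an assumption of this script;
branch-specific backports are not modelled.
"""
import io
import re
import zipfile

# Entry the description says to delete for the <2.16.0 mitigation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 16, 0)  # first release with JNDI off by default


def parse_version(jar_name):
    """Return (major, minor, patch) from a name like log4j-core-2.15.0.jar, or None."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)\.(\d+)", jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_jar(jar_name, jar_bytes):
    """Inspect one jar (given as bytes) and classify its state."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        entries = set(zf.namelist())
    version = parse_version(jar_name)
    has_jndi = JNDI_LOOKUP in entries
    if version is not None and version >= FIXED_VERSION:
        status = "fixed"
    elif not has_jndi:
        status = "mitigated"
    else:
        status = "vulnerable"
    return {
        "jar": jar_name,
        "version": version,
        "jndi_lookup_present": has_jndi,
        "status": status,
    }


def strip_jndi_lookup(jar_bytes):
    """Python equivalent of `zip -q -d <jar> .../JndiLookup.class`:
    copy every entry except JndiLookup.class into a new archive."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def make_sample_jar(entry_names):
    """Build a constructed in-memory jar whose entries are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a 2.15.0 jar that still carries JndiLookup.class.
    old = make_sample_jar(["META-INF/MANIFEST.MF", JNDI_LOOKUP,
                           "org/apache/logging/log4j/core/Logger.class"])
    for name, data in [("log4j-core-2.15.0.jar", old),
                       ("log4j-core-2.15.0.jar", strip_jndi_lookup(old)),
                       ("log4j-core-2.16.0.jar", make_sample_jar(["META-INF/MANIFEST.MF"]))]:
        print(audit_jar(name, data))
```

On a real host the same `audit_jar` can be pointed at jars found on the classpath (read the file into bytes first); a "vulnerable" result means neither the 2.16.0 update nor the class removal has been applied.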
Comment 1 Gianluca Gabrielli 2021-12-14 21:20:05 UTC
This only affects log4j2, hence:
 - SUSE:SLE-15-SP2:Update/log4j
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/log4j
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/log4j
 - openSUSE:Factory/log4j

Since we have disabled JNDI by default on all the above packages, I will consider this fixed as well.

Anyway, I will close it only after the maintainer has added this fix to the changes files.
Comment 3 Gianluca Gabrielli 2021-12-15 07:56:09 UTC
It seems that the new assigned CVE (CVE-2021-45046) is more dangerous [0] than what was initially described. But still quite hard to exploit.

I think there are no real risks for our product to be attacked by this anytime soon, especially now that we backported the "LOG4J2-3208 - Disable JNDI by default" patch [1]. There is still a newer patch [2] that we may want to backport only to SUSE:SLE-15-SP2:Update/log4j (Factory has been version bumped), but IMO this can be done without the EMU.

[0] https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/
[1] https://github.com/apache/logging-log4j2/commit/c362aff473e9812798ff8f25f30a2619996605d5
[2] https://github.com/apache/logging-log4j2/commit/27972043b76c9645476f561c5adc483dec6d3f5d
Comment 7 Swamp Workflow Management 2021-12-16 23:18:23 UTC
openSUSE-SU-2021:4107-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1193743
CVE References: CVE-2021-44228,CVE-2021-45046
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    disruptor-3.4.4-3.3.1, jakarta-servlet-5.0.0-5.3.1, log4j-2.16.0-4.10.1
Comment 8 Gianluca Gabrielli 2021-12-17 07:54:29 UTC
Released
Comment 9 Swamp Workflow Management 2021-12-20 14:17:38 UTC
openSUSE-SU-2021:1601-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1193743
CVE References: CVE-2021-44228,CVE-2021-45046
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    disruptor-3.4.4-lp152.2.3.1, jakarta-servlet-5.0.0-lp152.2.1, log4j-2.16.0-lp152.3.9.1