Bug 1193743 (CVE-2021-45046)

Summary: VUL-0: CVE-2021-45046: storm,log4j12,log4j,slf4j: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
Product: [Novell Products] SUSE Security Incidents Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: IncidentsAssignee: Peter Simons <peter.simons>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: meissner, peter.simons, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/317415/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-45046:3.7:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Gianluca Gabrielli 2021-12-14 21:10:24 UTC
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration, such as setting the system property `log4j2.noFormatMsgLookup` to `true`, do NOT mitigate this specific vulnerability.

Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by 

This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: 
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).


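The description above names two checks a packager or operator needs for releases before 2.16.0: find out whether a deployed jar still carries org/apache/logging/log4j/core/lookup/JndiLookup.class, and strip it (the `zip -q -d` step). The script below is an added example, not code from this bug report, the SUSE packages or the log4j project. It builds a constructed, placeholder "application jar" that nests a fake log4j-core 2.15.0 jar, walks the archive (including nested jars, as shaded and Spring Boot fat jars ship them), reads the version from the manifest, and rewrites the archive without the class. It assumes the log4j-core manifest carries an `Implementation-Version` attribute; the jar paths and version strings are invented for the demonstration.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Added example, not part of the bug report or the log4j project.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")
FIXED_IN = (2, 16, 0)  # per the report: 2.16.0 removes the lookup path; older releases need the class stripped


def build_sample_jar(path):
    """Constructed test input: a fake log4j-core 2.15.0 jar that still ships
    JndiLookup.class, wrapped inside an application jar so that nested-archive
    scanning is exercised. The .class payloads are placeholder bytes, not bytecode."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\n"
                   "Implementation-Title: Apache Log4j Core\r\n"
                   "Implementation-Version: 2.15.0\r\n\r\n")
        z.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        # fat jars keep nested jars STORED so the JVM can read them in place
        z.writestr(zipfile.ZipInfo("BOOT-INF/lib/log4j-core-2.15.0.jar"), inner.getvalue(),
                   compress_type=zipfile.ZIP_STORED)
    return path


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF as an int tuple, or None.
    Assumption: log4j-core's manifest carries that attribute."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*([0-9][0-9.]*)", text, re.M)
    return tuple(int(p) for p in m.group(1).rstrip(".").split(".")) if m else None


def find_jndi_lookup(jar, prefix=""):
    """Return [(location, version)] for every JndiLookup.class reachable from
    `jar` (a path or file-like object), descending into nested archives."""
    hits = []
    with zipfile.ZipFile(jar) as zf:
        version = manifest_version(zf)
        for name in zf.namelist():
            if name == JNDI_LOOKUP:
                hits.append((prefix + name, version))
            elif name.lower().endswith(NESTED):
                hits.extend(find_jndi_lookup(io.BytesIO(zf.read(name)), prefix + name + "!/"))
    return hits


def needs_mitigation(version):
    """True when the jar predates 2.16.0 (or its version is unknown) and the class should go."""
    return version is None or version < FIXED_IN


def _strip(data):
    """Rebuild archive bytes without JndiLookup.class, recursing into nested
    archives and preserving each entry's compression method so STORED nested
    jars stay readable by the JVM. Returns (new_bytes, entries_removed)."""
    out, removed = io.BytesIO(), 0
    with zipfile.ZipFile(io.BytesIO(data)) as zin, \
            zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_LOOKUP:
                removed += 1
                continue
            payload = zin.read(info.filename)
            if info.filename.lower().endswith(NESTED):
                payload, n = _strip(payload)
                removed += n
            zout.writestr(info, payload)  # reusing ZipInfo keeps name, timestamp, compress_type
    return out.getvalue(), removed


def strip_jndi_lookup(jar_path):
    """In-place equivalent of `zip -q -d <jar> org/.../JndiLookup.class`, nested jars included."""
    src = Path(jar_path)
    data, removed = _strip(src.read_bytes())
    if removed:
        src.write_bytes(data)
    return removed


def demo():
    """Run scan -> decide -> strip -> rescan on the constructed jar; returns a summary."""
    with tempfile.TemporaryDirectory() as d:
        jar = build_sample_jar(Path(d) / "app.jar")
        before = find_jndi_lookup(jar)
        removed = strip_jndi_lookup(jar)
        after = find_jndi_lookup(jar)
    return {"before": before,
            "needs_mitigation": [needs_mitigation(v) for _, v in before],
            "removed": removed,
            "after": after}


if __name__ == "__main__":
    print(demo())
```

Point `find_jndi_lookup` at real jars from a deployment to see which ones still carry the class and at what version; stripping rewrites the archive, so keep a copy and re-run the scan afterwards, as `demo()` does.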
Comment 1 Gianluca Gabrielli 2021-12-14 21:20:05 UTC
This only affects log4j2, hence:
 - SUSE:SLE-15-SP2:Update/log4j
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/log4j
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/log4j
 - openSUSE:Factory/log4j

Since we have disabled JNDI by default on all the above packages, I will consider this fixed as well.

Anyway, I will close it only after the maintainer has added this fix to the changes files.

Comment 3 Gianluca Gabrielli 2021-12-15 07:56:09 UTC
It seems that the new assigned CVE (CVE-2021-45046) is more dangerous [0] than what was initially described. But still quite hard to exploit.

I think there are no real risks for our product to be attacked by this anytime soon, especially now that we backported the "LOG4J2-3208 - Disable JNDI by default" patch [1]. There is still a newer patch [2] that we may want to backport only to SUSE:SLE-15-SP2:Update/log4j (Factory has been version bumped), but IMO this can be done without the EMU.

[0] https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/
[1] https://github.com/apache/logging-log4j2/commit/c362aff473e9812798ff8f25f30a2619996605d5
[2] https://github.com/apache/logging-log4j2/commit/27972043b76c9645476f561c5adc483dec6d3f5d

Comment 7 Swamp Workflow Management 2021-12-16 23:18:23 UTC
openSUSE-SU-2021:4107-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1193743
CVE References: CVE-2021-44228,CVE-2021-45046
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    disruptor-3.4.4-3.3.1, jakarta-servlet-5.0.0-5.3.1, log4j-2.16.0-4.10.1

Comment 8 Gianluca Gabrielli 2021-12-17 07:54:29 UTC

Comment 9 Swamp Workflow Management 2021-12-20 14:17:38 UTC
openSUSE-SU-2021:1601-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1193743
CVE References: CVE-2021-44228,CVE-2021-45046
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    disruptor-3.4.4-lp152.2.3.1, jakarta-servlet-5.0.0-lp152.2.1, log4j-2.16.0-lp152.3.9.1