First Last Prev Next    This bug is not in your last search results.
Bug 1193743 - (CVE-2021-45046) VUL-0: CVE-2021-45046: storm,log4j12,log4j,slf4j: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
(CVE-2021-45046)
VUL-0: CVE-2021-45046: storm,log4j12,log4j,slf4j: Apache Log4j2 Thread Contex...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Minor
: ---
Assigned To: Peter Simons
Security Team bot
https://smash.suse.de/issue/317415/
CVSSv3.1:SUSE:CVE-2021-45046:3.7:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-12-14 21:10 UTC by Gianluca Gabrielli
Modified: 2021-12-20 14:17 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Gianluca Gabrielli 2021-12-14 21:10:24 UTC 
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default 
configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging 
configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread 
Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial 
of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous 
mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT 
mitigate this specific vulnerability.

Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by 
default.  

This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: 
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

References:

https://logging.apache.org/log4j/2.x/security.html
https://www.cve.org/CVERecord?id=CVE-2021-44228
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-45046
http://seclists.org/oss-sec/2021/q4/159
Comment 1 Gianluca Gabrielli 2021-12-14 21:20:05 UTC 
This only affect log4j2, hence:
 - SUSE:SLE-15-SP2:Update/log4j
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/log4j
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/log4j
 - openSUSE:Factory/log4j

Since we have disabled JNDI by default on all the above packages, I will consider this fixed as well.

Anyway, I will close it only after the maintainer will have added this fix to the changes files.
Comment 3 Gianluca Gabrielli 2021-12-15 07:56:09 UTC 
It seems that the new assigned CVE (CVE-2021-45046) is more dangerous [0] than what was initially described. But still quite hard to exploit.

I think there are no real risks for our product to be attacked by this anytime soon, especially now that we backported "LOG4J2-3208 - Disable JNDI by default" patch [1]. There still a newer patch [2] that we may want to backport only to SUSE:SLE-15-SP2:Update/log4j (Factory has been version bumped), but IMO this can be done without the EMU.

[0] https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/
[1] https://github.com/apache/logging-log4j2/commit/c362aff473e9812798ff8f25f30a2619996605d5
[2] https://github.com/apache/logging-log4j2/commit/27972043b76c9645476f561c5adc483dec6d3f5d
Comment 7 Swamp Workflow Management 2021-12-16 23:18:23 UTC 
openSUSE-SU-2021:4107-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1193743
CVE References: CVE-2021-44228,CVE-2021-45046
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    disruptor-3.4.4-3.3.1, jakarta-servlet-5.0.0-5.3.1, log4j-2.16.0-4.10.1
Comment 8 Gianluca Gabrielli 2021-12-17 07:54:29 UTC 
Released
Comment 9 Swamp Workflow Management 2021-12-20 14:17:38 UTC 
openSUSE-SU-2021:1601-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1193743
CVE References: CVE-2021-44228,CVE-2021-45046
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    disruptor-3.4.4-lp152.2.3.1, jakarta-servlet-5.0.0-lp152.2.1, log4j-2.16.0-lp152.3.9.1
First Last Prev Next    This bug is not in your last search results.