Bug 1193743 - (CVE-2021-45046) VUL-0: CVE-2021-45046: storm,log4j12,log4j,slf4j: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Assigned To: Peter Simons
QA Contact: Security Team bot
Reported: 2021-12-14 21:10 UTC by Gianluca Gabrielli
Modified: 2021-12-20 14:17 UTC
Found By: Security Response Team

Description Gianluca Gabrielli 2021-12-14 21:10:24 UTC
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default 
configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging 
configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread 
Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial 
of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous 
mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT 
mitigate this specific vulnerability.

Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by 

This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: 
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).


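The mitigation in the description (deleting `JndiLookup.class` from log4j-core jars older than 2.16.0) is easy to apply but hard to audit across a fleet, especially where log4j-core is bundled inside WARs or fat jars. The following is an added example, not code from the bug report or from the Log4j project: it scans an archive (recursing into nested `.jar`/`.war`/`.ear` entries), reads the artifact version from the Maven `pom.properties` entry that log4j-core jars carry (the entry path is assumed from the standard Maven layout), reports whether `JndiLookup.class` is still present, and can write a copy of a jar with the class removed, which is the same operation as the `zip -q -d` command above. The 2.16.0 threshold and the three statuses follow the advisory text only; the sample jars the demo builds are constructed stand-ins, not real artifacts.

```python
# Added example for CVE-2021-45046 exposure checks; not part of the bug report.
import io
import os
import re
import tempfile
import zipfile

# Class the advisory says to delete from log4j-core jars older than 2.16.0.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata entry carrying the artifact version (assumed standard Maven layout).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Threshold from the advisory: 2.16.0 removes message lookups and disables JNDI.
FIXED_VERSION = (2, 16, 0)


def parse_version(text):
    """'2.15.0' or '2.16.0-rc1' -> (2, 15, 0) / (2, 16, 0); None if no x.y.z prefix."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version, has_jndi):
    """>=2.16.0 is 'fixed'; older (or unknown, treated conservatively) jars are
    'vulnerable' while JndiLookup.class is present and 'mitigated' once removed."""
    if version is not None and version >= FIXED_VERSION:
        return "fixed"
    return "vulnerable" if has_jndi else "mitigated"


def _scan_zip(zf, label, findings):
    """Inspect one open archive, then recurse into bundled archives
    (web apps and fat jars ship log4j-core nested this way)."""
    names = set(zf.namelist())
    has_jndi = JNDI_LOOKUP_CLASS in names
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1])
    if has_jndi or version is not None:
        findings.append((label, {"version": version, "jndi_lookup": has_jndi,
                                 "status": classify(version, has_jndi)}))
    for name in sorted(names):
        if name.lower().endswith((".jar", ".war", ".ear")):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                _scan_zip(inner, f"{label}!{name}", findings)


def scan_path(path):
    """List of (archive label, result dict), one per log4j-core found under path."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        _scan_zip(zf, os.path.basename(path), findings)
    return findings


def strip_jndi_lookup(src, dst):
    """Copy src to dst without JndiLookup.class (the advisory's `zip -q -d` step).
    Returns True if the class was present and removed."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed


def build_sample_jar(path, version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar (not a real artifact)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # fake class bytes
    return path


def run_demo():
    """Build constructed jars in a temp dir, scan them, mitigate the old one,
    and return the statuses so the outcome can be checked programmatically."""
    work = tempfile.mkdtemp(prefix="log4j-check-")
    old = build_sample_jar(os.path.join(work, "log4j-core-2.15.0.jar"), "2.15.0")
    new = build_sample_jar(os.path.join(work, "log4j-core-2.16.0.jar"), "2.16.0",
                           include_jndi=False)
    war = os.path.join(work, "app.war")  # web app bundling the old jar
    with zipfile.ZipFile(war, "w") as z:
        z.write(old, "WEB-INF/lib/log4j-core-2.15.0.jar")
    patched = os.path.join(work, "log4j-core-2.15.0-nojndi.jar")
    removed = strip_jndi_lookup(old, patched)
    return {
        "old": scan_path(old)[0][1]["status"],
        "new": scan_path(new)[0][1]["status"],
        "nested": scan_path(war)[0],
        "removed": removed,
        "patched": scan_path(patched)[0][1]["status"],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the module prints the constructed 2.15.0 jar as `vulnerable`, the same jar nested in `app.war` under its `app.war!WEB-INF/lib/...` label, the 2.16.0 jar as `fixed`, and the stripped copy as `mitigated`. For a real audit, point `scan_path` at every archive a Java service loads; a jar whose version is unreadable is deliberately treated as old, so such hits need manual confirmation rather than being ignored.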
Comment 1 Gianluca Gabrielli 2021-12-14 21:20:05 UTC
This only affects log4j2, hence:
 - SUSE:SLE-15-SP2:Update/log4j
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/log4j
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/log4j
 - openSUSE:Factory/log4j

Since we have disabled JNDI by default on all the above packages, I will consider this fixed as well.

Anyway, I will close it only after the maintainer has added this fix to the changes files.
Comment 3 Gianluca Gabrielli 2021-12-15 07:56:09 UTC
It seems that the newly assigned CVE (CVE-2021-45046) is more dangerous [0] than what was initially described, but it is still quite hard to exploit.

I think there are no real risks of our product being attacked through this anytime soon, especially now that we have backported the "LOG4J2-3208 - Disable JNDI by default" patch [1]. There is still a newer patch [2] that we may want to backport only to SUSE:SLE-15-SP2:Update/log4j (Factory has been version bumped), but IMO this can be done without the EMU.

[0] https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/
[1] https://github.com/apache/logging-log4j2/commit/c362aff473e9812798ff8f25f30a2619996605d5
[2] https://github.com/apache/logging-log4j2/commit/27972043b76c9645476f561c5adc483dec6d3f5d
Comment 7 Swamp Workflow Management 2021-12-16 23:18:23 UTC
openSUSE-SU-2021:4107-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1193743
CVE References: CVE-2021-44228,CVE-2021-45046
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    disruptor-3.4.4-3.3.1, jakarta-servlet-5.0.0-5.3.1, log4j-2.16.0-4.10.1
Comment 8 Gianluca Gabrielli 2021-12-17 07:54:29 UTC
Comment 9 Swamp Workflow Management 2021-12-20 14:17:38 UTC
openSUSE-SU-2021:1601-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1193743
CVE References: CVE-2021-44228,CVE-2021-45046
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    disruptor-3.4.4-lp152.2.3.1, jakarta-servlet-5.0.0-lp152.2.1, log4j-2.16.0-lp152.3.9.1