Bug 2032580 (CVE-2021-45046)

Summary: CVE-2021-45046 log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC:
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: log4j 2.16.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-12-16 16:56:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2030985, 2030987, 2030989, 2030990, 2030991, 2031028, 2032581, 2032754, 2034754    
Bug Blocks: 2030930, 2030986    

Description Guilherme de Almeida Suckevicz 2021-12-14 18:30:02 UTC
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DoS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration, such as setting the system property `log4j2.noFormatMsgLookup` to `true`, do NOT mitigate this specific vulnerability.

Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.  

This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Reference:
https://www.openwall.com/lists/oss-security/2021/12/14/4
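A defender-side check that applies the conditions stated in this report (affected version range, the 2.15.0 exposure only through a context-lookup or %X/%mdc/%MDC pattern layout, and the JndiLookup.class removal mitigation). This is an added example, not code from the report or from the Log4j project; reading the version from a Maven pom.properties inside the jar is an assumption, and the sample jar it builds is constructed test data.

```python
"""Audit helper for CVE-2021-45046 (added example, not part of the bug report)."""
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Layout elements named in the report: Context Lookup and Thread Context Map patterns.
CTX_PATTERN = re.compile(r"\$\$?\{ctx:|%(X|mdc|MDC)\b")

def parse_version(v):
    # Assumes a plain numeric version such as "2.15.0" (no qualifiers).
    return tuple(int(p) for p in v.split("."))

def inspect_jar(jar_bytes):
    """Return (version, has_jndi_lookup) for a log4j-core jar given as bytes.
    Assumption: the jar carries a Maven pom.properties with a version= line."""
    version = None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.endswith("pom.properties"):
                for line in zf.read(name).decode().splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
        return version, JNDI_LOOKUP_CLASS in names

def assess(version, has_jndi_lookup, layout_pattern=""):
    """Classify a deployment as fixed, mitigated, not_exposed or vulnerable."""
    v = parse_version(version)
    if v >= (2, 16, 0):
        return "fixed"            # 2.16.0 removes message lookups, disables JNDI
    if not has_jndi_lookup:
        return "mitigated"        # JndiLookup.class stripped from the classpath
    if v >= (2, 15, 0) and not CTX_PATTERN.search(layout_pattern):
        return "not_exposed"      # 2.15.0 without the non-default layout elements
    return "vulnerable"

def build_sample_jar(version, include_jndi=True):
    """Construct a minimal stand-in jar (constructed data, not a real log4j jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()
```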

Comment 1 Guilherme de Almeida Suckevicz 2021-12-14 18:30:35 UTC
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 2032581]

Comment 2 Przemyslaw Roguski 2021-12-14 19:32:22 UTC
upstream advisory:
https://logging.apache.org/log4j/2.x/security.html

Comment 6 errata-xmlrpc 2021-12-15 20:09:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:5148 https://access.redhat.com/errata/RHSA-2021:5148

Comment 7 errata-xmlrpc 2021-12-16 06:13:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:5106 https://access.redhat.com/errata/RHSA-2021:5106

Comment 8 errata-xmlrpc 2021-12-16 07:50:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:5141 https://access.redhat.com/errata/RHSA-2021:5141

Comment 9 errata-xmlrpc 2021-12-16 15:00:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:5107 https://access.redhat.com/errata/RHSA-2021:5107

Comment 10 Product Security DevOps Team 2021-12-16 16:56:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-45046

Comment 12 Yadnyawalk Tale 2021-12-17 14:37:49 UTC
Red Hat Satellite bundles log4j-over-slf4j with Candlepin; however, the product is not affected as it uses the logback framework for logging.

Comment 13 yuk 2021-12-18 15:32:16 UTC
And what about the fix for Red Hat JBoss Enterprise Application Platform 7 marked as affected?

Comment 24 errata-xmlrpc 2022-01-20 09:26:59 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.2
  7.9.1
  7.10.1

Via RHSA-2022:0203 https://access.redhat.com/errata/RHSA-2022:0203

Comment 25 errata-xmlrpc 2022-01-20 11:40:32 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.2.3

Via RHSA-2022:0205 https://access.redhat.com/errata/RHSA-2022:0205

Comment 26 errata-xmlrpc 2022-01-20 12:13:06 UTC
This issue has been addressed in the following products:

  Vert.x 4.1.8

Via RHSA-2022:0083 https://access.redhat.com/errata/RHSA-2022:0083

Comment 27 errata-xmlrpc 2022-01-20 16:00:12 UTC
This issue has been addressed in the following products:

  EAP 7.4 log4j async

Via RHSA-2022:0216 https://access.redhat.com/errata/RHSA-2022:0216

Comment 28 errata-xmlrpc 2022-01-20 18:54:36 UTC
This issue has been addressed in the following products:

  Red Hat Integration Camel Extensions for Quarkus 2.2

Via RHSA-2022:0222 https://access.redhat.com/errata/RHSA-2022:0222

Comment 29 errata-xmlrpc 2022-01-20 18:56:55 UTC
This issue has been addressed in the following products:

  Red Hat Integration Camel-K 1.6.3

Via RHSA-2022:0223 https://access.redhat.com/errata/RHSA-2022:0223

Comment 30 errata-xmlrpc 2022-04-11 12:56:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:1296 https://access.redhat.com/errata/RHSA-2022:1296

Comment 31 errata-xmlrpc 2022-04-11 12:58:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:1297 https://access.redhat.com/errata/RHSA-2022:1297

Comment 32 errata-xmlrpc 2022-04-11 13:00:55 UTC
This issue has been addressed in the following products:

  EAP 7.4.4 release

Via RHSA-2022:1299 https://access.redhat.com/errata/RHSA-2022:1299