Bug 2030932 (CVE-2021-44228) - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value [NEEDINFO]
Summary: CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs conta...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-44228
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2060792 2030945 2030985 2030986 2030987 2030988 2030989 2030990 2030991 2031028 2031102 2031171 2032008 2032598
Blocks: 2030930
TreeView+ depends on / blocked
 
Reported: 2021-12-10 02:02 UTC by Wade Mealing
Modified: 2022-06-08 08:22 UTC (History)
209 users (show)

Fixed In Version: log4j 2.15.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.
Clone Of:
Environment:
Last Closed: 2021-12-16 16:56:12 UTC
mbenatto: needinfo? (rludva)


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:5093 0 None None None 2021-12-14 16:01:46 UTC
Red Hat Product Errata RHSA-2021:5094 0 None None None 2021-12-14 05:51:13 UTC
Red Hat Product Errata RHSA-2021:5106 0 None None None 2021-12-16 06:13:43 UTC
Red Hat Product Errata RHSA-2021:5107 0 None None None 2021-12-16 15:00:35 UTC
Red Hat Product Errata RHSA-2021:5108 0 None None None 2021-12-14 15:10:37 UTC
Red Hat Product Errata RHSA-2021:5126 0 None None None 2021-12-14 16:19:43 UTC
Red Hat Product Errata RHSA-2021:5127 0 None None None 2021-12-14 18:40:53 UTC
Red Hat Product Errata RHSA-2021:5128 0 None None None 2021-12-14 18:11:10 UTC
Red Hat Product Errata RHSA-2021:5129 0 None None None 2021-12-14 17:08:12 UTC
Red Hat Product Errata RHSA-2021:5130 0 None None None 2021-12-14 17:55:53 UTC
Red Hat Product Errata RHSA-2021:5132 0 None None None 2021-12-14 20:04:20 UTC
Red Hat Product Errata RHSA-2021:5133 0 None None None 2021-12-14 21:13:40 UTC
Red Hat Product Errata RHSA-2021:5134 0 None None None 2021-12-14 21:36:18 UTC
Red Hat Product Errata RHSA-2021:5137 0 None None None 2021-12-14 21:37:42 UTC
Red Hat Product Errata RHSA-2021:5138 0 None None None 2021-12-14 21:49:13 UTC
Red Hat Product Errata RHSA-2021:5140 0 None None None 2021-12-15 03:00:13 UTC
Red Hat Product Errata RHSA-2021:5141 0 None None None 2021-12-16 07:50:18 UTC
Red Hat Product Errata RHSA-2021:5148 0 None None None 2021-12-15 20:09:48 UTC
Red Hat Product Errata RHSA-2022:0082 0 None None None 2022-01-11 17:57:04 UTC
Red Hat Product Errata RHSA-2022:0203 0 None None None 2022-01-20 09:27:05 UTC
Red Hat Product Errata RHSA-2022:0296 0 None None None 2022-01-26 15:54:39 UTC

Description Wade Mealing 2021-12-10 02:02:31 UTC
A flaw was found in the  Java logging library log4j which could allow a remote attacker to execute code on the server if the system logs an attacker controlled string value.   This affects versions between 2.0 <=  and <= 2.14.1.

Comment 1 Huzaifa S. Sidhpurwala 2021-12-10 03:25:14 UTC
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 2030945]

Comment 2 Huzaifa S. Sidhpurwala 2021-12-10 06:13:10 UTC
Upstream patch: https://github.com/apache/logging-log4j2/pull/608/commits
Pull request: https://github.com/apache/logging-log4j2/pull/608

Comment 27 Anand Paladugu 2021-12-10 15:55:37 UTC
Another case was opened for this issue. 03100953  I will link it soon

Comment 29 Anand Paladugu 2021-12-10 16:15:31 UTC
@pjindal@redhat.com 

So products outside of OpenShift are also impacted. Any thoughts on what guidance we can provide to customers in the interim.  Are there any workarounds before the fixes arive ?

Thanks

Anand

Comment 31 Anand Paladugu 2021-12-10 16:35:23 UTC
Team

Can we provide answers to these questions in addition to my ask about workaround and fix timeline above.

- How can we determine which OpenShift versions or clusters are affected and which components in OpenShift are effected
- How is the vulnerability exploited? 

There are 3 Openshift cases so far today, and we need to provide some answers atleast to customers so we dont keep them in dark until the fixes arrive.

Comment 32 Anand Paladugu 2021-12-10 16:35:48 UTC
Team

Can we provide answers to these questions in addition to my ask about workaround and fix timeline above.

- How can we determine which OpenShift versions or clusters are affected and which components in OpenShift are effected
- How is the vulnerability exploited? 

There are 3 Openshift cases so far today, and we need to provide some answers atleast to customers so we dont keep them in dark until the fixes arrive.

Comment 41 Anand Paladugu 2021-12-10 22:22:21 UTC
Hello

several customers are asking for versions of components that are impacted (with in openshift 4 and 3) and also how work around documented in the CVE page (java system variable) can be implemented.

Please advise.

Thx

Comment 42 Mike Murphy 2021-12-10 22:39:13 UTC
We have a couple customers over here with Confirmed Stateside support asking for a fix to this. 1 customer concerned with Satellite and the other concerned about this with EAP 7.3.8

Comment 48 Sam Fowler 2021-12-12 00:38:09 UTC
In reply to comment #32:
> - How can we determine which OpenShift versions or clusters are affected and
> which components in OpenShift are effected

The CVE page lists the affected OpenShift components, which includes the following container images:

openshift-logging/elasticsearch6-rhel8
openshift4/ose-logging-elasticsearch6
openshift4/ose-metering-presto
openshift4/ose-metering-hive 
openshift3/ose-logging-elasticsearch5

These are part of the optional Logging and Metering add-ons:

https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-deploying.html
https://docs.openshift.com/container-platform/4.8/metering/metering-installing-metering.html

All currently supported versions of OpenShift (3.11, 4.6+) that are using either of these add-ons are affected.

Comment 50 Sergio Basto 2021-12-12 02:40:57 UTC
Affected Apache log4j2 Versions​ 2.0 <= Apache log4j <= 2.14.1  i.e. the new version of log4j-2.15.0 fix it

Comment 55 Selim Jahangir 2021-12-13 01:50:44 UTC
Hi
I have got a customer, who wanted to know,  is there any impact of this vulnerability  (CVE-2021-44228) on following products:
Quay 3.4.6 and Clair3.4.6 ?

Regards
Selim

Comment 56 Al 2021-12-13 02:41:31 UTC
Is setting the LOG4J_FORMAT_MSG_NO_LOOKUPS env variable in OpenShift (f.e. through oc set env), instead of specifying the log4j2.formatMsgNoLookups system property, a valid mitigation for log4j2 2.10+?

Comment 58 Sam Fowler 2021-12-13 05:49:39 UTC
(In reply to Al from comment #56)
> Is setting the LOG4J_FORMAT_MSG_NO_LOOKUPS env variable in OpenShift (f.e.
> through oc set env), instead of specifying the log4j2.formatMsgNoLookups
> system property, a valid mitigation for log4j2 2.10+?

Yes, this is the advised method for OpenShift linked in this article from the Mitigation section on our CVE page:

https://access.redhat.com/solutions/6578421

Comment 59 Brendan Shephard 2021-12-13 06:29:15 UTC
For RHOSP13, the impacted component is Opendaylight, to verify if you are using Opendaylight in your deployment, you can use the command below to check:

$ openstack stack environment show overcloud | egrep "OS::TripleO::Services::OpenDaylightApi:|OS::TripleO::Services::OpenDaylightOvs:"
  OS::TripleO::Services::OpenDaylightApi: OS::Heat::None
  OS::TripleO::Services::OpenDaylightOvs: OS::Heat::None

If these return as OS::Heat::None like in the example above, you are not using OpenDayLight and therefore not impacted by this CVE.

More information about Opendaylight can be found here:
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/red_hat_opendaylight_product_guide/introducing_opendaylight
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/red_hat_opendaylight_installation_and_configuration_guide/index

Note that this is NOT the default in RHOSP13, by default this service is not enabled and used, you would need to explicitly enable it using the steps documented in the links above.

Comment 60 Stoyan Nikolov 2021-12-13 07:35:07 UTC
In reply to comment #55:
> Hi
> I have got a customer, who wanted to know,  is there any impact of this
> vulnerability  (CVE-2021-44228) on following products:
> Quay 3.4.6 and Clair3.4.6 ?
> 
> Regards
> Selim

Quay and Clair are not affected. Quay uses log4js, which is close name-wise but is not related to the log4j project.

Comment 67 Stoyan Nikolov 2021-12-13 12:21:10 UTC
Red Hat Virtualization ships rhvm-appliance which includes a vulnerable version of log4j released by Red Hat EAP. Once EAP releases a fixed version of the package Red Hat Virtualization users can consume the fix with a regular update via the package manager inside the rhvm-appliance.

Comment 68 Yadnyawalk Tale 2021-12-13 12:23:18 UTC
Red Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it use logback framework for logging (instead of log4j-core).

Comment 69 Jonathan Christison 2021-12-13 13:44:34 UTC
Marking Red Hat Build of Quarkus as not affected, the product neither ships nor uses log4j 2.x and instead relies on Jboss Logging, furthermore log4j is excluded from the quarkus BOM.

Comment 76 Jonathan Christison 2021-12-13 16:06:27 UTC
Marking Red Hat AMQ Broker 7 as not being not affected by this flaw, the product neither ships nor uses log4j 2.x

Comment 77 Paramvir jindal 2021-12-13 16:22:57 UTC
Marking Red Hat Decision Manager (RHDM) 7 as not being not affected by this flaw, the product neither ships nor uses log4j 2.x.

Comment 79 Chess Hazlett 2021-12-13 20:34:05 UTC
Marking Red Hat EAP-XP 3 as not affected; the product does not directly ship log4j, but consumes artifacts from base EAP.

Comment 83 Huzaifa S. Sidhpurwala 2021-12-14 03:14:30 UTC
Large customer ticket volume for fixes in rhel-6/7, i created a tracker for both, let engg take a decision and not us.

Comment 84 errata-xmlrpc 2021-12-14 05:51:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2021:5094 https://access.redhat.com/errata/RHSA-2021:5094

Comment 86 errata-xmlrpc 2021-12-14 15:10:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:5108 https://access.redhat.com/errata/RHSA-2021:5108

Comment 87 errata-xmlrpc 2021-12-14 16:01:37 UTC
This issue has been addressed in the following products:

  Vert.x 4.1.5 SP1

Via RHSA-2021:5093 https://access.redhat.com/errata/RHSA-2021:5093

Comment 88 errata-xmlrpc 2021-12-14 16:19:34 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:5126 https://access.redhat.com/errata/RHSA-2021:5126

Comment 89 Mike Murphy 2021-12-14 16:36:44 UTC
Are we still waiting on a release for  EAP 7.3.8 ?

Comment 90 errata-xmlrpc 2021-12-14 17:08:06 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.3

Via RHSA-2021:5129 https://access.redhat.com/errata/RHSA-2021:5129

Comment 91 errata-xmlrpc 2021-12-14 17:55:47 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:5130 https://access.redhat.com/errata/RHSA-2021:5130

Comment 92 errata-xmlrpc 2021-12-14 18:11:04 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.1

Via RHSA-2021:5128 https://access.redhat.com/errata/RHSA-2021:5128

Comment 93 errata-xmlrpc 2021-12-14 18:40:45 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.2

Via RHSA-2021:5127 https://access.redhat.com/errata/RHSA-2021:5127

Comment 95 errata-xmlrpc 2021-12-14 20:04:12 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.2.2

Via RHSA-2021:5132 https://access.redhat.com/errata/RHSA-2021:5132

Comment 96 errata-xmlrpc 2021-12-14 21:13:31 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 1.6.5

Via RHSA-2021:5133 https://access.redhat.com/errata/RHSA-2021:5133

Comment 97 errata-xmlrpc 2021-12-14 21:36:10 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134

Comment 98 errata-xmlrpc 2021-12-14 21:37:31 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.0

Via RHSA-2021:5137 https://access.redhat.com/errata/RHSA-2021:5137

Comment 99 errata-xmlrpc 2021-12-14 21:49:04 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 1.8.4

Via RHSA-2021:5138 https://access.redhat.com/errata/RHSA-2021:5138

Comment 100 errata-xmlrpc 2021-12-15 03:00:05 UTC
This issue has been addressed in the following products:

  EAP 7.4 log4j async

Via RHSA-2021:5140 https://access.redhat.com/errata/RHSA-2021:5140

Comment 101 Bing 2021-12-15 19:59:42 UTC
Is Red Hat working on a fix for Red Hat OpenShift Contains Platform 4.9? When can that be released?

Comment 102 errata-xmlrpc 2021-12-15 20:09:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:5148 https://access.redhat.com/errata/RHSA-2021:5148

Comment 103 errata-xmlrpc 2021-12-16 06:13:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:5106 https://access.redhat.com/errata/RHSA-2021:5106

Comment 104 errata-xmlrpc 2021-12-16 07:50:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:5141 https://access.redhat.com/errata/RHSA-2021:5141

Comment 105 errata-xmlrpc 2021-12-16 15:00:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:5107 https://access.redhat.com/errata/RHSA-2021:5107

Comment 106 Product Security DevOps Team 2021-12-16 16:56:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-44228

Comment 108 Mithilesh Kaur Bagga 2021-12-21 16:52:31 UTC
Hello Team,

There are multiple queries are coming from the CU, Can you please guide me for the same?

1. CU is having a cluster with 4.8.17 and using openshift-logging, so he needs to update the entire cluster with 4.8.24 or only openshift-logging? Can you please guide the channel from where he can get updates for 4.8.24? 

2. As we know that our core component has an insight operator which is used by telemetry. In that case, does only the logging operator needs to update, or is entire cluster upgrades required?

Question 1: Is this really a mandatory requirement to upgrade the cluster to 4.8.24?

Question 2: If yes, where is this documented. (Remark: If Verbund has to upgrade during system lock-down, they need to have formal proof from the vendor that this is a mandatory requirement!)

 Logging has been upgraded to 5.2.4-17 on the 14th Dec. 

Question 3: Please confirm that if openshift-logging operator upgrade is a sufficient upgrade to fix the log4j-issue?

Question 4: ACS still shows vulnerabilities on logging. Why?


   - What documentation has these details listed about the fixes? as our RHSA documentation [0]:  https://access.redhat.com/errata/RHSA-2021:5127
     say the SA is for 5.2.4, but does not specify what exact version under 5.2.4
     as when I personally install the operator, I see 5.2.4-17 as the version.

   - What is the difference between a "stable" channel in Elasticsearch Operator
     which CU sees and has 5.2.2-21 version and "stable-5.2" channel and what he needs to subscribe to have the patches for CVEs.

Comment 116 errata-xmlrpc 2022-01-11 17:56:54 UTC
This issue has been addressed in the following products:

  RHPAM 7.11.1

Via RHSA-2022:0082 https://access.redhat.com/errata/RHSA-2022:0082

Comment 118 errata-xmlrpc 2022-01-20 09:26:57 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.2
  7.9.1
  7.10.1

Via RHSA-2022:0203 https://access.redhat.com/errata/RHSA-2022:0203

Comment 120 errata-xmlrpc 2022-01-26 15:54:30 UTC
This issue has been addressed in the following products:

  RHPAM 7.12.0

Via RHSA-2022:0296 https://access.redhat.com/errata/RHSA-2022:0296

Comment 122 Mike Murphy 2022-02-02 22:42:40 UTC
(In reply to Stoyan Nikolov from comment #67)
> Red Hat Virtualization ships rhvm-appliance which includes a vulnerable
> version of log4j released by Red Hat EAP. Once EAP releases a fixed version
> of the package Red Hat Virtualization users can consume the fix with a
> regular update via the package manager inside the rhvm-appliance.


We are running: rhvm-4.4.9.5-0.1.el8ev.noarch

Our question is what is the impact of removing the log4j RPM's on a Hosted Engine?

We have these log4j RPMs installed:
# rpm -qa | grep log4j
log4j12-1.2.17-22.module+el8+2598+06babf2e.noarch
ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.noarch
eap7-log4j2-jboss-logmanager-1.0.0-1.Final_redhat_00001.1.el8eap.noarch
eap7-log4j-jboss-logmanager-1.2.0-1.Final_redhat_00001.1.el8eap.noarch
eap7-log4j-2.14.0-1.redhat_00002.1.el8eap.noarch

What is the impact of removing them? Specifically, can we remove the 2.14 version without impact? Is this affected by the CVE?

Comment 123 Greg Scott 2022-02-02 23:47:49 UTC
> We are running: rhvm-4.4.9.5-0.1.el8ev.noarch
> 
> Our question is what is the impact of removing the log4j RPM's on a Hosted
> Engine?
> 
> We have these log4j RPMs installed:
> # rpm -qa | grep log4j
> log4j12-1.2.17-22.module+el8+2598+06babf2e.noarch
> ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.noarch
> eap7-log4j2-jboss-logmanager-1.0.0-1.Final_redhat_00001.1.el8eap.noarch
> eap7-log4j-jboss-logmanager-1.2.0-1.Final_redhat_00001.1.el8eap.noarch
> eap7-log4j-2.14.0-1.redhat_00002.1.el8eap.noarch
> 
> What is the impact of removing them? Specifically, can we remove the 2.14
> version without impact? Is this affected by the CVE?

RHVM 4.4.z should not install any any log4j v2 at all. See the diagnostic steps in https://access.redhat.com/solutions/6611691 for the log4j components installed with RHVM 4.4.

Comment 124 José Enrique 2022-02-22 16:20:26 UTC
Hi team,

We have a customer asking if it is possible to remove the log4j dependencies, as comment #122 suggested. 

They has updated to the last 4.4.10 version and removed log4j package, but they want to remove all eap7-logj packages.


Note You need to log in before you can comment on or make changes to this bug.