It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DoS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration, such as setting the system property `log4j2.noFormatMsgLookup` to `true`, do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Reference: https://www.openwall.com/lists/oss-security/2021/12/14/4
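The description above names two things a responder has to check: whether a deployed log4j-core jar is below 2.16.0 and still carries JndiLookup.class, and whether the PatternLayout in use contains one of the elements ($${ctx:...}, %X, %mdc, %MDC) that let MDC data reach a lookup. The script below is an added example, not code from Red Hat, the Log4j project, or the reporter: it reads the version from the jar's META-INF/maven pom.properties (standard for Maven-built artifacts; a jar without it is treated as unknown and, if the class is present, as needing mitigation), performs the same class removal as the `zip -q -d` command in the description by rewriting the jar, and flags the risky layout elements in a config snippet. The jars, the file names under lib/, and the config line used by demo() are constructed for the example.

```python
"""Offline check for the CVE-2021-45046 mitigations described above (added example)."""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Standard location of the Maven build properties inside log4j-core jars (assumption).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_IN = (2, 16, 0)  # 2.16.0 disables JNDI by default, per the description

# Pattern-layout elements the description names as the precondition:
# a Context Lookup ($${ctx:...} or ${ctx:...}) or a Thread Context Map pattern.
RISKY_LAYOUT = re.compile(r"\$\$?\{ctx:[^}]*\}|%(?:X|mdc|MDC)(?![A-Za-z])")


def parse_version(pom_properties: str):
    """Return (major, minor, patch) from a pom.properties body, or None if absent."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", line.split("=", 1)[1].strip())
            if m:
                return tuple(int(g or 0) for g in m.groups())
    return None


def inspect_jar(path):
    """Report whether a jar still needs the JndiLookup.class removal."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
    has_class = JNDI_LOOKUP in names
    # Unknown version with the class present is treated as vulnerable (conservative choice).
    return {"version": version, "has_jndi_lookup": has_class,
            "needs_mitigation": has_class and (version is None or version < FIXED_IN)}


def strip_jndi_lookup(src, dst):
    """Copy src jar to dst without JndiLookup.class (zipfile cannot delete in place).
    Same effect as: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class"""
    removed = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP:
                removed += 1
                continue
            zout.writestr(item, zin.read(item.filename))  # keeps entry metadata and compression
    return removed


def risky_layout_elements(config_text: str):
    """Return the pattern-layout elements that let MDC data reach a lookup."""
    return RISKY_LAYOUT.findall(config_text)


def build_sample_jar(path, version, include_jndi=True, include_pom=True):
    """Constructed stand-in for log4j-core; class bodies are dummy bytes."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        if include_pom:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                                   "artifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Build constructed jars and a config line, run the checks, return the findings."""
    # Constructed PatternLayout containing both risky element kinds from the description.
    config = '<PatternLayout pattern="%d %p %c{1.} [%t] $${ctx:loginId} %X{requestId} %m%n"/>'
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        vuln = lib / "log4j-core-2.15.0.jar"
        fixed = lib / "log4j-core-2.16.0.jar"
        unknown = lib / "vendored.jar"
        build_sample_jar(vuln, "2.15.0")
        build_sample_jar(fixed, "2.16.0")              # class still shipped, JNDI off by default
        build_sample_jar(unknown, "", include_pom=False)  # no version metadata at all
        before = inspect_jar(vuln)
        mitigated = lib / "log4j-core-2.15.0.mitigated.jar"
        removed = strip_jndi_lookup(vuln, mitigated)
        return {"before": before, "removed": removed, "after": inspect_jar(mitigated),
                "fixed": inspect_jar(fixed), "unknown": inspect_jar(unknown),
                "risky_layout": risky_layout_elements(config)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it rewrites the 2.15.0 jar without the class and reports it as mitigated, leaves the 2.16.0 jar alone, and flags the vendored jar with no version metadata because the class is present and nothing proves it is fixed. The layout scan only tells you the precondition holds; it is the reason to prioritise the jar fix on that host, not a replacement for it.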
Created log4j tracking bugs for this issue: Affects: fedora-all [bug 2032581]
upstream advisory: https://logging.apache.org/log4j/2.x/security.html
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:5148 https://access.redhat.com/errata/RHSA-2021:5148
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:5106 https://access.redhat.com/errata/RHSA-2021:5106
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:5141 https://access.redhat.com/errata/RHSA-2021:5141
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:5107 https://access.redhat.com/errata/RHSA-2021:5107
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-45046
Red Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.
And what about the fix for Red Hat JBoss Enterprise Application Platform 7 marked as affected?
This issue has been addressed in the following products: Red Hat Fuse 7.8.2 7.9.1 7.10.1 Via RHSA-2022:0203 https://access.redhat.com/errata/RHSA-2022:0203
This issue has been addressed in the following products: Red Hat Data Grid 8.2.3 Via RHSA-2022:0205 https://access.redhat.com/errata/RHSA-2022:0205
This issue has been addressed in the following products: Vert.x 4.1.8 Via RHSA-2022:0083 https://access.redhat.com/errata/RHSA-2022:0083
This issue has been addressed in the following products: EAP 7.4 log4j async Via RHSA-2022:0216 https://access.redhat.com/errata/RHSA-2022:0216
This issue has been addressed in the following products: Red Hat Integration Camel Extensions for Quarkus 2.2 Via RHSA-2022:0222 https://access.redhat.com/errata/RHSA-2022:0222
This issue has been addressed in the following products: Red Hat Integration Camel-K 1.6.3 Via RHSA-2022:0223 https://access.redhat.com/errata/RHSA-2022:0223
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2022:1296 https://access.redhat.com/errata/RHSA-2022:1296
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2022:1297 https://access.redhat.com/errata/RHSA-2022:1297
This issue has been addressed in the following products: EAP 7.4.4 release Via RHSA-2022:1299 https://access.redhat.com/errata/RHSA-2022:1299