In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration that allows execution of arbitrary code loaded from LDAP servers. https://cve.report/CVE-2021-42550 https://jira.qos.ch/browse/LOGBACK-1591
References: https://jira.qos.ch/browse/LOGBACK-1591
Red Hat Satellite does not give write access to logback.xml, nor does it use the scan attribute in the `<configuration>` element of the configuration file; thus the product is not vulnerable and the mentioned exploit is not possible to perform.
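A small audit of the two conditions the statement above relies on (who can write logback.xml, and whether scan is set on `<configuration>`), as an added example that is not part of the original report or any Red Hat tooling. The finding labels and sample configs are constructed for illustration, and any non-empty scan value other than "false" is conservatively treated as enabled.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

def audit_logback_config(path):
    """Report the two conditions named above: who can write the file,
    and whether <configuration> has scanning turned on."""
    findings = []
    loose = stat.S_IWGRP | stat.S_IWOTH
    if os.stat(path).st_mode & loose:
        findings.append("file-writable-by-group-or-other")
    parent_mode = os.stat(os.path.dirname(os.path.abspath(path))).st_mode
    # A writable directory lets the file be replaced, unless sticky.
    if parent_mode & loose and not parent_mode & stat.S_ISVTX:
        findings.append("parent-dir-writable")
    root = ET.parse(path).getroot()
    if root.tag.rsplit("}", 1)[-1] != "configuration":
        return findings + ["unexpected-root-element"]
    scan = (root.get("scan") or "").strip()
    if "${" in scan:
        # Resolved from a property at runtime; needs manual review.
        findings.append("scan-set-by-property")
    elif scan and scan.lower() != "false":
        # Conservative: any other non-empty value is treated as enabled.
        findings.append("scan-enabled")
    return findings

def demo():
    """Audit two constructed sample configs in a private temp directory."""
    samples = {  # constructed inputs, not taken from any product
        "risky.xml": ('<configuration scan="true" scanPeriod="30 seconds">'
                      '<root level="INFO"/></configuration>', 0o664),
        "locked.xml": ('<configuration><root level="INFO"/></configuration>',
                       0o640),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:  # created with mode 0700
        for name, (xml, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(xml)
            os.chmod(path, mode)
            results[name] = audit_logback_config(path)
    return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "no findings")
```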
This issue has been addressed in the following products: RHPAM 7.12.1 Via RHSA-2022:1108 https://access.redhat.com/errata/RHSA-2022:1108
This issue has been addressed in the following products: RHDM 7.12.1 Via RHSA-2022:1110 https://access.redhat.com/errata/RHSA-2022:1110
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-42550
This issue has been addressed in the following products: Red Hat Satellite 6.11 for RHEL 7, Red Hat Satellite 6.11 for RHEL 8. Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498
This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532