Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that terminates the process, i.e. a denial of service (DoS). This issue is being tracked as LOG4J2-3230.

Mitigation: implement one of the following mitigation techniques:

* Java 8 (or later) users should upgrade to release 2.17.0.

Alternatively, this can be mitigated in configuration:

* In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
* Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

Reference:
https://logging.apache.org/log4j/2.x/security.html
https://www.openwall.com/lists/oss-security/2021/12/19/1
https://issues.apache.org/jira/browse/LOG4J2-3230
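The configuration mitigation above, as an added example that is not code from this bug report, from Red Hat, or from the Log4j project: a small script that finds ${ctx:...} / $${ctx:...} lookups inside PatternLayout patterns of a log4j2.xml and rewrites them to the equivalent %X{key} Thread Context Map pattern, plus a toy model of why the lookup form recurses while %X does not. The sample log4j2.xml is constructed for the example; the expand_lookups() function is a simplified stand-in for Log4j's lookup substitution (not its real implementation, and its max_depth guard is a hypothetical illustration, not the upstream fix).

```python
"""Added example: locate and rewrite PatternLayout context lookups (CVE-2021-45105
mitigation) and model why a self-referential MDC value recurses without bound.
Not code from the Log4j project or from Red Hat."""
import re
import xml.etree.ElementTree as ET

# ${ctx:key} or $${ctx:key}; key charset chosen for this example, and the
# ":-default" suffix syntax is deliberately not handled.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([A-Za-z0-9_.\-]+)\}")
# %X{key} conversion pattern as recommended by the advisory.
X_PATTERN = re.compile(r"%X\{([A-Za-z0-9_.\-]+)\}")

# Constructed sample configuration (not from any real deployment): the Console
# appender uses both lookup spellings, the Audit appender already uses %X.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p user=$${ctx:loginId} req=${ctx:requestId} %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout><Pattern>%d %X{loginId} %m%n</Pattern></PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""


def _get_pattern(layout):
    """A PatternLayout carries its pattern either as an attribute or as a
    nested <Pattern> element; element names are matched case-sensitively here."""
    if layout.get("pattern") is not None:
        return layout.get("pattern")
    child = layout.find("Pattern")
    return child.text if child is not None and child.text else ""


def _set_pattern(layout, value):
    if layout.get("pattern") is not None:
        layout.set("pattern", value)
    else:
        layout.find("Pattern").text = value


def find_context_lookups(xml_text):
    """Return [(appender_name, pattern, key), ...] for every context lookup
    found in a PatternLayout of the given log4j2.xml text."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for layout in root.iter("PatternLayout"):
        owner = parents.get(layout)
        owner_name = owner.get("name", owner.tag) if owner is not None else "?"
        pattern = _get_pattern(layout)
        for key in CTX_LOOKUP.findall(pattern):
            findings.append((owner_name, pattern, key))
    return findings


def harden_pattern(pattern):
    """Replace each ${ctx:key} / $${ctx:key} with %X{key}."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", pattern)


def harden_config(xml_text):
    """Rewrite every affected PatternLayout; returns the new XML text."""
    root = ET.fromstring(xml_text)
    for layout in root.iter("PatternLayout"):
        pattern = _get_pattern(layout)
        if CTX_LOOKUP.search(pattern):
            _set_pattern(layout, harden_pattern(pattern))
    return ET.tostring(root, encoding="unicode")


def expand_lookups(text, mdc, max_depth=None):
    """Toy model of recursive lookup substitution (not Log4j's StrSubstitutor):
    a lookup result is substituted again, so an MDC value that itself contains
    ${ctx:loginId} never terminates. With max_depth=None Python raises
    RecursionError, the analogue of the StackOverflowError in the advisory;
    max_depth is a hypothetical guard that turns it into a ValueError."""
    if max_depth is not None and max_depth < 0:
        raise ValueError("self-referential lookup: depth limit exceeded")
    expanded = CTX_LOOKUP.sub(lambda m: mdc.get(m.group(1), ""), text)
    if CTX_LOOKUP.search(expanded):
        next_depth = None if max_depth is None else max_depth - 1
        return expand_lookups(expanded, mdc, next_depth)
    return expanded


def render_x_pattern(pattern, mdc):
    """Model of %X{key}: the MDC value is copied once and never re-parsed, so
    attacker-controlled '${ctx:loginId}' is logged literally."""
    return X_PATTERN.sub(lambda m: mdc.get(m.group(1), ""), pattern)


if __name__ == "__main__":
    for owner, pattern, key in find_context_lookups(SAMPLE_CONFIG):
        print("appender %s: lookup ctx:%s in %r" % (owner, key, pattern))
    print(harden_config(SAMPLE_CONFIG))
```

Run it against a real log4j2.xml by replacing SAMPLE_CONFIG with the file contents; any finding is a pattern to rewrite or, per the advisory, to drop when the MDC key is populated from external input such as HTTP headers. The script does not patch log4j-core itself: upgrading to 2.17.0 remains the primary fix, and the rewrite only removes the configuration trigger.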
Created log4j tracking bugs for this issue: Affects: fedora-all [bug 2034082]
Upstream patch: https://github.com/apache/logging-log4j2/commit/806023265f8c905b2dd1d81fd2458f64b2ea0b5e
Red Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.
Will JWS 3.x/5.x and Apache httpd also be affected?
Is AMQ Broker 7.x affected?
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-45105
In reply to comment #17: > Will JWS 3.x/5.x and Apache httpd also be affected? They are not affected.
Hello Team, Is this https://access.redhat.com/security/cve/cve-2021-45105 fixed in Openshift 3.11.570? Looking for RHSA but the CVE page didn't update: https://access.redhat.com/security/cve/cve-2021-45105 Please help with the same.
This issue has been addressed in the following products: OpenShift Logging 5.1 Via RHSA-2022:0042 https://access.redhat.com/errata/RHSA-2022:0042
This issue has been addressed in the following products: OpenShift Logging 5.2 Via RHSA-2022:0043 https://access.redhat.com/errata/RHSA-2022:0043
This issue has been addressed in the following products: OpenShift Logging 5.3 Via RHSA-2022:0044 https://access.redhat.com/errata/RHSA-2022:0044
This issue has been addressed in the following products: OpenShift Logging 5.0 Via RHSA-2022:0047 https://access.redhat.com/errata/RHSA-2022:0047
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2022:0026 https://access.redhat.com/errata/RHSA-2022:0026
This issue has been addressed in the following products: Red Hat Fuse 7.8.2 7.9.1 7.10.1 Via RHSA-2022:0203 https://access.redhat.com/errata/RHSA-2022:0203
This issue has been addressed in the following products: Red Hat Data Grid 8.2.3 Via RHSA-2022:0205 https://access.redhat.com/errata/RHSA-2022:0205
This issue has been addressed in the following products: Vert.x 4.1.8 Via RHSA-2022:0083 https://access.redhat.com/errata/RHSA-2022:0083
This issue has been addressed in the following products: EAP 7.4 log4j async Via RHSA-2022:0216 https://access.redhat.com/errata/RHSA-2022:0216
This issue has been addressed in the following products: Red Hat AMQ Streams 1.6.6 Via RHSA-2022:0219 https://access.redhat.com/errata/RHSA-2022:0219
This issue has been addressed in the following products: Red Hat Integration Camel Extensions for Quarkus 2.2 Via RHSA-2022:0222 https://access.redhat.com/errata/RHSA-2022:0222
This issue has been addressed in the following products: Red Hat Integration Camel-K 1.6.3 Via RHSA-2022:0223 https://access.redhat.com/errata/RHSA-2022:0223
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2022:1296 https://access.redhat.com/errata/RHSA-2022:1296
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2022:1297 https://access.redhat.com/errata/RHSA-2022:1297
This issue has been addressed in the following products: EAP 7.4.4 release Via RHSA-2022:1299 https://access.redhat.com/errata/RHSA-2022:1299
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2022:1469 https://access.redhat.com/errata/RHSA-2022:1469
This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 7 Via RHSA-2022:1462 https://access.redhat.com/errata/RHSA-2022:1462
This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 8 Via RHSA-2022:1463 https://access.redhat.com/errata/RHSA-2022:1463