Bug 2032580 (CVE-2021-45046) - CVE-2021-45046 log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)
Summary: CVE-2021-45046 log4j-core: DoS in log4j 2.x with thread context message patte...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-45046
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2030985 2030987 2030989 2030990 2030991 2031028 2032581 2032754 2034754
Blocks: 2030930 2030986
TreeView+ depends on / blocked
 
Reported: 2021-12-14 18:30 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-11 13:01 UTC (History)
134 users (show)

Fixed In Version: log4j 2.16.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.
Clone Of:
Environment:
Last Closed: 2021-12-16 16:56:56 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:5106 0 None None None 2021-12-16 06:13:44 UTC
Red Hat Product Errata RHSA-2021:5107 0 None None None 2021-12-16 15:00:34 UTC
Red Hat Product Errata RHSA-2021:5141 0 None None None 2021-12-16 07:50:15 UTC
Red Hat Product Errata RHSA-2021:5148 0 None None None 2021-12-15 20:09:48 UTC
Red Hat Product Errata RHSA-2022:0083 0 None None None 2022-01-20 12:13:12 UTC
Red Hat Product Errata RHSA-2022:0203 0 None None None 2022-01-20 09:27:06 UTC
Red Hat Product Errata RHSA-2022:0205 0 None None None 2022-01-20 11:40:37 UTC
Red Hat Product Errata RHSA-2022:0216 0 None None None 2022-01-20 16:00:19 UTC
Red Hat Product Errata RHSA-2022:0222 0 None None None 2022-01-20 18:54:42 UTC
Red Hat Product Errata RHSA-2022:0223 0 None None None 2022-01-20 18:57:01 UTC
Red Hat Product Errata RHSA-2022:1296 0 None None None 2022-04-11 12:56:49 UTC
Red Hat Product Errata RHSA-2022:1297 0 None None None 2022-04-11 12:58:16 UTC
Red Hat Product Errata RHSA-2022:1299 0 None None None 2022-04-11 13:01:02 UTC

Description Guilherme de Almeida Suckevicz 2021-12-14 18:30:02 UTC
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability.

Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.  

This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Reference:
https://www.openwall.com/lists/oss-security/2021/12/14/4

Comment 1 Guilherme de Almeida Suckevicz 2021-12-14 18:30:35 UTC
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 2032581]

Comment 2 Przemyslaw Roguski 2021-12-14 19:32:22 UTC
upstream advisory:
https://logging.apache.org/log4j/2.x/security.html

Comment 6 errata-xmlrpc 2021-12-15 20:09:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:5148 https://access.redhat.com/errata/RHSA-2021:5148

Comment 7 errata-xmlrpc 2021-12-16 06:13:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:5106 https://access.redhat.com/errata/RHSA-2021:5106

Comment 8 errata-xmlrpc 2021-12-16 07:50:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:5141 https://access.redhat.com/errata/RHSA-2021:5141

Comment 9 errata-xmlrpc 2021-12-16 15:00:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:5107 https://access.redhat.com/errata/RHSA-2021:5107

Comment 10 Product Security DevOps Team 2021-12-16 16:56:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-45046

Comment 12 Yadnyawalk Tale 2021-12-17 14:37:49 UTC
Red Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.

Comment 13 yuk 2021-12-18 15:32:16 UTC
And what about the fix for Red Hat JBoss Enterprise Application Platform 7 marked as affected?

Comment 24 errata-xmlrpc 2022-01-20 09:26:59 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.2
  7.9.1
  7.10.1

Via RHSA-2022:0203 https://access.redhat.com/errata/RHSA-2022:0203

Comment 25 errata-xmlrpc 2022-01-20 11:40:32 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.2.3

Via RHSA-2022:0205 https://access.redhat.com/errata/RHSA-2022:0205

Comment 26 errata-xmlrpc 2022-01-20 12:13:06 UTC
This issue has been addressed in the following products:

  Vert.x 4.1.8

Via RHSA-2022:0083 https://access.redhat.com/errata/RHSA-2022:0083

Comment 27 errata-xmlrpc 2022-01-20 16:00:12 UTC
This issue has been addressed in the following products:

  EAP 7.4 log4j async

Via RHSA-2022:0216 https://access.redhat.com/errata/RHSA-2022:0216

Comment 28 errata-xmlrpc 2022-01-20 18:54:36 UTC
This issue has been addressed in the following products:

  Red Hat Integration Camel Extensions for Quarkus 2.2

Via RHSA-2022:0222 https://access.redhat.com/errata/RHSA-2022:0222

Comment 29 errata-xmlrpc 2022-01-20 18:56:55 UTC
This issue has been addressed in the following products:

  Red Hat Integration Camel-K 1.6.3

Via RHSA-2022:0223 https://access.redhat.com/errata/RHSA-2022:0223

Comment 30 errata-xmlrpc 2022-04-11 12:56:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:1296 https://access.redhat.com/errata/RHSA-2022:1296

Comment 31 errata-xmlrpc 2022-04-11 12:58:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:1297 https://access.redhat.com/errata/RHSA-2022:1297

Comment 32 errata-xmlrpc 2022-04-11 13:00:55 UTC
This issue has been addressed in the following products:

  EAP 7.4.4 release

Via RHSA-2022:1299 https://access.redhat.com/errata/RHSA-2022:1299


Note You need to log in before you can comment on or make changes to this bug.