CVE-2021-44228 flaw in Apache Log4j versions from 2.0.0 and before 2.15.0

CVE-2021-44228 Log4j

See the security bulletin for updates on the log4j issue and recommendations to manage the risk. Additional resource: FAQ

Please see the relevant official Red Hat links below for specifics relating to this matter. The Red Hat links below provide appropriate actions to take:

Description

  • A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters can execute arbitrary code on the server via a JNDI LDAP endpoint.

Vulnerability Response

https://access.redhat.com/security/vulnerabilities/RHSB-2021-009

Statement

This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:

  • A remotely accessible endpoint with any protocol (HTTP, TCP, etc.) that allows an attacker to send arbitrary data,
  • A log statement in the endpoint that logs the attacker controlled data.

Not affected products:

The following products are NOT affected by this flaw and have been explicitly listed here for the benefit of Red Hat customers.

  • RHEL 6, RHEL 7, RHEL 8
  • Red Hat Cost Management
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Ansible Automation Platform (Engine and Tower)
  • Red Hat Certificate System
  • Red Hat Directory Server
  • Red Hat Identity Management
  • Red Hat CloudForms
  • Red Hat Update Infrastructure
  • Red Hat Satellite

Affected products:

The following Red Hat product versions are directly affected:

  • Red Hat JBoss (various, please see this link)
  • Red Hat CodeReady Studio 12
  • Red Hat OpenStack Platform 13
  • Red Hat Integration Camel K
  • Red Hat Integration Camel Quarkus
  • Red Hat OpenShift Application Runtimes Vert.X 4
  • Red Hat Fuse 7
  • Red Hat OpenShift 4
  • Red Hat OpenShift 3.11
  • Red Hat OpenShift Logging
  • Red Hat Data Grid 8
  • Red Hat AMQ Streaming

Mitigation

Please refer to specific mitigation steps at this Red Hat link: https://access.redhat.com/security/cve/cve-2021-44228

OpenShift 4/OpenShift Logging

Affected and Unaffected Products and Packages

Please see this Red Hat link for the entire list of affected/unaffected products/packages.

Red Hat Security Bulletin

RHSB-2021-009 Log4shell Remote Code Execution

External References

Regards,
RJ
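As an added example (not part of RJ's post or of Red Hat's guidance), a small Python check that applies the affected range stated above to a log4j-core jar: it reads the Maven version from pom.properties and reports whether the jar falls in 2.0.0 <= version < 2.15.0 and still ships JndiLookup.class, whose removal from the classpath is a known mitigation. The sample jars are constructed in memory, and treating a pre-release suffix as its base version is an assumption.

```python
import io
import re
import zipfile

# Affected range as stated in the advisory: 2.0.0 <= version < 2.15.0
AFFECTED_LOW = (2, 0, 0)
FIXED = (2, 15, 0)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"

def parse_version(text):
    """Turn '2.14.1' or '2.15.0-rc1' into a comparable tuple.
    Assumption: a pre-release suffix is treated as its base version."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-.].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected(version):
    return AFFECTED_LOW <= parse_version(version) < FIXED

def jar_exposure(jar_bytes):
    """Inspect a log4j-core jar: returns (version, has_jndi_lookup, affected).
    A jar is reported affected only if its version is in range AND the
    JndiLookup class is still present (deleting it is a known mitigation)."""
    version, has_jndi = None, False
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            if name == JNDI_CLASS:
                has_jndi = True
            elif name.startswith(POM_PREFIX) and name.endswith("pom.properties"):
                m = re.search(r"^version=(.*)$", z.read(name).decode(), re.M)
                if m:
                    version = m.group(1).strip()
    affected = has_jndi and version is not None and is_affected(version)
    return version, has_jndi, affected

def build_sample_jar(version, include_jndi=True):
    """Constructed in-memory stand-in for a log4j-core jar (fixture, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PREFIX + "pom.properties", f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()

if __name__ == "__main__":
    for ver, jndi in (("2.14.1", True), ("2.15.0", True), ("2.14.1", False)):
        print(ver, jar_exposure(build_sample_jar(ver, jndi)))
```

To scan a real deployment, pass the bytes of each log4j-core jar found on the classpath to jar_exposure and treat any result with affected set to True as needing the vendor fix linked above.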
