CVE-2021-44228 flaw in Apache Log4j versions 2.0.0 and before 2.15.0

Comments 3

CVE-2021-44228 Log4j

See security bulletin for updates on log4j issue and recommendations to manage the risk. Additional resource: FAQ

Please see the below relevant official Red Hat links below for specifics relating to this matter. The Red Hat links below provide appropriate actions to take.:

Description

A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.

Vulnerability Response

https://access.redhat.com/security/vulnerabilities/RHSB-2021-009

Statement

This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:

A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,
A log statement in the endpoint that logs the attacker controlled data.

Not Affected Products:

The following products are NOT affected by this flaw and have been explicitly listed here for the benefit of Red Hat customers.

RHEL 6, RHEL 7, RHEL 8
Red Hat Cost Management
Red Hat Advanced Cluster Management for Kubernetes
Red Hat Ansible Automation Platform (Engine and Tower)
Red Hat Certificate System
Red Hat Directory Server
Red Hat Identity Management
Red Hat CloudForms
Red Hat Update Infrastructure
Red Hat Satellite

Affected products:

The following Red Hat product versions are directly affected:

Red Hat JBoss (various, please see this link)
Red Hat CodeReady Studio 12
Red Hat OpenStack Platform 13
Red Hat Integration Camel K
Red Hat Integration Camel Quarkus
Red Hat OpenShift Application Runtimes Vert.X 4
Red Hat Fuse 7
Red Hat OpenShift 4
Red Hat OpenShift 3.11
Red Hat OpenShift Logging
Red Hat Data Grid 8
Red Hat AMQ Streaming

MITIGATION

Please refer to specific mitigation steps at this Red Hat link: https://access.redhat.com/security/cve/cve-2021-44228

OpenShift 4/OpenShift Logging

On OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following this article: https://access.redhat.com/solutions/6578421

Affected and Unaffected Products and Packages

Please see this Red Hat link for the entire list of affected/unaffected products/packages.

Red Hat Security Bulletin

RHSB-2021-009 Log4shell Remote Code Execution

External References

Regards,
RJ

Started 2021-12-14T16:48:23+00:00 by

RJ Hinton

Community Leader Guru 23283 points

Responses

Guru 23283 points

14 December 2021 4:55 PM

RJ Hinton

Community Leader

Please see official links from Red Hat above for specific packages, products and mitigations.

Regards,
RJ

Guru 35315 points

24 December 2021 10:26 AM

Christian Labisch

Community Leader

Thank you very much for this extremely useful summary, RJ ... everything one has to know in one place - great ! :)

Regards,
Christian

Guru 12851 points

24 December 2021 11:22 AM

ir. Jan Gerrit Kootstra

RHCSA Community Leader

Hi RJ,

A great summary.

All above applies to the log4j components that Red Hat distributes.

Always check with the application vendors what versions of log4j components they included in the software

Regards,

Jan Gerrit

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation