CVE-2021-44228 flaw in Apache Log4j versions 2.0.0 and before 2.15.0

    CVE-2021-44228 Log4j

    See security bulletin for updates on log4j issue and recommendations to manage the risk. Additional resource: FAQ

    Please see the relevant official Red Hat links below for specifics relating to this matter; they provide the appropriate actions to take:

    Description

    • A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters can execute arbitrary code on the server via a JNDI LDAP endpoint.

    Vulnerability Response

    https://access.redhat.com/security/vulnerabilities/RHSB-2021-009

    Statement

    This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:

    • A remotely accessible endpoint with any protocol (HTTP, TCP, etc.) that allows an attacker to send arbitrary data,
    • A log statement in the endpoint that logs the attacker controlled data.

    Not Affected Products:

    The following products are NOT affected by this flaw and have been explicitly listed here for the benefit of Red Hat customers.

    • RHEL 6, RHEL 7, RHEL 8
    • Red Hat Cost Management
    • Red Hat Advanced Cluster Management for Kubernetes
    • Red Hat Ansible Automation Platform (Engine and Tower)
    • Red Hat Certificate System
    • Red Hat Directory Server
    • Red Hat Identity Management
    • Red Hat CloudForms
    • Red Hat Update Infrastructure
    • Red Hat Satellite

    Affected products:

    The following Red Hat product versions are directly affected:

    • Red Hat JBoss (various, please see this link)
    • Red Hat CodeReady Studio 12
    • Red Hat OpenStack Platform 13
    • Red Hat Integration Camel K
    • Red Hat Integration Camel Quarkus
    • Red Hat OpenShift Application Runtimes Vert.X 4
    • Red Hat Fuse 7
    • Red Hat OpenShift 4
    • Red Hat OpenShift 3.11
    • Red Hat OpenShift Logging
    • Red Hat Data Grid 8
    • Red Hat AMQ Streaming

    MITIGATION

    Please refer to specific mitigation steps at this Red Hat link: https://access.redhat.com/security/cve/cve-2021-44228

    OpenShift 4/OpenShift Logging

    Affected and Unaffected Products and Packages

    Please see this Red Hat link for the entire list of affected/unaffected products/packages.

    Red Hat Security Bulletin

    RHSB-2021-009 Log4shell Remote Code Execution

    External References

    Regards,
    RJ
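The post gives the affected range as log4j 2.0.0 up to but not including 2.15.0. The following script, added here as an illustration and not code from Red Hat, Apache, or the poster, walks a directory tree, finds log4j-core JARs, reads their version, and flags any inside that range. It assumes the standard Maven layout (a `pom.properties` at `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`) or a `log4j-core-<version>.jar` filename, and it compares pre-release qualifiers such as `2.0-beta9` by numeric prefix only, so they are flagged rather than skipped. The sample JARs it builds are constructed in a temporary directory and contain only the properties file.

```python
"""Scan a directory tree for log4j-core JARs and flag versions in the
CVE-2021-44228 affected range named in the post (2.0.0 <= v < 2.15.0).

Added example, not Red Hat's or Apache's code. Assumptions:
  - a log4j-core JAR carries Maven metadata at POM_PROPERTIES (standard
    Maven layout), or is named log4j-core-<version>.jar;
  - pre-release qualifiers (e.g. 2.0-beta9) are ignored, so such builds
    are compared by their numeric prefix and therefore flagged.
"""
import os
import re
import tempfile
import zipfile

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
AFFECTED_FROM = (2, 0, 0)   # inclusive: "from 2.0.0" in the post
FIXED_IN = (2, 15, 0)       # exclusive: "before 2.15.0" in the post
FILENAME_RE = re.compile(r"log4j-core-([0-9][0-9A-Za-z.\-]*)\.jar$")


def parse_version(version):
    """Return (major, minor, patch) from '2.14.1' or '2.0-beta9'; None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True when the version lies in [AFFECTED_FROM, FIXED_IN)."""
    v = parse_version(version)
    return v is not None and AFFECTED_FROM <= v < FIXED_IN


def jar_version(path):
    """Read the log4j-core version from pom.properties, falling back to the filename."""
    try:
        with zipfile.ZipFile(path) as zf:
            if POM_PROPERTIES in zf.namelist():
                text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        pass  # not a valid archive; the filename may still tell us the version
    m = FILENAME_RE.search(os.path.basename(path))
    return m.group(1) if m else None


def scan(root):
    """Return a sorted list of (path, version, affected) for log4j-core JARs under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if "log4j-core" in name and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                affected = version is not None and is_affected(version)
                findings.append((path, version, affected))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: three minimal JARs holding only pom.properties (no classes)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    for version in ("2.14.1", "2.15.0", "2.0.0"):
        path = os.path.join(root, f"log4j-core-{version}.jar")
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
    return root


if __name__ == "__main__":
    for path, version, affected in scan(build_sample_tree()):
        print(f"{'AFFECTED' if affected else 'ok      '} {str(version):8} {path}")
```

Run it against a real install root instead of `build_sample_tree()` to get an inventory; a JAR reported without a version (`None`) still deserves a manual look, since the script only trusts Maven metadata or the filename.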
