Am I affected by CVE-2021-44228

Solution In Progress - Updated -

Environment

Red Hat Enterprise Linux 6,7,8

Issue

A flaw was found in the Java logging library Apache Log4j in versions from 2.0.0 and before as well as version 2.15.0. This allows a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.

Resolution

For details of the vulnerability and affected products, refer CVE 2021-44228

For more detailed information please refer to the security bulletin or the FAQ - CVE-2021-44228 Common Issues and Questions

Please note that only following products are impacted by this vulnerability

Red Hat CodeReady Studio 12
Red Hat OpenStack Platform 13
Red Hat Integration Camel K
Red Hat Integration Camel Quarkus
Red Hat OpenShift Application Runtimes Vert.X 4
Red Hat JBoss Fuse 7
Red Hat OpenShift 4
Red Hat OpenShift 3.11
Red Hat OpenShift Logging
Red Hat Data Grid 8
Red Hat JBoss AMQ Streaming

RHEL products are not included in the list as these are not impacted by this vulnerability.

Red Hat Enterprise Linux 6      log4j   Not affected           
Red Hat Enterprise Linux 7      log4j   Not affected   
Red Hat Enterprise Linux 8      parfait:0.5/log4j12     Not affected   

You can safely ignore this vulnerability on RHEL versions as this does not affect RHEL.

For concerns regarding version 1 of log4j please refer to CVE-2021-4104

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.