Which Log4j 2.x CVEs do the 7.8 - 7.10 CVE patches fix?

Solution Verified - Updated -

Issue

The Fuse 7.8, 7.9 and 7.10 Log4j 2.x CVE patches appear to fix different sets of Log4j CVEs, judging by the output of the patch:show Karaf command and of the patch-maven-plugin.

Fuse 7.10 Patch 1

Lists four CVE fixes:

karaf@root()> patch:show fuse-karaf-maintenance-patch-7.10.0.fuse-sb2-7_10_0-00019-redhat-00002
Patch ID: fuse-karaf-maintenance-patch-7.10.0.fuse-sb2-7_10_0-00019-redhat-00002
Patch Commit ID: b105506c8642b2962e78b5ccea53a4646adba3ca
#### 4 CVE fixes:
 - CVE-2021-44228: log4j-core: remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
   Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2030932
   CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
 - CVE-2021-45046: log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern
   Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2032580
   CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45046
 - CVE-2021-45105: log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern
   Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2034067
   CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45105
 - CVE-2021-44832: log4j-core: remote code execution via JDBC Appender
   Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2035951
   CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44832

Fuse 7.9 Patch 1

Lists two CVE fixes:

karaf@root()> patch:show fuse-karaf-maintenance-patch-7.9.0.fuse-sb2-790067-redhat-00002
Patch ID: fuse-karaf-maintenance-patch-7.9.0.fuse-sb2-790067-redhat-00002
Patch Commit ID: a6fe0535e0f4b29f5f1d6146f59875a272b4015f
#### 2 CVE fixes:
 - CVE-2021-44228: log4j-core: remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
   Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2030932
   CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
 - CVE-2021-44832: log4j-core: remote code execution via JDBC Appender
   Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2035951
   CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44832

Fuse 7.8 Patch 2

Lists three CVE fixes, two of which are Log4j CVEs (the third is a bouncycastle fix):

karaf@root()> patch:show fuse-karaf-maintenance-patch-7.8.0.fuse-sb2-780051-redhat-00001
Patch ID: fuse-karaf-maintenance-patch-7.8.0.fuse-sb2-780051-redhat-00001
Patch Commit ID: c135681313123cfb2a010e84ed96a76b14249ee8
#### 3 CVE fixes:
 - CVE-2020-28052: bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
   Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=1912881
   CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28052
 - CVE-2021-44228: log4j-core: remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
   Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2030932
   CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
 - CVE-2021-44832: log4j-core: remote code execution via JDBC Appender
   Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2035951
   CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44832

Similar output is provided by the patch-maven-plugin for Spring Boot.
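To compare the three listings without reading them by eye, the following added example (not Red Hat code) parses patch:show output, checks that the "#### N CVE fixes" header agrees with the number of entries, and reports, per patch, which log4j-core CVEs the other patches list but this one does not. The embedded inputs are abbreviated copies of the outputs quoted above.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample: abbreviated copies of the three patch:show outputs quoted above.
PATCH_SHOW_OUTPUTS = {
    "7.10 Patch 1": """Patch ID: fuse-karaf-maintenance-patch-7.10.0.fuse-sb2-7_10_0-00019-redhat-00002
#### 4 CVE fixes:
 - CVE-2021-44228: log4j-core: remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
 - CVE-2021-45046: log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern
 - CVE-2021-45105: log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern
 - CVE-2021-44832: log4j-core: remote code execution via JDBC Appender
""",
    "7.9 Patch 1": """Patch ID: fuse-karaf-maintenance-patch-7.9.0.fuse-sb2-790067-redhat-00002
#### 2 CVE fixes:
 - CVE-2021-44228: log4j-core: remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
 - CVE-2021-44832: log4j-core: remote code execution via JDBC Appender
""",
    "7.8 Patch 2": """Patch ID: fuse-karaf-maintenance-patch-7.8.0.fuse-sb2-780051-redhat-00001
#### 3 CVE fixes:
 - CVE-2020-28052: bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
 - CVE-2021-44228: log4j-core: remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
 - CVE-2021-44832: log4j-core: remote code execution via JDBC Appender
""",
}

# One CVE entry line looks like " - CVE-YYYY-NNNN: <component>: <description>".
CVE_LINE = re.compile(r"^\s*-\s*(CVE-\d{4}-\d{4,}):\s*([^:]+):", re.MULTILINE)
FIX_COUNT = re.compile(r"^####\s*(\d+)\s+CVE fixes", re.MULTILINE)


def parse_cves(patch_show_output: str, component: Optional[str] = None) -> Set[str]:
    """CVE IDs listed in one patch:show output, optionally restricted to one component."""
    return {cve for cve, comp in CVE_LINE.findall(patch_show_output)
            if component is None or comp.strip() == component}


def header_matches_entries(patch_show_output: str) -> bool:
    """Sanity check: the declared '#### N CVE fixes' count equals the number of entries."""
    match = FIX_COUNT.search(patch_show_output)
    return match is not None and int(match.group(1)) == len(parse_cves(patch_show_output))


def compare_patches(outputs: Dict[str, str], component: str = "log4j-core") -> Dict[str, Set[str]]:
    """Per patch: the component's CVEs that some other patch lists but this one does not."""
    per_patch = {name: parse_cves(text, component) for name, text in outputs.items()}
    union = set().union(*per_patch.values())
    return {name: union - cves for name, cves in per_patch.items()}


if __name__ == "__main__":
    for name, missing in sorted(compare_patches(PATCH_SHOW_OUTPUTS).items()):
        print(f"{name}: header consistent={header_matches_entries(PATCH_SHOW_OUTPUTS[name])}, "
              f"log4j-core CVEs not listed: {sorted(missing) or 'none'}")
```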

Environment
