Which Log4j 2.x CVEs do the 7.8 - 7.10 CVE patches fix?
Issue
The Fuse 7.8, 7.9 and 7.10 Log4j 2.x CVE patches appear to fix different sets of Log4j CVEs, according to the output of the patch:show Karaf command and the patch-maven-plugin.
Fuse 7.10 Patch 1
Lists four CVE fixes:
karaf@root()> patch:show fuse-karaf-maintenance-patch-7.10.0.fuse-sb2-7_10_0-00019-redhat-00002
Patch ID: fuse-karaf-maintenance-patch-7.10.0.fuse-sb2-7_10_0-00019-redhat-00002
Patch Commit ID: b105506c8642b2962e78b5ccea53a4646adba3ca
#### 4 CVE fixes:
- CVE-2021-44228: log4j-core: remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2030932
CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
- CVE-2021-45046: log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern
Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2032580
CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45046
- CVE-2021-45105: log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern
Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2034067
CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45105
- CVE-2021-44832: log4j-core: remote code execution via JDBC Appender
Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2035951
CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44832
Fuse 7.9 Patch 1
Lists two CVE fixes:
karaf@root()> patch:show fuse-karaf-maintenance-patch-7.9.0.fuse-sb2-790067-redhat-00002
Patch ID: fuse-karaf-maintenance-patch-7.9.0.fuse-sb2-790067-redhat-00002
Patch Commit ID: a6fe0535e0f4b29f5f1d6146f59875a272b4015f
#### 2 CVE fixes:
- CVE-2021-44228: log4j-core: remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2030932
CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
- CVE-2021-44832: log4j-core: remote code execution via JDBC Appender
Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2035951
CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44832
Fuse 7.8 Patch 2
Lists three CVE fixes:
karaf@root()> patch:show fuse-karaf-maintenance-patch-7.8.0.fuse-sb2-780051-redhat-00001
Patch ID: fuse-karaf-maintenance-patch-7.8.0.fuse-sb2-780051-redhat-00001
Patch Commit ID: c135681313123cfb2a010e84ed96a76b14249ee8
#### 3 CVE fixes:
- CVE-2020-28052: bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=1912881
CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28052
- CVE-2021-44228: log4j-core: remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2030932
CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
- CVE-2021-44832: log4j-core: remote code execution via JDBC Appender
Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=2035951
CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44832
Similar output is provided by the patch-maven-plugin for Spring Boot.
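The three listings above differ only in which CVE bullets they carry, so the comparison can be automated. The following Python script is an added example, not part of this article or of the Fuse patch tooling: it parses patch:show output into CVE ids and components, keeps the Log4j entries, reports which Log4j CVEs each patch lists relative to the others, and checks that the number of bullets matches the "#### N CVE fixes:" header. The sample input is constructed from the listings quoted above (link lines omitted, since the parser does not use them); the patch names are the section labels used in this article.

```python
import re
from typing import Dict, Set

# Constructed sample: the Patch ID, "#### N CVE fixes:" header and CVE bullet
# lines from the three patch:show listings quoted in the issue above. The
# Bugzilla and CVE link lines are omitted because the parser does not need them.
PATCH_SHOW_OUTPUT = {
    "Fuse 7.10 Patch 1": """\
Patch ID: fuse-karaf-maintenance-patch-7.10.0.fuse-sb2-7_10_0-00019-redhat-00002
#### 4 CVE fixes:
- CVE-2021-44228: log4j-core: remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
- CVE-2021-45046: log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern
- CVE-2021-45105: log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern
- CVE-2021-44832: log4j-core: remote code execution via JDBC Appender
""",
    "Fuse 7.9 Patch 1": """\
Patch ID: fuse-karaf-maintenance-patch-7.9.0.fuse-sb2-790067-redhat-00002
#### 2 CVE fixes:
- CVE-2021-44228: log4j-core: remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
- CVE-2021-44832: log4j-core: remote code execution via JDBC Appender
""",
    "Fuse 7.8 Patch 2": """\
Patch ID: fuse-karaf-maintenance-patch-7.8.0.fuse-sb2-780051-redhat-00001
#### 3 CVE fixes:
- CVE-2020-28052: bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
- CVE-2021-44228: log4j-core: remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
- CVE-2021-44832: log4j-core: remote code execution via JDBC Appender
""",
}

# One bullet per fixed CVE: "- CVE-YYYY-NNNN: <component>: <description>"
CVE_LINE = re.compile(r"^- (CVE-\d{4}-\d{4,7}): ([^:]+): (.+)$")
# Header stating how many CVE fixes the patch claims to carry.
COUNT_LINE = re.compile(r"^#### (\d+) CVE fixes:")


def parse_cve_fixes(text: str) -> Dict[str, str]:
    """Map each CVE id in a patch:show listing to the component it names."""
    fixes: Dict[str, str] = {}
    for line in text.splitlines():
        m = CVE_LINE.match(line.strip())
        if m:
            fixes[m.group(1)] = m.group(2).strip()
    return fixes


def declared_fix_count(text: str) -> int:
    """Return N from the '#### N CVE fixes:' header, or -1 if the header is absent."""
    for line in text.splitlines():
        m = COUNT_LINE.match(line.strip())
        if m:
            return int(m.group(1))
    return -1


def log4j_cves(fixes: Dict[str, str]) -> Set[str]:
    """Keep only the CVEs whose component is a Log4j artifact (e.g. log4j-core)."""
    return {cve for cve, component in fixes.items() if component.startswith("log4j")}


def compare_patches(outputs: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """For each patch report: its Log4j CVEs, the Log4j CVEs that only other
    patches list, and whether the bullet count matches the declared header."""
    per_patch = {name: parse_cve_fixes(text) for name, text in outputs.items()}
    log4j_sets = {name: log4j_cves(fixes) for name, fixes in per_patch.items()}
    all_log4j: Set[str] = set().union(*log4j_sets.values())
    report: Dict[str, Dict[str, object]] = {}
    for name, text in outputs.items():
        report[name] = {
            "log4j_fixed": sorted(log4j_sets[name]),
            "log4j_missing": sorted(all_log4j - log4j_sets[name]),
            "count_matches_header": declared_fix_count(text) == len(per_patch[name]),
        }
    return report


if __name__ == "__main__":
    for patch, result in compare_patches(PATCH_SHOW_OUTPUT).items():
        print(patch)
        print("  Log4j CVEs listed:     ", ", ".join(result["log4j_fixed"]))
        print("  listed elsewhere only: ", ", ".join(result["log4j_missing"]) or "none")
        print("  header count matches:  ", result["count_matches_header"])
```

Run as-is to reproduce the comparison for the three listings above; to check a different installation, replace the sample text with the output of patch:show for the patch in question. The filter on the component prefix is what separates the Log4j entries from unrelated fixes such as the bouncycastle CVE in the 7.8 patch.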
Environment
- Red Hat Fuse
- Log4j CVEs