Updated log4j packages fix security vulnerability
Publication date: 11 Dec 2021Modification date: 11 Dec 2021
Type: security
Affected Mageia releases : 8
CVE: CVE-2021-44228
Description
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages,
and parameters do not protect against attacker controlled LDAP and other
JNDI related endpoints. An attacker who can control log messages or log
message parameters can execute arbitrary code loaded from LDAP servers
when message lookup substitution is enabled. From log4j 2.15.0, this
behavior has been disabled by default. (CVE-2021-44228)
References
SRPMS
8/core
- log4j-2.13.3-1.1.mga8