Advisories » MGASA-2021-0566

Updated log4j packages fix security vulnerability

Publication date: 19 Dec 2021
Modification date: 19 Dec 2021
Type: security
Affected Mageia releases : 8
CVE: CVE-2021-45046

Description

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0
was incomplete in certain non-default configurations. This could allows
attackers with control over Thread Context Map (MDC) input data when the
logging configuration uses a non-default Pattern Layout with either a
Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map
pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI
Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0
makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by
default. Log4j 2.16.0 fixes this issue by removing support for message
lookup patterns and disabling JNDI functionality by default
(CVE-2021-45046).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=29766
• https://www.openwall.com/lists/oss-security/2021/12/14/4
• https://github.com/advisories/GHSA-7rjr-3q55-vv33
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

SRPMS

8/core

• log4j-2.16.0-1.mga8