https://bugzilla.redhat.com/show_bug.cgi?id=2034067
Bug ID: 2034067
Summary: CVE-2021-45105 log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: jwon@redhat.com
CC: aboyko@redhat.com, ahenning@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, aos-bugs@redhat.com, asoldano@redhat.com, atangrin@redhat.com, avibelli@redhat.com, bbaranow@redhat.com, bdettelb@redhat.com, bgeorges@redhat.com, bmaxwell@redhat.com, bmontgom@redhat.com, brian.stansberry@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, clement.escoffier@redhat.com, crarobin@redhat.com, dandread@redhat.com, darran.lofthouse@redhat.com, dbhole@redhat.com, devrim@gunduz.org, dkreling@redhat.com, dosoudil@redhat.com, eleandro@redhat.com, eparis@redhat.com, etirelli@redhat.com, ewolinet@redhat.com, fjuma@redhat.com, gsmet@redhat.com, hamadhan@redhat.com, ibek@redhat.com, iweiss@redhat.com, java-sig-commits@lists.fedoraproject.org, jburrell@redhat.com, jcantril@redhat.com, jmadigan@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jrokos@redhat.com, jstastny@redhat.com, jwon@redhat.com, kaycoth@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, lgao@redhat.com, lthon@redhat.com, mizdebsk@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, mszynkie@redhat.com, ngough@redhat.com, nstielau@redhat.com, nwallace@redhat.com, pamccart@redhat.com, paul.wouters@aiven.io, peholase@redhat.com, pgallagh@redhat.com, pjindal@redhat.com, pmackay@redhat.com, probinso@redhat.com, pskopek@redhat.com, rguimara@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, sbiarozk@redhat.com, sd-operator-metering@redhat.com, sdouglas@redhat.com, sguilhen@redhat.com, smaestri@redhat.com, sponnaga@redhat.com, tflannag@redhat.com, tom.jenkinson@redhat.com, tzimanyi@redhat.com, vkumar@redhat.com, yborgess@redhat.com
Blocks: 2030930
Target Milestone: ---
Classification: Other
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is a denial of service (DoS).
This issue is being tracked as LOG4J2-3230
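To make the mechanism in the description concrete, the following toy model of the string substitution is added here; it is not log4j-core's StrSubstitutor and not Red Hat code, and it leaves out most of the real class (default values, config-time expansion, the cycle-name check), keeping only what the advisory describes: a lookup in the PatternLayout is resolved against the MDC on every event, and before 2.17.0 the value a lookup returned was fed back into the substitutor. The MDC values, patterns and message are constructed sample input. It shows why $${ctx:loginId} in a PatternLayout is the dangerous ingredient and why %X{loginId} is not.

```python
"""
Toy model of the string-substitution behaviour behind CVE-2021-45105.

Added illustration, not code from log4j-core, Apache or Red Hat. Only the
re-substitution of lookup output that the advisory describes is modelled;
the real StrSubstitutor has more machinery than this. All input is constructed.
"""
import re

# Innermost ${...} with no nested '${' inside the braces.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def resolve(expr: str, mdc: dict):
    """Resolve one lookup body such as 'ctx:loginId' against the MDC.
    Returns None for lookups this toy does not implement."""
    prefix, sep, key = expr.partition(":")
    if sep and prefix == "ctx":
        return mdc.get(key, "")
    return None


def substitute_vulnerable(text: str, mdc: dict, pos: int = 0) -> str:
    """Pre-2.17.0 shape: splice the resolved value in, then substitute the
    buffer again from that point, with no depth bound. A value that itself
    contains '${ctx:...}' therefore re-enters this function forever."""
    m = LOOKUP.search(text, pos)
    if m is None:
        return text
    value = resolve(m.group(1), mdc)
    if value is None:                       # unknown lookup: leave it, move on
        return substitute_vulnerable(text, mdc, m.end())
    spliced = text[:m.start()] + value + text[m.end():]
    return substitute_vulnerable(spliced, mdc, m.start())


def substitute_hardened(text: str, mdc: dict) -> str:
    """2.17.0 shape for runtime data: resolve each lookup present in the
    pattern once and insert the result literally; lookup output is never
    handed back to the substitutor."""
    def once(m):
        value = resolve(m.group(1), mdc)
        return m.group(0) if value is None else value
    return LOOKUP.sub(once, text)


def render(pattern: str, mdc: dict, message: str, substitute) -> str:
    """Format one event. '$$' is unescaped when the configuration is parsed,
    so '$${ctx:loginId}' reaches the substitutor as '${ctx:loginId}' on
    every event. '%X{key}' copies the MDC value verbatim and is never
    substituted, which is exactly why the advisory recommends it."""
    expanded = substitute(pattern.replace("$$", "$"), mdc)
    return re.sub(
        r"%X\{([^}]*)\}|%m",
        lambda m: message if m.group(0) == "%m" else mdc.get(m.group(1), ""),
        expanded,
    )


def demo() -> dict:
    """Run the configurations the advisory contrasts and report the outcome."""
    attacker_mdc = {"loginId": "${ctx:loginId}"}   # constructed self-referential value
    results = {
        "mdc_pattern_vulnerable": render("[%X{loginId}] %m", attacker_mdc, "login", substitute_vulnerable),
        "lookup_pattern_hardened": render("[$${ctx:loginId}] %m", attacker_mdc, "login", substitute_hardened),
        "lookup_pattern_benign": render("[$${ctx:loginId}] %m", {"loginId": "alice"}, "login", substitute_vulnerable),
    }
    try:
        render("[$${ctx:loginId}] %m", attacker_mdc, "login", substitute_vulnerable)
        results["lookup_pattern_vulnerable"] = "returned"
    except RecursionError:                  # Python's analogue of StackOverflowError
        results["lookup_pattern_vulnerable"] = "RecursionError"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26s} {outcome}")
```

Only the combination of a lookup in the pattern and the pre-2.17.0 substitutor blows the stack; the same attacker value rendered through %X{loginId} is copied through as an inert string, and the hardened substitutor inserts the lookup's result without expanding it again.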
Mitigation:
Implement one of the following mitigation techniques:
* Java 8 (or later) users should upgrade to release 2.17.0. (The Fixed In Version field of this bug was later extended to log4j 2.12.3 and log4j 2.3.1, the corresponding fixed releases of the Java 7 and Java 6 branches.)
Alternatively, this can be mitigated in configuration:
* In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
* Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
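The configuration mitigation above is easy to miss in a large deployment, so here is a small audit script, added to this page (not a Red Hat or Apache tool), that scans a log4j2.xml for PatternLayout context lookups and produces the %X{...} form of each pattern. The configuration it runs on is constructed; the element and attribute names it relies on (PatternLayout with a pattern attribute or a nested Pattern element, the appender name attribute) are the standard log4j2.xml ones.

```python
"""
Audit a log4j2.xml for the PatternLayout context lookups that CVE-2021-45105
turns into a DoS, and rewrite them to %X{...} as the mitigation describes.

Added example for this page, not a Red Hat or Apache tool. SAMPLE_CONFIG is
constructed input.
"""
import re
import xml.etree.ElementTree as ET

# ${ctx:NAME} (expanded when the configuration loads) or $${ctx:NAME}
# (expanded on every event), with an optional :-default. The advisory lists
# both spellings, so both are flagged.
CTX_LOOKUP = re.compile(r"\${1,2}\{ctx:([^}:]+)(?::-[^}]*)?\}")

SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=$${ctx:loginId} - %m%n"/>
    </Console>
    <File name="audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %p session=${ctx:sessionId:-none} %c{1.} %m%n</Pattern>
      </PatternLayout>
    </File>
    <File name="app" fileName="app.log">
      <PatternLayout pattern="%d %p user=%X{loginId} %m%n"/>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="stdout"/><AppenderRef ref="audit"/><AppenderRef ref="app"/>
    </Root>
  </Loggers>
</Configuration>
"""


def rewrite_pattern(pattern: str) -> str:
    """Replace each context lookup with %X{NAME}. %X copies the MDC value into
    the output verbatim, so the value is never handed to the string
    substitutor. Any :-default is dropped: %X{NAME} renders a missing key as
    an empty string, so adjust the surrounding text if a placeholder matters."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", pattern)


def _layout_pattern(layout):
    """PatternLayout takes the pattern as an attribute or a nested <Pattern>."""
    if layout.get("pattern") is not None:
        return layout.get("pattern")
    node = layout.find("Pattern")
    return node.text if node is not None else None


def audit(xml_text: str):
    """Return (appender name, original pattern, rewritten pattern) for every
    PatternLayout whose pattern contains a context lookup, in document order."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for layout in root.iter("PatternLayout"):
        pattern = _layout_pattern(layout)
        if pattern and CTX_LOOKUP.search(pattern):
            findings.append((parent[layout].get("name"), pattern, rewrite_pattern(pattern)))
    return findings


def fix_config(xml_text: str) -> str:
    """Return the configuration with every flagged pattern rewritten in place."""
    root = ET.fromstring(xml_text)
    for layout in root.iter("PatternLayout"):
        if layout.get("pattern") is not None:
            layout.set("pattern", rewrite_pattern(layout.get("pattern")))
        node = layout.find("Pattern")
        if node is not None and node.text:
            node.text = rewrite_pattern(node.text)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for appender, before, after in audit(SAMPLE_CONFIG):
        print(f"{appender}:\n  before: {before}\n  after:  {after}")
```

Run it against each log4j2.xml you ship; an empty finding list means no PatternLayout in that file hands MDC data to the substitutor. It does not cover patterns set programmatically or in properties/JSON/YAML configurations, and it is a stop-gap until log4j-core is upgraded.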
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
References:
https://logging.apache.org/log4j/2.x/security.html
https://www.openwall.com/lists/oss-security/2021/12/19/1
https://issues.apache.org/jira/browse/LOG4J2-3230
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What       | Removed | Added
-----------|---------|--------
Depends On |         | 2034082
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2034082 [Bug 2034082] CVE-2021-45105 log4j: log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern [fedora-all]
--- Comment #1 from Huzaifa S. Sidhpurwala huzaifas@redhat.com --- Created log4j tracking bugs for this issue:
Affects: fedora-all [bug 2034082]
--- Comment #2 from Huzaifa S. Sidhpurwala huzaifas@redhat.com --- Upstream patch: https://github.com/apache/logging-log4j2/commit/806023265f8c905b2dd1d81fd245...
Sam Fowler sfowler@redhat.com changed:
What       | Removed | Added
-----------|---------|-----------------
Depends On |         | 2034083, 2034084
Sam Fowler sfowler@redhat.com changed:
What       | Removed | Added
-----------|---------|--------------------------
Depends On |         | 2034091, 2034089, 2034090
--- Doc Text *updated* by Paramvir jindal pjindal@redhat.com --- A flaw was found in the Apache Log4j logging library 2.x when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.
Florencio Cano fcanogab@redhat.com changed:
What       | Removed | Added
-----------|---------|--------
Depends On |         | 2034148
Florencio Cano fcanogab@redhat.com changed:
What | Removed | Added
-----|---------|--------------------
CC   |         | fcanogab@redhat.com
--- Comment #16 from Yadnyawalk Tale ytale@redhat.com --- Red Hat Satellite bundles log4j-over-slf4j with Candlepin; however, the product is not affected as it uses the logback framework for logging.
Bin Hu bihu@redhat.com changed:
What | Removed | Added
-----|---------|----------------
CC   |         | bihu@redhat.com
--- Comment #17 from Bin Hu bihu@redhat.com --- Will JWS 3.x/5.x and Apache httpd also be affected?
--- Comment #18 from Bin Hu bihu@redhat.com --- Is AMQ broker 7.x affected?
Sam Fowler sfowler@redhat.com changed:
What       | Removed | Added
-----------|---------|--------
Depends On |         | 2030985
--- Comment #19 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-45105
Product Security DevOps Team prodsec-dev@redhat.com changed:
What        | Removed | Added
------------|---------|--------------------
Status      | NEW     | CLOSED
Resolution  | ---     | ERRATA
Last Closed |         | 2021-12-22 00:20:31
--- Comment #20 from Ted Jongseok Won jwon@redhat.com --- In reply to comment #17:
will JWS 3.x/5.x and Apache httpd also get affected?
They are not affected.
Mithilesh Kaur Bagga mbagga@redhat.com changed:
What  | Removed | Added
------|---------|------------------------------------------------------
CC    |         | mbagga@redhat.com, security-response-team@redhat.com
Flags |         | needinfo?(security-response-team@redhat.com)
--- Comment #21 from Mithilesh Kaur Bagga mbagga@redhat.com --- Hello Team,
Is this https://access.redhat.com/security/cve/cve-2021-45105 fixed in Openshift 3.11.570?
Looking for RHSA but the CVE page didn't update: https://access.redhat.com/security/cve/cve-2021-45105
Please help with the same.
Product Security DevOps Team prodsec-dev@redhat.com changed:
What  | Removed                                      | Added
------|----------------------------------------------|---------------------------
Flags | needinfo?(security-response-team@redhat.com) | needinfo?(jwon@redhat.com)
Yasuhiro Ozone yozone@redhat.com changed:
What  | Removed | Added
------|---------|---------------------------------------------
Flags |         | needinfo?(security-response-team@redhat.com)
Product Security DevOps Team prodsec-dev@redhat.com changed:
What  | Removed                                      | Added
------|----------------------------------------------|---------------------------
Flags | needinfo?(security-response-team@redhat.com) | needinfo?(jwon@redhat.com)
Sam Fowler sfowler@redhat.com changed:
What | Removed | Added
-----|---------|-------------------
CC   |         | sfowler@redhat.com
Ted Jongseok Won jwon@redhat.com changed:
What  | Removed                    | Added
------|----------------------------|---------------------------
Flags | needinfo?(jwon@redhat.com) | needinfo?(jwon@redhat.com)
Ted Jongseok Won jwon@redhat.com changed:
What             | Removed      | Added
-----------------|--------------|-----------------------------------------
Fixed In Version | log4j 2.17.0 | log4j 2.17.0, log4j 2.12.3, log4j 2.3.1
Yasuhiro Ozone yozone@redhat.com changed:
What  | Removed | Added
------|---------|---------------------------------------------
Flags |         | needinfo?(security-response-team@redhat.com)
Product Security DevOps Team prodsec-dev@redhat.com changed:
What  | Removed                                      | Added
------|----------------------------------------------|---------------------------
Flags | needinfo?(security-response-team@redhat.com) | needinfo?(jwon@redhat.com)
Ted Jongseok Won jwon@redhat.com changed:
What  | Removed                    | Added
------|----------------------------|----------------------------
CC    |                            | ytale@redhat.com
Flags | needinfo?(jwon@redhat.com) | needinfo?(ytale@redhat.com)
Yadnyawalk Tale ytale@redhat.com changed:
What  | Removed                     | Added
------|-----------------------------|------
Flags | needinfo?(ytale@redhat.com) |
Rahul Rajendran rpalathi@redhat.com changed:
What  | Removed | Added
------|---------|---------------------------------------------
CC    |         | rpalathi@redhat.com
Flags |         | needinfo?(security-response-team@redhat.com)
Product Security DevOps Team prodsec-dev@redhat.com changed:
What  | Removed                                      | Added
------|----------------------------------------------|---------------------------
Flags | needinfo?(security-response-team@redhat.com) | needinfo?(jwon@redhat.com)
Ted Jongseok Won jwon@redhat.com changed:
What  | Removed                    | Added
------|----------------------------|----------------------------
CC    |                            | hvyas@redhat.com
Flags | needinfo?(jwon@redhat.com) | needinfo?(hvyas@redhat.com)
Hardik Vyas hvyas@redhat.com changed:
What  | Removed                     | Added
------|-----------------------------|------
Flags | needinfo?(hvyas@redhat.com) |
--- Comment #35 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
OpenShift Logging 5.1
Via RHSA-2022:0042 https://access.redhat.com/errata/RHSA-2022:0042
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:0042
--- Comment #36 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
OpenShift Logging 5.2
Via RHSA-2022:0043 https://access.redhat.com/errata/RHSA-2022:0043
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:0043
--- Comment #37 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
OpenShift Logging 5.3
Via RHSA-2022:0044 https://access.redhat.com/errata/RHSA-2022:0044
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:0044
--- Comment #38 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
OpenShift Logging 5.0
Via RHSA-2022:0047 https://access.redhat.com/errata/RHSA-2022:0047
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:0047
--- Comment #39 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.6
Via RHSA-2022:0026 https://access.redhat.com/errata/RHSA-2022:0026
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:0026
--- Comment #40 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.8.2, 7.9.1, 7.10.1
Via RHSA-2022:0203 https://access.redhat.com/errata/RHSA-2022:0203
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:0203
--- Comment #41 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Data Grid 8.2.3
Via RHSA-2022:0205 https://access.redhat.com/errata/RHSA-2022:0205
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:0205
--- Comment #42 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Vert.x 4.1.8
Via RHSA-2022:0083 https://access.redhat.com/errata/RHSA-2022:0083
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:0083
--- Comment #43 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
EAP 7.4 log4j async
Via RHSA-2022:0216 https://access.redhat.com/errata/RHSA-2022:0216
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:0216
--- Comment #44 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ Streams 1.6.6
Via RHSA-2022:0219 https://access.redhat.com/errata/RHSA-2022:0219
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:0219
--- Comment #45 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Integration Camel Extensions for Quarkus 2.2
Via RHSA-2022:0222 https://access.redhat.com/errata/RHSA-2022:0222
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:0222
--- Comment #46 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Integration Camel-K 1.6.3
Via RHSA-2022:0223 https://access.redhat.com/errata/RHSA-2022:0223
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:0223
--- Comment #47 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
Via RHSA-2022:1296 https://access.redhat.com/errata/RHSA-2022:1296
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:1296
--- Comment #48 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Via RHSA-2022:1297 https://access.redhat.com/errata/RHSA-2022:1297
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:1297
--- Comment #49 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
EAP 7.4.4 release
Via RHSA-2022:1299 https://access.redhat.com/errata/RHSA-2022:1299
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:1299
--- Comment #50 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Single Sign-On
Via RHSA-2022:1469 https://access.redhat.com/errata/RHSA-2022:1469
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:1469
--- Comment #51 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Single Sign-On 7.5 for RHEL 7
Via RHSA-2022:1462 https://access.redhat.com/errata/RHSA-2022:1462
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:1462
--- Comment #52 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Single Sign-On 7.5 for RHEL 8
Via RHSA-2022:1463 https://access.redhat.com/errata/RHSA-2022:1463
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------|---------|--------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:1463
Bug 2034067 depends on bug 2034082, which changed state.
Bug 2034082 Summary: CVE-2021-45105 log4j: log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2034082
What       | Removed | Added
-----------|---------|-------
Status     | NEW     | CLOSED
Resolution | ---     | EOL