New subject: [Bug 2032580] CVE-2021-45046 log4j-core: thread context message pattern and context lookup pattern vulnerable to DoS

Tuesday, 14 December 2021

https://bugzilla.redhat.com/show_bug.cgi?id=2032580

            Bug ID: 2032580
           Summary: CVE-2021-45046 log4j-core: thread context message
                    pattern and  context lookup pattern vulnerable to DoS
           Product: Security Response
          Hardware: All
                OS: Linux
            Status: NEW
         Component: vulnerability
          Keywords: Security
          Severity: low
          Priority: low
          Assignee: security-response-team(a)redhat.com
          Reporter: gsuckevi(a)redhat.com
                CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
                    akoufoud(a)redhat.com, alazarot(a)redhat.com,
                    almorale(a)redhat.com, anstephe(a)redhat.com,
                    aos-bugs(a)redhat.com, asoldano(a)redhat.com,
                    atangrin(a)redhat.com, ataylor(a)redhat.com,
                    avibelli(a)redhat.com, bbaranow(a)redhat.com,
                    bbuckingham(a)redhat.com, bcourt(a)redhat.com,
                    bdettelb(a)redhat.com, bgeorges(a)redhat.com,
                    bibryam(a)redhat.com, bkearney(a)redhat.com,
                    bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
                    boliveir(a)redhat.com, brian.stansberry(a)redhat.com,
                    btotty(a)redhat.com, caswilli(a)redhat.com,
                    cdewolf(a)redhat.com, chazlett(a)redhat.com,
                    clement.escoffier(a)redhat.com, dandread(a)redhat.com,
                    darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
                    dbhole(a)redhat.com, devrim(a)gunduz.org,
                    dkreling(a)redhat.com, dosoudil(a)redhat.com,
                    drieden(a)redhat.com, ehelms(a)redhat.com,
                    eleandro(a)redhat.com, eparis(a)redhat.com,
                    etirelli(a)redhat.com, ewolinet(a)redhat.com,
                    fjuma(a)redhat.com, ggaughan(a)redhat.com,
                    gmalinko(a)redhat.com, gsmet(a)redhat.com,
                    hamadhan(a)redhat.com, hbraun(a)redhat.com,
                    hhorak(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com,
                    janstey(a)redhat.com,
                    java-sig-commits(a)lists.fedoraproject.org,
                    jburrell(a)redhat.com, jcantril(a)redhat.com,
                    jjoyce(a)redhat.com, jnethert(a)redhat.com,
                    jochrist(a)redhat.com, jokerman(a)redhat.com,
                    jorton(a)redhat.com, jpallich(a)redhat.com,
                    jperkins(a)redhat.com, jrokos(a)redhat.com,
                    jross(a)redhat.com, jschluet(a)redhat.com,
                    jsherril(a)redhat.com, jstastny(a)redhat.com,
                    jwon(a)redhat.com, kaycoth(a)redhat.com,
                    krathod(a)redhat.com, kverlaen(a)redhat.com,
                    kwills(a)redhat.com, lgao(a)redhat.com, lhh(a)redhat.com,
                    lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com,
                    mburns(a)redhat.com, mhulan(a)redhat.com,
                    mizdebsk(a)redhat.com, mkolesni(a)redhat.com,
                    mmccune(a)redhat.com, mnovotny(a)redhat.com,
                    msochure(a)redhat.com, msvehla(a)redhat.com,
                    mszynkie(a)redhat.com, myarboro(a)redhat.com,
                    nmoumoul(a)redhat.com, nstielau(a)redhat.com,
                    nwallace(a)redhat.com, orabin(a)redhat.com,
                    pantinor(a)redhat.com, paul.wouters(a)aiven.io,
                    pcreech(a)redhat.com, pdelbell(a)redhat.com,
                    pdrozd(a)redhat.com, peholase(a)redhat.com,
                    pgallagh(a)redhat.com, pjindal(a)redhat.com,
                    pmackay(a)redhat.com, probinso(a)redhat.com,
                    rchan(a)redhat.com, rguimara(a)redhat.com,
                    rrajasek(a)redhat.com, rruss(a)redhat.com,
                    rstancel(a)redhat.com, rsvoboda(a)redhat.com,
                    sbiarozk(a)redhat.com, sclewis(a)redhat.com,
                    scohen(a)redhat.com, sd-operator-metering(a)redhat.com,
                    sdouglas(a)redhat.com, slinaber(a)redhat.com,
                    smaestri(a)redhat.com, sponnaga(a)redhat.com,
                    sthorger(a)redhat.com, swoodman(a)redhat.com,
                    tbrisker(a)redhat.com, tflannag(a)redhat.com,
                    tom.jenkinson(a)redhat.com, tzimanyi(a)redhat.com,
                    vkumar(a)redhat.com, yborgess(a)redhat.com
  Target Milestone: ---
    Classification: Other

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was
incomplete in certain non-default configurations. This could allows attackers
with control over Thread Context Map (MDC) input data when the logging
configuration uses a non-default Pattern Layout with either a Context Lookup
(for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or
%MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a
denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to
localhost by default. Note that previous mitigations involving configuration
such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT
mitigate this specific vulnerability.

Log4j 2.16.0 fixes this issue by removing support for message lookup patterns
and disabling JNDI functionality by default.  

This issue can be mitigated in prior releases (<2.16.0) by removing the
JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class).

Reference:
https://www.openwall.com/lists/oss-security/2021/12/14/4

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2032580

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

[Bug 2032580] New: CVE-2021-45046 log4j-core: thread context message pattern and context lookup pattern vulnerable to DoS