Description
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
A flaw was found in the Apache Log4j logging library in versions 2.0.0 and later, before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern, resulting in remote code execution (RCE) in a limited number of environments.
Statement
We have matched Apache's CVSS score except for the Scope metric, which we leave at "Unchanged": code execution would run with the permissions of the JVM process and would not exceed the impact of the original CVE-2021-44228 flaw. We rate the impact of this vulnerability as Moderate because it is unlikely that Log4j lookup values are derived from attacker-controlled data. This is not the default configuration for applications using Log4j 2.x; a privileged user (a developer or administrator) would have to configure it explicitly to expose the vulnerability. In certain non-default configurations, the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was found to be insufficient. This issue affects Log4j versions 2.0 through 2.15.0. Log4j 1.x is NOT affected by this vulnerability. Prerequisites to exploit this flaw are:
- A remotely accessible endpoint using any protocol (HTTP, TCP, etc.) that allows an attacker to send arbitrary data;
- A log statement in the endpoint that logs the attacker-controlled data;
- A Log4j configuration explicitly set to use a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC).
In most cases, the mitigation suggested for CVE-2021-44228 (setting the system property `log4j2.formatMsgNoLookups` to `true`) does NOT mitigate this specific vulnerability: that property only disables lookups inside the formatted log message, not lookups that the Pattern Layout itself performs on MDC values. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
For Elasticsearch, as shipped in OpenShift 3.11, the `log4j2.formatMsgNoLookups=true` system property mitigation is sufficient, as no non-standard configurations that allow exploitation are included: https://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2 https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
For CodeReady Studio, the fix for this flaw is available in CodeReady Studio 12.21.3 and later versions.
Mitigation
For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
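The following Python script is an added example, not code from Red Hat, Apache or the original page. It automates the two checks that the prerequisites in the statement above and the mitigation imply: whether a log4j2 configuration's Pattern Layout pulls Thread Context Map (MDC) data into the log line (the $${ctx:...} lookup and the %X / %mdc / %MDC converters), and whether a log4j-core jar still contains JndiLookup.class, which it then strips in the same way as the `zip -q -d` command above so the result can be verified before deployment. The configuration text and the in-memory jar are constructed for the example; the jar's class entries hold placeholder bytes rather than real bytecode, and the function names and verdict strings are the example's own.

```python
"""Triage helpers for CVE-2021-45046 (added example; not Red Hat's or Apache's code).

Check 1: does the log4j2 Pattern Layout embed MDC data (the non-default
         prerequisite from the statement)?
Check 2: does the log4j-core jar still contain JndiLookup.class, and strip it
         the way the advisory's `zip -q -d` mitigation does.
The sample config text and the in-memory jar are constructed for this example.
"""
import io
import re
import zipfile

# $${ctx:key} / ${ctx:key} lookups and the %X / %mdc / %MDC converters render
# attacker-controllable MDC values into the layout, where lookups are evaluated.
CTX_LOOKUP_RE = re.compile(r"\$\$?\{ctx:")
MDC_CONVERTER_RE = re.compile(r"%(?:X|mdc|MDC)(?![A-Za-z])")

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_mdc_patterns(config_text):
    """Return (line_no, line) for every config line whose layout embeds MDC data."""
    hits = []
    for no, line in enumerate(config_text.splitlines(), 1):
        if CTX_LOOKUP_RE.search(line) or MDC_CONVERTER_RE.search(line):
            hits.append((no, line.strip()))
    return hits


def jar_entries(jar_bytes):
    """Sorted entry names of a jar held in memory."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(zf.namelist())


def jar_has_jndi_lookup(jar_bytes):
    return JNDI_LOOKUP_CLASS in jar_entries(jar_bytes)


def strip_jndi_lookup(jar_bytes):
    """Return a copy of the jar without JndiLookup.class.

    In-process equivalent of
    `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`;
    every other entry is copied through unchanged.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar(include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core 2.x jar (placeholder entry contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed configs: a default-style layout, and the non-default MDC-bearing
# layout the statement describes (Context Lookup plus %X converter).
DEFAULT_CONFIG = """\
appender.console.type = Console
appender.console.name = STDOUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n
"""

MDC_CONFIG = """\
appender.console.type = Console
appender.console.name = STDOUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d [%t] %-5level user=$${ctx:loginId} %X{requestId} - %msg%n
"""


def assess(config_text, jar_bytes):
    """Combine both checks into one verdict for a given config and jar."""
    mdc = find_mdc_patterns(config_text)
    jndi = jar_has_jndi_lookup(jar_bytes)
    if mdc and jndi:
        return "exposed: MDC-bearing layout and JndiLookup present"
    if mdc:
        return "layout pulls MDC data, but JndiLookup already removed"
    if jndi:
        return "JndiLookup present; default layout, CVE-2021-45046 prerequisite not met"
    return "not exposed"


if __name__ == "__main__":
    jar = build_sample_jar()
    for name, cfg in (("default", DEFAULT_CONFIG), ("mdc", MDC_CONFIG)):
        print(name, "->", assess(cfg, jar))
    print("mdc after strip ->", assess(MDC_CONFIG, strip_jndi_lookup(jar)))
```

Run the script as-is to see the three verdicts; point `find_mdc_patterns` at a real log4j2.properties or log4j2.xml and `strip_jndi_lookup` at a real log4j-core jar when triaging a deployment. The regex check is deliberately conservative: a `%X` with no key still dumps the whole MDC, so it is flagged too.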
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
A-MQ Clients 2 | log4j-core | Not affected | ||
Red Hat AMQ Broker 7 | log4j | Not affected | ||
Red Hat build of Quarkus | log4j-core | Not affected | ||
Red Hat CodeReady Studio 12 | log4j-core | Affected | ||
Red Hat Decision Manager 7 | log4j-core | Not affected | ||
Red Hat Enterprise Linux 6 | log4j | Not affected | ||
Red Hat Enterprise Linux 7 | log4j | Not affected | ||
Red Hat Enterprise Linux 8 | parfait:0.5/log4j12 | Not affected | ||
Red Hat JBoss Enterprise Application Platform 6 | log4j | Not affected | ||
Red Hat JBoss Enterprise Application Platform Expansion Pack | log4j-core | Not affected | ||
Additional information
CVSS3: 8.1 High
Related vulnerabilities
Vulnerability in the JNDI component of the Apache Log4j2 Java logging library that allows an attacker to execute arbitrary code