openSUSE-SU-2022:0002-1

Опубликовано: 02 янв. 2022

Источник: suse-cvrf

Описание

Security update for log4j

This update for log4j fixes the following issues:

CVE-2021-44832: Fixes a remote code execution via JDBC Appender (bsc#1194127)

This update was imported from the SUSE:SLE-15-SP2:Update update project.

Список пакетов

openSUSE Leap 15.2

log4j-2.17.0-lp152.3.15.1

log4j-javadoc-2.17.0-lp152.3.15.1

log4j-jcl-2.17.0-lp152.3.15.1

log4j-slf4j-2.17.0-lp152.3.15.1

Ссылки

https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YBITTL424FAEN3BI2PM3NGBMPREUS3P4/
E-Mail link for openSUSE-SU-2022:0002-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1194127
SUSE Bug 1194127
https://www.suse.com/security/cve/CVE-2021-44832/
SUSE CVE CVE-2021-44832 page

Описание

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Затронутые продукты

openSUSE Leap 15.2:log4j-2.17.0-lp152.3.15.1

openSUSE Leap 15.2:log4j-javadoc-2.17.0-lp152.3.15.1

openSUSE Leap 15.2:log4j-jcl-2.17.0-lp152.3.15.1

openSUSE Leap 15.2:log4j-slf4j-2.17.0-lp152.3.15.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-44832.html
CVE-2021-44832
https://bugzilla.suse.com/1194127
SUSE Bug 1194127

openSUSE-SU-2022:0002-1

Описание

Список пакетов

openSUSE Leap 15.2

Ссылки

Уязвимость: CVE-2021-44832

Описание

Затронутые продукты

Ссылки