Apache Log4j — библиотека журналирования (логирования) Java-программ
Релизный цикл, информация об уязвимостях
График релизов
Количество 106
SUSE-SU-2021:14866-1
Security update for log4j
openSUSE-SU-2021:4109-1
Security update for logback
BDU:2022-02946
Уязвимость программы для журналирования Java-программ Log4j, связанная с небезопасным управлением привилегиями, позволяющая нарушителю выполнить произвольный код
openSUSE-SU-2021:1586-1
Security update for log4j
GHSA-fp5r-v3w9-4333
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data
CVE-2021-45046
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
CVE-2021-45046
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2. ...
CVE-2021-45046
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
GHSA-7rjr-3q55-vv33
Incomplete fix for Apache Log4j vulnerability
CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | SUSE-SU-2021:14866-1 Security update for log4j | 73% Высокий | больше 3 лет назад | |
| openSUSE-SU-2021:4109-1 Security update for logback | 94% Критический | больше 3 лет назад | |
 | BDU:2022-02946 Уязвимость программы для журналирования Java-программ Log4j, связанная с небезопасным управлением привилегиями, позволяющая нарушителю выполнить произвольный код | CVSS3: 8.8 | 0% Низкий | больше 3 лет назад |
| openSUSE-SU-2021:1586-1 Security update for log4j | 94% Критический | больше 3 лет назад | |
| GHSA-fp5r-v3w9-4333 JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data | CVSS3: 7.5 | 73% Высокий | больше 3 лет назад |
 | CVE-2021-45046 It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default. | CVSS3: 9 | 94% Критический | больше 3 лет назад |
| CVE-2021-45046 It was found that the fix to address CVE-2021-44228 in Apache Log4j 2. ... | CVSS3: 9 | 94% Критический | больше 3 лет назад |
 | CVE-2021-45046 It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default. | CVSS3: 9 | 94% Критический | больше 3 лет назад |
| GHSA-7rjr-3q55-vv33 Incomplete fix for Apache Log4j vulnerability | CVSS3: 9 | 94% Критический | больше 3 лет назад |
| CVE-2021-4104 JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. | CVSS3: 7.5 | 73% Высокий | больше 3 лет назад |
Уязвимостей на страницу