{
  "threat_severity" : "Critical",
  "public_date" : "2021-12-16T00:00:00Z",
  "bugzilla" : {
    "description" : "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046",
    "id" : "2033121",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2033121"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "details" : [ "It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed. This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6.", "It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed." ],
  "statement" : "This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6. The following previously shipped advisories were incomplete:\nhttps://access.redhat.com/errata/RHSA-2021:5108\nhttps://access.redhat.com/errata/RHSA-2021:5107\nhttps://access.redhat.com/errata/RHSA-2021:5106\nFor the complete fix, customers should upgrade to the images shipped in these advisories:\n4.8.24: https://access.redhat.com/errata/RHSA-2021:5183\n4.7.40: https://access.redhat.com/errata/RHSA-2021:5184\n4.6.52: https://access.redhat.com/errata/RHSA-2021:5186\nThe OpenShift Metering hive container images were deprecated in OpenShift 4.8, and are not shipped in 4.9 or later.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2021-12-16T00:00:00Z",
    "advisory" : "RHSA-2021:5186",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "openshift4/ose-metering-hive:v4.6.0-202112160147.p0.gf139e12.assembly.stream"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.7",
    "release_date" : "2021-12-16T00:00:00Z",
    "advisory" : "RHSA-2021:5184",
    "cpe" : "cpe:/a:redhat:openshift:4.7::el8",
    "package" : "openshift4/ose-metering-hive:v4.7.0-202112160422.p0.g6a2b6aa.assembly.4.7.40"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.8",
    "release_date" : "2021-12-16T00:00:00Z",
    "advisory" : "RHSA-2021:5183",
    "cpe" : "cpe:/a:redhat:openshift:4.8::el8",
    "package" : "openshift4/ose-metering-hive:v4.8.0-202112160147.p0.g5672016.assembly.stream"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-4125\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-4125\nhttps://access.redhat.com/security/cve/CVE-2021-44228\nhttps://access.redhat.com/security/cve/CVE-2021-45046" ],
  "name" : "CVE-2021-4125",
  "mitigation" : {
    "value" : "Please follow the mitigation advice for the original CVEs, CVE-2021-44228 and CVE-2021-45046.",
    "lang" : "en:us"
  },
  "csaw" : false
}