{
  "threat_severity" : "Moderate",
  "public_date" : "2021-12-14T00:00:00Z",
  "bugzilla" : {
    "description" : "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)",
    "id" : "2032580",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2032580"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-917",
  "details" : [ "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.", "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments." ],
  "statement" : "We have matched Apache's CVSS score, with the exception of the scope metric, which will remain unaltered at \"unchanged\", as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\nWe have given this vulnerability an impact rating of Moderate because of the unlikely nature of log4j lookup mapping values being derived from attacker-controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability.\nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\nThis issue affects log4j versions between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability.\nPrerequisites to exploit this flaw are:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc.) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker-controlled data,\n- A Log4j configuration file explicitly configured to use a non-default Pattern Layout with a Context Lookup (e.g. $${ctx:loginId}).\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.formatMsgNoLookups` to `true`) does NOT mitigate this specific vulnerability.\nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\nFor CodeReady Studio, the fix for this flaw is available in CodeReady Studio 12.21.3 and later versions.",
  "affected_release" : [ {
    "product_name" : "OpenShift Logging 5.0",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5137",
    "cpe" : "cpe:/a:redhat:logging:5.0::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v5.0.10-1"
  }, {
    "product_name" : "OpenShift Logging 5.1",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5128",
    "cpe" : "cpe:/a:redhat:logging:5.1::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v6.8.1-67"
  }, {
    "product_name" : "OpenShift Logging 5.2",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5127",
    "cpe" : "cpe:/a:redhat:logging:5.2::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v6.8.1-66"
  }, {
    "product_name" : "OpenShift Logging 5.3",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5129",
    "cpe" : "cpe:/a:redhat:logging:5.3::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v6.8.1-65"
  }, {
    "product_name" : "Red Hat AMQ Streams 2.0.0",
    "release_date" : "2022-01-13T00:00:00Z",
    "advisory" : "RHSA-2022:0138",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "Red Hat Data Grid 8.2.3",
    "release_date" : "2022-01-20T00:00:00Z",
    "advisory" : "RHSA-2022:0205",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8.2",
    "package" : "log4j-core"
  }, {
    "product_name" : "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1",
    "release_date" : "2022-01-20T00:00:00Z",
    "advisory" : "RHSA-2022:0203",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "log4j-core"
  }, {
    "product_name" : "Red Hat Integration Camel Extensions for Quarkus 2.2",
    "release_date" : "2022-01-20T00:00:00Z",
    "advisory" : "RHSA-2022:0222",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2.2"
  }, {
    "product_name" : "Red Hat Integration Camel-K 1.6.3",
    "release_date" : "2022-01-20T00:00:00Z",
    "advisory" : "RHSA-2022:0223",
    "cpe" : "cpe:/a:redhat:integration:1",
    "package" : "log4j-core"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "release_date" : "2022-01-20T00:00:00Z",
    "advisory" : "RHSA-2022:0216",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4",
    "package" : "log4j-core",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "release_date" : "2022-04-11T00:00:00Z",
    "advisory" : "RHSA-2022:1299",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4",
    "package" : "log4j-core",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1746",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1746",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1746",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1746",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1746",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1746",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1746",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1746",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1747",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1747",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1747",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1747",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1747",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1747",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1747",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1747",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1747",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1747",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1747",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1747",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
    "release_date" : "2022-04-11T00:00:00Z",
    "advisory" : "RHSA-2022:1297",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
    "package" : "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
    "release_date" : "2022-04-11T00:00:00Z",
    "advisory" : "RHSA-2022:1296",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
    "package" : "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5094",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "openshift3/ose-logging-elasticsearch5:v3.11.570-2.gd119820"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2021-12-16T00:00:00Z",
    "advisory" : "RHSA-2021:5106",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "openshift4/ose-logging-elasticsearch6:v4.6.0-202112132021.p0.g2a13a81.assembly.stream"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2021-12-16T00:00:00Z",
    "advisory" : "RHSA-2021:5106",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "openshift4/ose-metering-hive:v4.6.0-202112140546.p0.g8b9da97.assembly.stream"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2021-12-16T00:00:00Z",
    "advisory" : "RHSA-2021:5141",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "openshift4/ose-metering-presto:v4.6.0-202112150545.p0.g190688a.assembly.art3595"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.7",
    "release_date" : "2021-12-16T00:00:00Z",
    "advisory" : "RHSA-2021:5107",
    "cpe" : "cpe:/a:redhat:openshift:4.7::el8",
    "package" : "openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.7",
    "release_date" : "2021-12-16T00:00:00Z",
    "advisory" : "RHSA-2021:5107",
    "cpe" : "cpe:/a:redhat:openshift:4.7::el8",
    "package" : "openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.8",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5108",
    "cpe" : "cpe:/a:redhat:openshift:4.8::el8",
    "package" : "openshift4/ose-metering-hive:v4.8.0-202112132154.p0.g57dd03a.assembly.stream"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.8",
    "release_date" : "2021-12-15T00:00:00Z",
    "advisory" : "RHSA-2021:5148",
    "cpe" : "cpe:/a:redhat:openshift:4.8::el8",
    "package" : "openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599"
  }, {
    "product_name" : "Vert.x 4.1.8",
    "release_date" : "2022-01-20T00:00:00Z",
    "advisory" : "RHSA-2022:0083",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "log4j-core"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:quarkus:2"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "parfait:0.5/log4j12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "fix_state" : "Affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Out of support scope",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Not affected",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "log4j-over-slf4j",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-java-common-log4j",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-maven35-log4j12",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-maven36-log4j12",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-45046\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-45046\nhttps://access.redhat.com/security/cve/CVE-2021-44228\nhttps://logging.apache.org/log4j/2.x/security.html\nhttps://www.openwall.com/lists/oss-security/2021/12/14/4\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog" ],
  "name" : "CVE-2021-45046",
  "mitigation" : {
    "value" : "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).",
    "lang" : "en:us"
  },
  "csaw" : false
}