{
  "threat_severity" : "Moderate",
  "public_date" : "2021-12-18T00:00:00Z",
  "bugzilla" : {
    "description" : "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern",
    "id" : "2034067",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2034067"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-835",
  "details" : [ "Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.", "A flaw was found in the Apache Log4j logging library 2.x when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft input data that contains a recursive lookup and cause a denial of service." ],
  "statement" : "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity (AC) as High because there are multiple factors involved which are beyond the attacker's control:\n- The application has to use a logging configuration with a Context Map Lookup (for example, $${ctx:loginId}), which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup for more about the Context Map Lookup feature of Log4j.\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4",
  "affected_release" : [ {
    "product_name" : "OpenShift Logging 5.0",
    "release_date" : "2022-01-10T00:00:00Z",
    "advisory" : "RHSA-2022:0047",
    "cpe" : "cpe:/a:redhat:logging:5.0::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v5.0.11-2",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Logging 5.1",
    "release_date" : "2022-01-10T00:00:00Z",
    "advisory" : "RHSA-2022:0042",
    "cpe" : "cpe:/a:redhat:logging:5.1::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v6.8.1-82",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Logging 5.2",
    "release_date" : "2022-01-10T00:00:00Z",
    "advisory" : "RHSA-2022:0043",
    "cpe" : "cpe:/a:redhat:logging:5.2::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v6.8.1-83",
    "impact" : "low"
  }, {
    "product_name" : "OpenShift Logging 5.3",
    "release_date" : "2022-01-10T00:00:00Z",
    "advisory" : "RHSA-2022:0044",
    "cpe" : "cpe:/a:redhat:logging:5.3::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v6.8.1-84",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat AMQ Streams 1.6.6",
    "release_date" : "2022-01-20T00:00:00Z",
    "advisory" : "RHSA-2022:0219",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  }, {
    "product_name" : "Red Hat Data Grid 8.2.3",
    "release_date" : "2022-01-20T00:00:00Z",
    "advisory" : "RHSA-2022:0205",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8.2",
    "package" : "log4j-core"
  }, {
    "product_name" : "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1",
    "release_date" : "2022-01-20T00:00:00Z",
    "advisory" : "RHSA-2022:0203",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "log4j-core"
  }, {
    "product_name" : "Red Hat Integration Camel Extensions for Quarkus 2.2",
    "release_date" : "2022-01-20T00:00:00Z",
    "advisory" : "RHSA-2022:0222",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2.2"
  }, {
    "product_name" : "Red Hat Integration Camel-K 1.6.3",
    "release_date" : "2022-01-20T00:00:00Z",
    "advisory" : "RHSA-2022:0223",
    "cpe" : "cpe:/a:redhat:integration:1",
    "package" : "log4j-core"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "release_date" : "2022-01-20T00:00:00Z",
    "advisory" : "RHSA-2022:0216",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4",
    "package" : "log4j-core",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "release_date" : "2022-04-11T00:00:00Z",
    "advisory" : "RHSA-2022:1299",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4",
    "package" : "log4j-core",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
    "release_date" : "2022-04-11T00:00:00Z",
    "advisory" : "RHSA-2022:1297",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
    "package" : "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
    "release_date" : "2022-04-11T00:00:00Z",
    "advisory" : "RHSA-2022:1296",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
    "package" : "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2022-01-12T00:00:00Z",
    "advisory" : "RHSA-2022:0026",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "openshift4/ose-logging-elasticsearch6:v4.6.0-202112201736.p0.gce7f68c.assembly.stream",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "release_date" : "2022-04-20T00:00:00Z",
    "advisory" : "RHSA-2022:1469",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7",
    "package" : "log4j-api",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.5 for RHEL 7",
    "release_date" : "2022-04-20T00:00:00Z",
    "advisory" : "RHSA-2022:1462",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.5::el7",
    "package" : "rh-sso7-keycloak-0:15.0.6-1.redhat_00001.1.el7sso",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.5 for RHEL 8",
    "release_date" : "2022-04-20T00:00:00Z",
    "advisory" : "RHSA-2022:1463",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.5::el8",
    "package" : "rh-sso7-keycloak-0:15.0.6-1.redhat_00001.1.el8sso",
    "impact" : "low"
  }, {
    "product_name" : "Vert.x 4.1.8",
    "release_date" : "2022-01-20T00:00:00Z",
    "advisory" : "RHSA-2022:0083",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "log4j-core"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:quarkus:2"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Affected",
    "package_name" : "log4j-api",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "parfait:0.5/log4j12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "fix_state" : "Affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Affected",
    "package_name" : "openshift3/ose-logging-elasticsearch5",
    "cpe" : "cpe:/a:redhat:openshift:3.11",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-metering-hadoop",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-metering-hive",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-metering-presto",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "log4j-over-slf4j",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-java-common-log4j",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-maven35-log4j12",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-maven36-log4j12",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-45105\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-45105\nhttps://issues.apache.org/jira/browse/LOG4J2-3230\nhttps://logging.apache.org/log4j/2.x/security.html\nhttps://www.openwall.com/lists/oss-security/2021/12/19/1" ],
  "name" : "CVE-2021-45105",
  "mitigation" : {
    "value" : "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.",
    "lang" : "en:us"
  },
  "csaw" : false
}
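The two checks a responder actually needs from this record, turned into working code as an added example (not Red Hat's, Apache's, or the page's own code): the affected-version test from the "details" field (2.0-alpha1 through 2.16.0, excluding the backported fixes 2.12.3 and 2.3.1; only log4j-core counts, log4j-api alone is not affected) and the configuration audit and rewrite from the "statement" and "mitigation" fields (find `${ctx:key}` / `$${ctx:key}` Context Lookups in a PatternLayout and replace them with the `%X{key}` Thread Context Map pattern). Assumptions: version strings look like `2.16.0`, `2.0-alpha1` or an RPM-style `2.17.1-1.redhat_00001.1.el8eap`; the configuration is handled as plain text with a regular expression rather than a real log4j2 parser; the sample `log4j2.xml` below is constructed for the example.

```python
"""Audit helpers for CVE-2021-45105 (Log4j 2 context-lookup recursion DoS).

Added example written against the Red Hat advisory record; not vendor code.
Assumptions: version strings are "2.16.0", "2.0-alpha1" or an RPM-style
"2.17.1-1.redhat_00001.1.el8eap"; the logging config is treated as text.
"""
import re

# Affected per the advisory: 2.0-alpha1 through 2.16.0, except the
# backported fixes 2.12.3 and 2.3.1; the first fully fixed line is 2.17.0.
FIRST_FIXED = (2, 17, 0)
FIXED_BACKPORTS = {(2, 12, 3), (2, 3, 1)}

# major.minor[.patch] followed by an optional pre-release or RPM suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")

# ${ctx:KEY} or $${ctx:KEY}, with an optional ':-default' part.
_CTX_LOOKUP_RE = re.compile(r"\$\$?\{ctx:([^}:]+)(?::-([^}]*))?\}")


def parse_version(version):
    """Return (major, minor, patch) for a log4j version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def log4j_core_affected(version):
    """True if this log4j-core version falls in the advisory's affected range.

    Only log4j-core matters: an application shipping just log4j-api is not
    affected, and Log4j 1.x is not impacted at all. A pre-release suffix
    (2.0-alpha1) is treated like its numeric version, which is right here:
    every 2.x build below 2.17.0 is affected unless it is a backported fix.
    """
    v = parse_version(version)
    if v[0] != 2:
        return False
    if v in FIXED_BACKPORTS:
        return False
    return v < FIRST_FIXED


def find_context_lookups(config_text):
    """List (key, default_or_None) for each Context Lookup in a config."""
    return [(m.group(1), m.group(2)) for m in _CTX_LOOKUP_RE.finditer(config_text)]


def rewrite_to_mdc_pattern(config_text):
    """Replace ${ctx:key} / $${ctx:key} with %X{key}, the advisory's mitigation.

    %X{key} emits the stored MDC value verbatim instead of passing it through
    the lookup interpolator, so a self-referential value can no longer recurse.
    The %X pattern has no ':-default' fallback, so any defaults are dropped
    and their keys returned to the caller for review (assumption: caller
    decides how to handle them).
    """
    dropped = [key for key, default in find_context_lookups(config_text)
               if default is not None]
    return _CTX_LOOKUP_RE.sub(r"%X{\1}", config_text), dropped


def audit(version, config_text):
    """Combine both checks as the advisory's statement does: exposure needs an
    affected log4j-core AND a Context Lookup in the PatternLayout."""
    affected = log4j_core_affected(version)
    keys = [key for key, _ in find_context_lookups(config_text)]
    return {"core_affected": affected, "context_lookup_keys": keys,
            "exposed": affected and bool(keys)}


# Constructed sample: the non-default PatternLayout shape the statement
# describes, with a Context Lookup on the key the application stores.
SAMPLE_VULNERABLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=$${ctx:loginId} %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for ver in ("2.16.0", "2.12.3", "2.17.1-1.redhat_00001.1.el8eap"):
        print(ver, audit(ver, SAMPLE_VULNERABLE_CONFIG))
    hardened, dropped = rewrite_to_mdc_pattern(SAMPLE_VULNERABLE_CONFIG)
    print(audit("2.16.0", hardened), "dropped defaults:", dropped)
    print(hardened)
```

The rewrite is the first mitigation bullet from the record; the second bullet (removing lookups fed from external sources such as HTTP headers) is a judgement call per pattern, which is why `find_context_lookups` reports the keys rather than deleting anything. Note that `audit` on the hardened config still reports `core_affected` as true: the configuration change removes the exploitable path, but upgrading log4j-core to 2.17.0, 2.12.3 or 2.3.1 remains the fix.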