Maven patch CVE-2021-Incremental Maven Repository for EAP 7.4
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 7.4
Issue
What is the patch CVE-2021-Incremental Maven Repository for EAP 7.4?
Resolution
Currently no version of JBoss EAP 6.x/7.x is vulnerable to CVE-2021-44228, because EAP uses the JBoss Logging framework instead of Log4j. Please refer to the security bulletin RHSB-2021-009 for further information on this vulnerability and the impacted Red Hat products.
See the solution Is JBoss EAP 6.x/7.x impacted by CVE-2021-44228 or CVE-2021-4104? for more information.
However, Red Hat's Maven repository does contain an affected version of log4j-core 2.x. This has been patched as log4j-core-2.14.0.redhat-00005.jar in the Red Hat Maven Repository, and the same fix is available on the Customer Support Portal as the CVE-2021-44228 Incremental Maven Repository.
What is Maven patch CVE-2021-Incremental Maven Repository?
It is a patched log4j-core jar delivered into the Maven repository as a Cumulative Security Patch (CSP). The patch simply overlays the new artifact versions onto the existing repository; nothing else is replaced.
What does Maven patch CVE-2021-Incremental Maven Repository contain?
It contains a jar, log4j-core-2.14.0.redhat-00005.jar, and a pom, log4j-core-2.14.0.redhat-00005.pom. See below:
$ unzip jboss-eap-7.4.2-maven-repository-CVE-2021-44228.zip
$ cd jboss-eap-7.4.2.GA-maven-repository/maven-repository
$ ls
org
$ tree
.
└── org
    └── apache
        └── logging
            └── log4j
                ├── log4j
                │   └── 2.14.0.redhat-00005
                │       ├── log4j-2.14.0.redhat-00005.pom <----------------------------- pom
                │       ├── log4j-2.14.0.redhat-00005.pom.md5
                │       └── log4j-2.14.0.redhat-00005.pom.sha1
                └── log4j-core
                    └── 2.14.0.redhat-00005
                        ├── log4j-core-2.14.0.redhat-00005.jar <---------------------------- jar
                        ├── log4j-core-2.14.0.redhat-00005.jar.md5
                        ├── log4j-core-2.14.0.redhat-00005.jar.sha1
                        ├── log4j-core-2.14.0.redhat-00005.pom <-------------------------- pom
                        ├── log4j-core-2.14.0.redhat-00005.pom.md5
                        ├── log4j-core-2.14.0.redhat-00005.pom.sha1
                        ├── log4j-core-2.14.0.redhat-00005-sources.jar
                        ├── log4j-core-2.14.0.redhat-00005-sources.jar.md5
                        ├── log4j-core-2.14.0.redhat-00005-sources.jar.sha1
                        ├── log4j-core-2.14.0.redhat-00005-test-sources.jar
                        ├── log4j-core-2.14.0.redhat-00005-test-sources.jar.md5
                        └── log4j-core-2.14.0.redhat-00005-test-sources.jar.sha1
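As an added example (not code from the Red Hat article), the following POSIX shell helpers check every artifact in the unzipped repository against the .md5/.sha1 sidecar files listed in the tree above, and only then overlay the tree onto a local Maven repository, which is the "overlay" step the patch description refers to. The function names, the placeholder jar content and the sample fixture layout are assumptions made for this example.

```shell
# Added example, not code from the Red Hat article: check the .md5/.sha1
# sidecar files shipped next to every artifact in the unzipped incremental
# Maven repository before overlaying it onto a local repository.
# Assumes md5sum and sha1sum (coreutils) are on PATH.
# Note: the sidecars prove only that the copy is intact, they are not a
# signature, so obtain the zip itself from the Customer Support Portal.

# check_artifact FILE: print one "OK|BAD|MISSING <algo> <file>" line per checksum.
check_artifact() {
    artifact=$1
    for algo in md5 sha1; do
        sidecar="$artifact.$algo"
        if [ ! -f "$sidecar" ]; then
            echo "MISSING $algo $artifact"
            continue
        fi
        # Maven checksum files hold the hex digest, optionally followed by a file name.
        expected=$(awk '{print $1}' "$sidecar" | tr 'A-F' 'a-f')
        actual=$("${algo}sum" "$artifact" | awk '{print $1}')
        if [ "$expected" = "$actual" ]; then echo "OK $algo $artifact"
        else echo "BAD $algo $artifact"; fi
    done
}

# verify_maven_repo DIR: report on every .jar/.pom below DIR; succeed only if
# all checksums match (an empty tree counts as failure, nothing was verified).
verify_maven_repo() {
    report=$(find "$1" -type f \( -name '*.jar' -o -name '*.pom' \) |
        while IFS= read -r artifact; do check_artifact "$artifact"; done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -qv '^OK '
}

# overlay_maven_repo DIR LOCAL: copy the verified tree over LOCAL (for example
# ~/.m2/repository), adding the patched coordinates and touching nothing else.
overlay_maven_repo() {
    verify_maven_repo "$1" >/dev/null || return 1
    mkdir -p "$2" && cp -R "$1"/. "$2"/
}

# make_sample_repo DIR: constructed fixture with the layout shown above; the
# jar is a placeholder, not the real log4j-core-2.14.0.redhat-00005.jar.
make_sample_repo() {
    d="$1/org/apache/logging/log4j/log4j-core/2.14.0.redhat-00005"
    jar="$d/log4j-core-2.14.0.redhat-00005.jar"
    mkdir -p "$d"
    printf 'placeholder jar content' > "$jar"
    md5sum "$jar" | awk '{print $1}' > "$jar.md5"
    sha1sum "$jar" | awk '{print $1}' > "$jar.sha1"
}
```

Run `verify_maven_repo jboss-eap-7.4.2.GA-maven-repository/maven-repository` on the real unzipped patch; any BAD or MISSING line means the copy should not be overlaid.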
FAQ
Q1. Do I need to patch EAP 7.4 to solve CVE-2021-44228?
A1. No. EAP 7.4 (and EAP 7.x in general) is not affected by it, but the EAP 7.4 Maven repository does contain the affected log4j-core artifact.
Q2. Is there a patch for CVE-2021-44228 since EAP 7 is not affected?
A2. EAP 7 does not use log4j-core at runtime and does not package log4j-core. There is a patch for the EAP 7.4 Maven repository, the CVE-2021-44228 Incremental Maven Repository, which provides a fixed version of log4j-core for the EAP 7.4 Maven repository. The fixed artifact, log4j-core-2.14.0.redhat-00005.jar, is also available in the Red Hat Maven Repository.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.