An update for log4j is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2

Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1481
Final 1.0 1.0 2021-12-31 Initial 2021-12-31 2021-12-31
openEuler SA Tool V1.0 2021-12-31

log4j security update

Log4j is a tool to help the programmer output log statements to a variety of output targets.

Security Fix(es):

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. (CVE-2021-44832)

An update for log4j is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2. openEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Medium log4j,mybatis,netty,springframework,wildfly-security-manager,wildfly-elytron,wildfly-build-tools,wildfly-common,wildfly-core,thrift,json-lib,datanucleus-core,jgroups,mx4j,jboss-logging,infinispan,datanucleus-rdbms,avalon-logkit,datanucleus-api-jdo,avalon-framework,HikariCP,metrics https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1481 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44832 https://nvd.nist.gov/vuln/detail/CVE-2021-44832 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 log4j-help-2.17.0-3.oe1.noarch.rpm log4j-taglib-2.17.0-3.oe1.noarch.rpm log4j-slf4j-2.17.0-3.oe1.noarch.rpm log4j-web-2.17.0-3.oe1.noarch.rpm log4j-jmx-gui-2.17.0-3.oe1.noarch.rpm log4j-jcl-2.17.0-3.oe1.noarch.rpm log4j-2.17.0-3.oe1.noarch.rpm log4j-bom-2.17.0-3.oe1.noarch.rpm mybatis-3.2.8-4.oe1.noarch.rpm mybatis-javadoc-3.2.8-4.oe1.noarch.rpm netty-4.1.13-16.oe1.noarch.rpm netty-help-4.1.13-16.oe1.noarch.rpm springframework-3.2.18-11.oe1.noarch.rpm springframework-aop-3.2.18-11.oe1.noarch.rpm springframework-beans-3.2.18-11.oe1.noarch.rpm springframework-context-3.2.18-11.oe1.noarch.rpm springframework-expression-3.2.18-11.oe1.noarch.rpm springframework-help-3.2.18-11.oe1.noarch.rpm springframework-instrument-3.2.18-11.oe1.noarch.rpm springframework-jdbc-3.2.18-11.oe1.noarch.rpm springframework-jms-3.2.18-11.oe1.noarch.rpm springframework-orm-3.2.18-11.oe1.noarch.rpm springframework-orm-hibernate4-3.2.18-11.oe1.noarch.rpm springframework-oxm-3.2.18-11.oe1.noarch.rpm springframework-tx-3.2.18-11.oe1.noarch.rpm springframework-web-3.2.18-11.oe1.noarch.rpm wildfly-security-manager-1.1.2-3.oe1.noarch.rpm wildfly-security-manager-javadoc-1.1.2-3.oe1.noarch.rpm wildfly-elytron-1.0.2-3.oe1.noarch.rpm wildfly-elytron-javadoc-1.0.2-3.oe1.noarch.rpm wildfly-build-tools-1.1.6-3.oe1.noarch.rpm wildfly-build-tools-javadoc-1.1.6-3.oe1.noarch.rpm wildfly-feature-pack-build-maven-plugin-1.1.6-3.oe1.noarch.rpm 
wildfly-server-provisioning-1.1.6-3.oe1.noarch.rpm wildfly-server-provisioning-maven-plugin-1.1.6-3.oe1.noarch.rpm wildfly-server-provisioning-standalone-1.1.6-3.oe1.noarch.rpm wildfly-common-1.1.0-9.oe1.noarch.rpm wildfly-common-help-1.1.0-9.oe1.noarch.rpm wildfly-core-2.2.0-4.oe1.noarch.rpm wildfly-core-feature-pack-2.2.0-4.oe1.noarch.rpm wildfly-core-javadoc-2.2.0-4.oe1.noarch.rpm libthrift-java-0.14.0-6.oe1.noarch.rpm perl-thrift-0.14.0-6.oe1.noarch.rpm python3-thrift-0.14.0-6.oe1.noarch.rpm thrift-0.14.0-6.oe1.noarch.rpm thrift-debugsource-0.14.0-6.oe1.noarch.rpm thrift-devel-0.14.0-6.oe1.noarch.rpm thrift-glib-0.14.0-6.oe1.noarch.rpm thrift-qt-0.14.0-6.oe1.noarch.rpm jenkins-json-lib-2.4-20.oe1.noarch.rpm json-lib-2.4-20.oe1.noarch.rpm json-lib-help-2.4-20.oe1.noarch.rpm datanucleus-api-jdo-3.2.15-4.oe1.noarch.rpm datanucleus-core-javadoc-3.2.15-4.oe1.noarch.rpm jgroups-3.6.10-9.oe1.noarch.rpm jgroups-help-3.6.10-9.oe1.noarch.rpm mx4j-3.0.1-4.oe1.noarch.rpm mx4j-javadoc-3.0.1-4.oe1.noarch.rpm mx4j-manual-3.0.1-4.oe1.noarch.rpm jboss-logging-3.3.0-8.oe1.noarch.rpm jboss-logging-javadoc-3.3.0-8.oe1.noarch.rpm infinispan-8.2.4-11.oe1.noarch.rpm infinispan-help-8.2.4-11.oe1.noarch.rpm datanucleus-rdbms-3.2.13-4.oe1.noarch.rpm datanucleus-rdbms-javadoc-3.2.13-4.oe1.noarch.rpm avalon-logkit-2.1-35.oe1.noarch.rpm avalon-logkit-help-2.1-35.oe1.noarch.rpm datanucleus-api-jdo-3.2.8-4.oe1.noarch.rpm datanucleus-api-jdo-javadoc-3.2.8-4.oe1.noarch.rpm HikariCP-2.4.3-7.oe1.noarch.rpm HikariCP-help-2.4.3-7.oe1.noarch.rpm metrics-3.1.2-4.oe1.noarch.rpm metrics-annotation-3.1.2-4.oe1.noarch.rpm metrics-benchmarks-3.1.2-4.oe1.noarch.rpm metrics-doc-3.1.2-4.oe1.noarch.rpm metrics-ehcache-3.1.2-4.oe1.noarch.rpm metrics-ganglia-3.1.2-4.oe1.noarch.rpm metrics-graphite-3.1.2-4.oe1.noarch.rpm metrics-healthchecks-3.1.2-4.oe1.noarch.rpm metrics-httpasyncclient-3.1.2-4.oe1.noarch.rpm metrics-httpclient-3.1.2-4.oe1.noarch.rpm metrics-javadoc-3.1.2-4.oe1.noarch.rpm 
metrics-jdbi-3.1.2-4.oe1.noarch.rpm metrics-jersey2-3.1.2-4.oe1.noarch.rpm metrics-json-3.1.2-4.oe1.noarch.rpm metrics-jvm-3.1.2-4.oe1.noarch.rpm metrics-log4j-3.1.2-4.oe1.noarch.rpm metrics-log4j2-3.1.2-4.oe1.noarch.rpm metrics-logback-3.1.2-4.oe1.noarch.rpm metrics-parent-3.1.2-4.oe1.noarch.rpm metrics-servlet-3.1.2-4.oe1.noarch.rpm metrics-servlets-3.1.2-4.oe1.noarch.rpm avalon-framework-4.3-24.oe1.noarch.rpm avalon-framework-help-4.3-24.oe1.noarch.rpm log4j-help-2.17.0-3.oe1.noarch.rpm log4j-taglib-2.17.0-3.oe1.noarch.rpm log4j-slf4j-2.17.0-3.oe1.noarch.rpm log4j-web-2.17.0-3.oe1.noarch.rpm log4j-jmx-gui-2.17.0-3.oe1.noarch.rpm log4j-jcl-2.17.0-3.oe1.noarch.rpm log4j-2.17.0-3.oe1.noarch.rpm log4j-bom-2.17.0-3.oe1.noarch.rpm mybatis-3.2.8-4.oe1.noarch.rpm mybatis-javadoc-3.2.8-4.oe1.noarch.rpm netty-4.1.13-16.oe1.noarch.rpm netty-help-4.1.13-16.oe1.noarch.rpm springframework-3.2.18-11.oe1.noarch.rpm springframework-aop-3.2.18-11.oe1.noarch.rpm springframework-beans-3.2.18-11.oe1.noarch.rpm springframework-context-3.2.18-11.oe1.noarch.rpm springframework-expression-3.2.18-11.oe1.noarch.rpm springframework-help-3.2.18-11.oe1.noarch.rpm springframework-instrument-3.2.18-11.oe1.noarch.rpm springframework-jdbc-3.2.18-11.oe1.noarch.rpm springframework-jms-3.2.18-11.oe1.noarch.rpm springframework-orm-3.2.18-11.oe1.noarch.rpm springframework-orm-hibernate4-3.2.18-11.oe1.noarch.rpm springframework-oxm-3.2.18-11.oe1.noarch.rpm springframework-tx-3.2.18-11.oe1.noarch.rpm springframework-web-3.2.18-11.oe1.noarch.rpm wildfly-security-manager-1.1.2-3.oe1.noarch.rpm wildfly-security-manager-javadoc-1.1.2-3.oe1.noarch.rpm wildfly-elytron-1.0.2-3.oe1.noarch.rpm wildfly-elytron-javadoc-1.0.2-3.oe1.noarch.rpm wildfly-build-tools-1.1.6-3.oe1.noarch.rpm wildfly-build-tools-javadoc-1.1.6-3.oe1.noarch.rpm wildfly-feature-pack-build-maven-plugin-1.1.6-3.oe1.noarch.rpm wildfly-server-provisioning-1.1.6-3.oe1.noarch.rpm wildfly-server-provisioning-maven-plugin-1.1.6-3.oe1.noarch.rpm 
wildfly-server-provisioning-standalone-1.1.6-3.oe1.noarch.rpm wildfly-common-1.1.0-9.oe1.noarch.rpm wildfly-common-help-1.1.0-9.oe1.noarch.rpm wildfly-core-2.2.0-4.oe1.noarch.rpm wildfly-core-feature-pack-2.2.0-4.oe1.noarch.rpm wildfly-core-javadoc-2.2.0-4.oe1.noarch.rpm libthrift-java-0.14.0-6.oe1.noarch.rpm perl-thrift-0.14.0-6.oe1.noarch.rpm python3-thrift-0.14.0-6.oe1.noarch.rpm thrift-0.14.0-6.oe1.noarch.rpm thrift-debugsource-0.14.0-6.oe1.noarch.rpm thrift-devel-0.14.0-6.oe1.noarch.rpm thrift-glib-0.14.0-6.oe1.noarch.rpm thrift-qt-0.14.0-6.oe1.noarch.rpm jenkins-json-lib-2.4-20.oe1.noarch.rpm json-lib-2.4-20.oe1.noarch.rpm json-lib-help-2.4-20.oe1.noarch.rpm datanucleus-api-jdo-3.2.15-4.oe1.noarch.rpm datanucleus-core-javadoc-3.2.15-4.oe1.noarch.rpm jgroups-3.6.10-9.oe1.noarch.rpm jgroups-help-3.6.10-9.oe1.noarch.rpm mx4j-3.0.1-4.oe1.noarch.rpm mx4j-javadoc-3.0.1-4.oe1.noarch.rpm mx4j-manual-3.0.1-4.oe1.noarch.rpm jboss-logging-3.3.0-8.oe1.noarch.rpm jboss-logging-javadoc-3.3.0-8.oe1.noarch.rpm infinispan-8.2.4-11.oe1.noarch.rpm infinispan-help-8.2.4-11.oe1.noarch.rpm datanucleus-rdbms-3.2.13-4.oe1.noarch.rpm datanucleus-rdbms-javadoc-3.2.13-4.oe1.noarch.rpm avalon-logkit-2.1-35.oe1.noarch.rpm avalon-logkit-help-2.1-35.oe1.noarch.rpm datanucleus-api-jdo-3.2.8-4.oe1.noarch.rpm datanucleus-api-jdo-javadoc-3.2.8-4.oe1.noarch.rpm HikariCP-2.4.3-7.oe1.noarch.rpm HikariCP-help-2.4.3-7.oe1.noarch.rpm metrics-3.1.2-4.oe1.noarch.rpm metrics-annotation-3.1.2-4.oe1.noarch.rpm metrics-benchmarks-3.1.2-4.oe1.noarch.rpm metrics-doc-3.1.2-4.oe1.noarch.rpm metrics-ehcache-3.1.2-4.oe1.noarch.rpm metrics-ganglia-3.1.2-4.oe1.noarch.rpm metrics-graphite-3.1.2-4.oe1.noarch.rpm metrics-healthchecks-3.1.2-4.oe1.noarch.rpm metrics-httpasyncclient-3.1.2-4.oe1.noarch.rpm metrics-httpclient-3.1.2-4.oe1.noarch.rpm metrics-javadoc-3.1.2-4.oe1.noarch.rpm metrics-jdbi-3.1.2-4.oe1.noarch.rpm metrics-jersey2-3.1.2-4.oe1.noarch.rpm metrics-json-3.1.2-4.oe1.noarch.rpm 
metrics-jvm-3.1.2-4.oe1.noarch.rpm metrics-log4j-3.1.2-4.oe1.noarch.rpm metrics-log4j2-3.1.2-4.oe1.noarch.rpm metrics-logback-3.1.2-4.oe1.noarch.rpm metrics-parent-3.1.2-4.oe1.noarch.rpm metrics-servlet-3.1.2-4.oe1.noarch.rpm metrics-servlets-3.1.2-4.oe1.noarch.rpm avalon-framework-4.3-24.oe1.noarch.rpm avalon-framework-help-4.3-24.oe1.noarch.rpm log4j-2.17.0-3.oe1.src.rpm mybatis-3.2.8-4.oe1.src.rpm springframework-3.2.18-11.oe1.src.rpm netty-4.1.13-16.oe1.src.rpm wildfly-security-manager-1.1.2-3.oe1.src.rpm wildfly-elytron-1.0.2-3.oe1.src.rpm wildfly-build-tools-1.1.6-3.oe1.src.rpm wildfly-common-1.1.0-9.oe1.src.rpm wildfly-core-2.2.0-4.oe1.src.rpm thrift-0.14.0-6.oe1.src.rpm json-lib-2.4-20.oe1.src.rpm datanucleus-core-3.2.15-4.oe1.src.rpm jgroups-3.6.10-9.oe1.src.rpm mx4j-3.0.1-4.oe1.src.rpm jboss-logging-3.3.0-8.src.rpm infinispan-8.2.4-11.oe1.src.rpm datanucleus-rdbms-3.2.13-4.oe1.src.rpm avalon-logkit-2.1-35.oe1.src.rpm datanucleus-api-jdo-3.2.8-4.oe1.src.rpm HikariCP-2.4.3-7.oe1.src.rpm metrics-3.1.2-4.oe1.src.rpm avalon-framework-4.3-25.oe1.src.rpm log4j-2.17.0-3.oe1.src.rpm mybatis-3.2.8-4.oe1.src.rpm springframework-3.2.18-11.oe1.src.rpm netty-4.1.13-16.oe1.src.rpm wildfly-security-manager-1.1.2-3.oe1.src.rpm wildfly-elytron-1.0.2-3.oe1.src.rpm wildfly-build-tools-1.1.6-3.oe1.src.rpm wildfly-common-1.1.0-9.oe1.src.rpm wildfly-core-2.2.0-4.oe1.src.rpm thrift-0.14.0-6.oe1.src.rpm json-lib-2.4-20.oe1.src.rpm datanucleus-core-3.2.15-4.oe1.src.rpm jgroups-3.6.10-9.oe1.src.rpm mx4j-3.0.1-4.oe1.src.rpm jboss-logging-3.3.0-8.src.rpm infinispan-8.2.4-11.oe1.src.rpm datanucleus-rdbms-3.2.13-4.oe1.src.rpm avalon-logkit-2.1-35.oe1.src.rpm datanucleus-api-jdo-3.2.8-4.oe1.src.rpm HikariCP-2.4.3-7.oe1.src.rpm metrics-3.1.2-4.oe1.src.rpm avalon-framework-4.3-25.oe1.src.rpm Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify 
the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

2021-12-31
CVE-2021-44832
openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2
High
6.6
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
log4j security update
2021-12-31
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1481