jiachao2130/cvrf2cusa
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7d8412e76d
cvrf2cusa/cvrf/2022/cvrf-openEuler-SA-2022-1956.xml
Jia Chao 0b34274085 git mv 
Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-07-25 09:57:37 +08:00

138 lines
7.6 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<DocumentTitle xml:lang="en">An update for log4j is now available for openEuler-20.03-LTS-SP1</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2022-1956</ID>
</Identification>
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2022-09-23</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2022-09-23</InitialReleaseDate>
<CurrentReleaseDate>2022-09-23</CurrentReleaseDate>
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2022-09-23</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">log4j security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for log4j is now available for openEuler-20.03-LTS-SP1.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Log4j is a tool to help the programmer output log statements to a variety of output targets.
Security Fix(es):
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.(CVE-2021-45105)
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.(CVE-2021-44832)</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for log4j is now available for openEuler-20.03-LTS-SP1.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">log4j</Note>
</DocumentNotes>
<DocumentReferences>
<Reference Type="Self">
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1956</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-45105</URL>
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44832</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-45105</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-44832</URL>
</Reference>
</DocumentReferences>
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="noarch">
<FullProductName ProductID="log4j-jmx-gui-2.17.0-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">log4j-jmx-gui-2.17.0-4.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="log4j-web-2.17.0-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">log4j-web-2.17.0-4.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="log4j-taglib-2.17.0-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">log4j-taglib-2.17.0-4.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="log4j-bom-2.17.0-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">log4j-bom-2.17.0-4.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="log4j-slf4j-2.17.0-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">log4j-slf4j-2.17.0-4.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="log4j-2.17.0-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">log4j-2.17.0-4.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="log4j-help-2.17.0-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">log4j-help-2.17.0-4.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="log4j-jcl-2.17.0-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">log4j-jcl-2.17.0-4.oe1.noarch.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="log4j-2.17.0-4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">log4j-2.17.0-4.oe1.src.rpm</FullProductName>
</Branch>
</ProductTree>
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.</Note>
</Notes>
<ReleaseDate>2022-09-23</ReleaseDate>
<CVE>CVE-2021-45105</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>7.5</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>log4j security update</Description>
<DATE>2022-09-23</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1956</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.</Note>
</Notes>
<ReleaseDate>2022-09-23</ReleaseDate>
<CVE>CVE-2021-44832</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Medium</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>6.6</BaseScore>
<Vector>AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>log4j security update</Description>
<DATE>2022-09-23</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1956</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>
Reference in New Issue View Git Blame Copy Permalink