jiachao2130/cvrf2cusa
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7e5f30e3e3
cvrf2cusa/cvrf/2022/cvrf-openEuler-SA-2022-1957.xml
Jia Chao 0b34274085 git mv 
Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-07-25 09:57:37 +08:00

170 lines
10 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<DocumentTitle xml:lang="en">An update for log4j is now available for openEuler-20.03-LTS-SP3</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2022-1957</ID>
</Identification>
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2022-09-23</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2022-09-23</InitialReleaseDate>
<CurrentReleaseDate>2022-09-23</CurrentReleaseDate>
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2022-09-23</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">log4j security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for log4j is now available for openEuler-20.03-LTS-SP3.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Log4j is a tool to help the programmer output log statements to a variety of output targets.
Security Fix(es):
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.(CVE-2021-45046)
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.(CVE-2021-45105)
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.(CVE-2021-44832)</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for log4j is now available for openEuler-20.03-LTS-SP3.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">log4j</Note>
</DocumentNotes>
<DocumentReferences>
<Reference Type="Self">
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1957</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-45046</URL>
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-45105</URL>
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44832</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-45046</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-45105</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-44832</URL>
</Reference>
</DocumentReferences>
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="noarch">
<FullProductName ProductID="log4j-web-2.17.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">log4j-web-2.17.0-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="log4j-slf4j-2.17.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">log4j-slf4j-2.17.0-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="log4j-bom-2.17.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">log4j-bom-2.17.0-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="log4j-help-2.17.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">log4j-help-2.17.0-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="log4j-2.17.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">log4j-2.17.0-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="log4j-taglib-2.17.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">log4j-taglib-2.17.0-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="log4j-jmx-gui-2.17.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">log4j-jmx-gui-2.17.0-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="log4j-jcl-2.17.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">log4j-jcl-2.17.0-3.oe1.noarch.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="log4j-2.17.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">log4j-2.17.0-3.oe1.src.rpm</FullProductName>
</Branch>
</ProductTree>
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.</Note>
</Notes>
<ReleaseDate>2022-09-23</ReleaseDate>
<CVE>CVE-2021-45046</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Low</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>3.7</BaseScore>
<Vector>AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>log4j security update</Description>
<DATE>2022-09-23</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1957</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.</Note>
</Notes>
<ReleaseDate>2022-09-23</ReleaseDate>
<CVE>CVE-2021-45105</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>7.5</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>log4j security update</Description>
<DATE>2022-09-23</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1957</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="3" xml:lang="en">Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.</Note>
</Notes>
<ReleaseDate>2022-09-23</ReleaseDate>
<CVE>CVE-2021-44832</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Medium</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>6.6</BaseScore>
<Vector>AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>log4j security update</Description>
<DATE>2022-09-23</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1957</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>
Reference in New Issue View Git Blame Copy Permalink