It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Weakness
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Log4j | Apache | 2.0.1 (including) | 2.12.2 (excluding) |
| Log4j | Apache | 2.13.0 (including) | 2.16.0 (excluding) |
| Log4j | Apache | 2.0 (including) | 2.0 (including) |
| Log4j | Apache | 2.0-beta9 (including) | 2.0-beta9 (including) |
| Log4j | Apache | 2.0-rc1 (including) | 2.0-rc1 (including) |
| Log4j | Apache | 2.0-rc2 (including) | 2.0-rc2 (including) |
| OpenShift Logging 5.0 | RedHat | openshift-logging/elasticsearch6-rhel8:v5.0.10-1 | * |
| OpenShift Logging 5.1 | RedHat | openshift-logging/elasticsearch6-rhel8:v6.8.1-67 | * |
| OpenShift Logging 5.2 | RedHat | openshift-logging/elasticsearch6-rhel8:v6.8.1-66 | * |
| OpenShift Logging 5.3 | RedHat | openshift-logging/elasticsearch6-rhel8:v6.8.1-65 | * |
| Red Hat AMQ Streams 2.0.0 | RedHat | * | |
| Red Hat Data Grid 8.2.3 | RedHat | log4j-core | * |
| Red Hat Fuse 7.8.2, 7.9.1, 7.10.1 | RedHat | log4j-core | * |
| Red Hat Integration Camel Extensions for Quarkus 2.2 | RedHat | * | |
| Red Hat Integration Camel-K 1.6.3 | RedHat | log4j-core | * |
| Red Hat JBoss Enterprise Application Platform 7 | RedHat | log4j-core | * |
| Red Hat JBoss Enterprise Application Platform 7 | RedHat | log4j-core | * |
| Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | RedHat | eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7 | * |
| Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | RedHat | eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7 | * |
| Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | RedHat | eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7 | * |
| Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | RedHat | eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7 | * |
| Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | RedHat | eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7 | * |
| Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | RedHat | eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7 | * |
| Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | RedHat | eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7 | * |
| Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | RedHat | eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7 | * |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | RedHat | eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap | * |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | RedHat | eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap | * |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | RedHat | eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap | * |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | RedHat | eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap | * |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | RedHat | eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap | * |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | RedHat | eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap | * |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | RedHat | eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap | * |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | RedHat | eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap | * |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | RedHat | eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap | * |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | RedHat | eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap | * |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | RedHat | eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap | * |
| Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | RedHat | eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap | * |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | RedHat | eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap | * |
| Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | RedHat | eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap | * |
| Red Hat OpenShift Container Platform 3.11 | RedHat | openshift3/ose-logging-elasticsearch5:v3.11.570-2.gd119820 | * |
| Red Hat OpenShift Container Platform 4.6 | RedHat | openshift4/ose-logging-elasticsearch6:v4.6.0-202112132021.p0.g2a13a81.assembly.stream | * |
| Red Hat OpenShift Container Platform 4.6 | RedHat | openshift4/ose-metering-hive:v4.6.0-202112140546.p0.g8b9da97.assembly.stream | * |
| Red Hat OpenShift Container Platform 4.6 | RedHat | openshift4/ose-metering-presto:v4.6.0-202112150545.p0.g190688a.assembly.art3595 | * |
| Red Hat OpenShift Container Platform 4.7 | RedHat | openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream | * |
| Red Hat OpenShift Container Platform 4.7 | RedHat | openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40 | * |
| Red Hat OpenShift Container Platform 4.8 | RedHat | openshift4/ose-metering-hive:v4.8.0-202112132154.p0.g57dd03a.assembly.stream | * |
| Red Hat OpenShift Container Platform 4.8 | RedHat | openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599 | * |
| Vert.x 4.1.8 | RedHat | log4j-core | * |
| Apache-log4j2 | Ubuntu | esm-apps/focal | * |
| Apache-log4j2 | Ubuntu | focal | * |
| Apache-log4j2 | Ubuntu | hirsute | * |
| Apache-log4j2 | Ubuntu | impish | * |
| Apache-log4j2 | Ubuntu | trusty | * |
| Apache-log4j2 | Ubuntu | upstream | * |
| Apache-log4j2 | Ubuntu | xenial | * |
Potential Mitigations
- If user-controlled data must be added to an expression interpreter, one or more of the following should be performed:
References
- http://www.openwall.com/lists/oss-security/2021/12/14/4
- http://www.openwall.com/lists/oss-security/2021/12/15/3
- http://www.openwall.com/lists/oss-security/2021/12/18/1
- https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/
- https://logging.apache.org/log4j/2.x/security.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
- https://security.gentoo.org/glsa/202310-16
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- https://www.cve.org/CVERecord?id=CVE-2021-44228
- https://www.debian.org/security/2021/dsa-5022
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
- https://www.kb.cert.org/vuls/id/930724
- https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- http://www.openwall.com/lists/oss-security/2021/12/14/4
- http://www.openwall.com/lists/oss-security/2021/12/15/3
- http://www.openwall.com/lists/oss-security/2021/12/18/1
- https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/
- https://logging.apache.org/log4j/2.x/security.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
- https://security.gentoo.org/glsa/202310-16
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- https://www.cve.org/CVERecord?id=CVE-2021-44228
- https://www.debian.org/security/2021/dsa-5022
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
- https://www.kb.cert.org/vuls/id/930724
- https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-45046