Action not permitted
Modal body text goes here.
CVE-2021-45046
Vulnerability from cvelistv5
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache Log4j |
CISA Known exploited vulnerability
Data from the Known Exploited Vulnerabilities Catalog
Date added: 2023-05-01
Due date: 2023-05-22
Required action: Apply updates per vendor instructions.
Used in ransomware: Known
Notes: https://logging.apache.org/log4j/2.x/security.html; https://nvd.nist.gov/vuln/detail/CVE-2021-45046
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:32:13.624Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "name": "[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "name": "VU#930724", "tags": [ "third-party-advisory", "x_refsource_CERT-VN", "x_transferred" ], "url": "https://www.kb.cert.org/vuls/id/930724" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html" }, { "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "tags": [ "vendor-advisory", "x_refsource_CISCO", "x_transferred" ], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" }, { "name": "[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf" }, { "name": "DSA-5022", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-5022" }, { "name": "[oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf" }, { "name": "FEDORA-2021-5c9d12a93e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/" }, { "name": "FEDORA-2021-abbe24e41c", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "tags": [ "x_transferred" ], "url": "https://security.gentoo.org/glsa/202310-16" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Log4j", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "2.16.0", "status": "affected", "version": "Apache Log4j2", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default." } ], "metrics": [ { "other": { "content": { "other": "moderate (CVSS: 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-917", "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-27T13:04:30.812Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "name": "[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "name": "VU#930724", "tags": [ "third-party-advisory", "x_refsource_CERT-VN" ], "url": "https://www.kb.cert.org/vuls/id/930724" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html" }, { "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "tags": [ "vendor-advisory", "x_refsource_CISCO" ], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" }, { "name": "[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf" }, { "name": "DSA-5022", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-5022" }, { "name": "[oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf" }, { "name": "FEDORA-2021-5c9d12a93e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/" }, { "name": "FEDORA-2021-abbe24e41c", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "url": "https://security.gentoo.org/glsa/202310-16" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-45046", "STATE": "PUBLIC", "TITLE": "Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Log4j", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "Apache Log4j2", "version_value": "2.16.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate (CVSS: 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032", "refsource": "CONFIRM", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032" }, { "name": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html", "refsource": "CONFIRM", "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html" }, { "name": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "refsource": "MISC", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "name": "[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "name": "https://logging.apache.org/log4j/2.x/security.html", "refsource": "CONFIRM", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "name": "VU#930724", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/930724" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf" }, { "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html", "refsource": "CONFIRM", "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html" }, { "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" }, { "name": "[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf" }, { "name": "DSA-5022", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-5022" }, { "name": "[oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf" }, { "name": "FEDORA-2021-5c9d12a93e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/" }, { "name": "FEDORA-2021-abbe24e41c", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-45046", "datePublished": "2021-12-14T16:55:09", "dateReserved": "2021-12-14T00:00:00", "dateUpdated": "2024-08-04T04:32:13.624Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "cisa_known_exploited": { "cveID": "CVE-2021-45046", "cwes": "[\"CWE-917\"]", "dateAdded": "2023-05-01", "dueDate": "2023-05-22", "knownRansomwareCampaignUse": "Known", "notes": "https://logging.apache.org/log4j/2.x/security.html; https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "product": "Log4j2", "requiredAction": "Apply updates per vendor instructions.", "shortDescription": "Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.", "vendorProject": "Apache", "vulnerabilityName": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability" }, "nvd": "{\"cve\":{\"id\":\"CVE-2021-45046\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2021-12-14T19:15:07.733\",\"lastModified\":\"2024-10-31T12:17:17.820\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"cisaExploitAdd\":\"2023-05-01\",\"cisaActionDue\":\"2023-05-22\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Apache Log4j2 Deserialization of Untrusted Data Vulnerability\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 que la correcci\u00f3n para abordar CVE-2021-44228 en Apache Log4j versiones 2.15.0 estaba incompleta en ciertas configuraciones no predeterminadas. Esto podr\u00eda permitir a los atacantes con control sobre los datos de entrada de Thread Context Map (MDC) cuando la configuraci\u00f3n de registro utiliza un Pattern Layout no predeterminado con un Context Lookup (por ejemplo, $${ctx:loginId}) o un Thread Context Map pattern (%X, %mdc, o %MDC) para elaborar datos de entrada maliciosos utilizando un patr\u00f3n JNDI Lookup que resulta en una fuga de informaci\u00f3n y ejecuci\u00f3n de c\u00f3digo remoto en algunos entornos y ejecuci\u00f3n de c\u00f3digo local en todos los entornos. Log4j versiones 2.16.0 (Java 8) y 2.12.2 (Java 7) solucionan este problema eliminando el soporte para los patrones de b\u00fasqueda de mensajes y deshabilitando la funcionalidad JNDI por defecto\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":2.2,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":5.1},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":4.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-917\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-917\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.1\",\"versionEndExcluding\":\"2.12.2\",\"matchCriteriaId\":\"155A3CFA-903D-4DC9-9A64-C964FAABACC4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.13.0\",\"versionEndExcluding\":\"2.16.0\",\"matchCriteriaId\":\"88DD4847-0961-4CC4-90FC-DFCDC235F62F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"17854E42-7063-4A55-BF2A-4C7074CC2D60\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*\",\"matchCriteriaId\":\"53F32FB2-6970-4975-8BD0-EAE12E9AD03A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B773ED91-1D39-42E6-9C52-D02210DE1A94\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF24312D-1A62-482E-8078-7EC24758B710\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cvat:computer_vision_annotation_tool:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"99BBE644-5421-472E-8595-5279E0CC67B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intel:audio_development_kit:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"099344DD-8AEE-49A0-88A8-691A8A1E651F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intel:datacenter_manager:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"070C1452-C349-4953-A748-3039F2217811\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intel:genomics_kernel_library:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"18989EBC-E1FB-473B-83E0-48C8896C2E96\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intel:oneapi:-:*:*:*:*:eclipse:*:*\",\"matchCriteriaId\":\"720D3597-B74B-4540-AD50-80884183D5DE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intel:secure_device_onboard:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"22BEE177-D117-478C-8EAD-9606DEDF9FD5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intel:sensor_solution_firmware_development_kit:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F021E2E7-0D8F-4336-82A6-77E521347C4F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intel:system_debugger:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1F66B0A2-22C0-41D5-B866-1764DEC12CB2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intel:system_studio:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC619106-991C-413A-809D-C2410EBA4CDB\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E8320869-CBF4-4C92-885C-560C09855BFA\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:sppa-t3000_ses3000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"755BA221-33DD-40A2-A517-8574D042C261\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:captial:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2019.1\",\"matchCriteriaId\":\"07856DAA-EDB4-4522-BA16-CD302C9E39EF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:captial:2019.1:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7AD819D-D093-472E-AA47-1A925111E4C8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:captial:2019.1:sp1912:*:*:*:*:*:*\",\"matchCriteriaId\":\"2D07A11A-A3C6-4D44-B2E0-A8358D23947A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:comos:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"61597661-A3B0-4A14-AA6B-C911E0063390\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BB524B33-68E7-46A2-B5CE-BCD9C3194B8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F852C6D-44A0-4CCE-83C7-4501CAD73F9F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AA61161C-C2E7-4852-963E-E2D3DFBFDC7B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A76AA04A-BB43-4027-895E-D1EACFCDF41B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2A6B60F3-327B-49B7-B5E4-F1C60896C9BB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:desigo_cc_info_center:5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4BCF281E-B0A2-49E2-AEF8-8691BDCE08D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:desigo_cc_info_center:5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A87EFCC4-4BC1-4FEA-BAA4-8FF221838EBD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:e-car_operation_center:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2021-12-13\",\"matchCriteriaId\":\"B678380B-E95E-4A8B-A49D-D13B62AA454E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:energy_engage:3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4557476B-0157-44C2-BB50-299E7C7E1E72\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:energyip:8.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"991B2959-5AA3-4B68-A05A-42D9860FAA9D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:energyip:8.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7E5948A0-CA31-41DF-85B6-1E6D09E5720B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:energyip:8.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4C08D302-EEAC-45AA-9943-3A5F09E29FAB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:energyip:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D53BA68C-B653-4507-9A2F-177CF456960F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:energyip_prepay:3.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1F0C3D5E-579F-42C6-9D8C-37969A1D17D2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:energyip_prepay:3.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2C16C460-9482-4A22-92AC-1AE0E87D7F28\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:gma-manager:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.6.2j-398\",\"matchCriteriaId\":\"0E180527-5C36-4158-B017-5BEDC0412FD6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:head-end_system_universal_device_integration_system:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AFDADA98-1CD0-45DA-9082-BFC383F7DB97\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:industrial_edge_management:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E33D707F-100E-4DE7-A05B-42467DE75EAC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:industrial_edge_management_hub:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2021-12-13\",\"matchCriteriaId\":\"DD3EAC80-44BE-41D2-8D57-0EE3DBA1E1B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:logo\\\\!_soft_comfort:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2AC8AB52-F4F4-440D-84F5-2776BFE1957A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:mendix:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6AF6D774-AC8C-49CA-A00B-A2740CA8FA91\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:mindsphere:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2021-12-11\",\"matchCriteriaId\":\"6423B1A7-F09F-421A-A0AC-3059CB89B110\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:navigator:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2021-12-13\",\"matchCriteriaId\":\"48C6A61B-2198-4B9E-8BCF-824643C81EC3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:nx:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BEE2F7A1-8281-48F1-8BFB-4FE0D7E1AEF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:opcenter_intelligence:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.2\",\"matchCriteriaId\":\"C74B9880-FFF9-48CA-974F-54FB80F30D2D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:operation_scheduler:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.1.3\",\"matchCriteriaId\":\"74D1F4AD-9A60-4432-864F-4505B3C60659\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:sentron_powermanager:4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7ABA5332-8D1E-4129-A557-FCECBAC12827\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:sentron_powermanager:4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9C3AA865-5570-4C8B-99DE-431AD7B163F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:siguard_dsa:4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"00E03FB6-37F9-4559-8C86-F203D6782920\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:siguard_dsa:4.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"90439591-BA01-4007-A2B6-B316548D4595\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:siguard_dsa:4.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E1F3B8B4-4D1B-4913-BD5F-1A04B47F829A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:sipass_integrated:2.80:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"83E77D85-0AE8-41D6-AC0C-983A8B73C831\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:sipass_integrated:2.85:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"02B28A44-3708-480D-9D6D-DDF8C21A15EC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:siveillance_command:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"4.16.2.1\",\"matchCriteriaId\":\"2FC0A575-F771-4B44-A0C6-6A5FD98E5134\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:siveillance_control_pro:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6D1D6B61-1F17-4008-9DFB-EF419777768E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:siveillance_identity:1.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9772EE3F-FFC5-4611-AD9A-8AD8304291BB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CF524892-278F-4373-A8A3-02A30FA1AFF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:siveillance_vantage:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F30DE588-9479-46AA-8346-EA433EE83A5F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:siveillance_viewpoint:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4941EAD6-8759-4C72-ABA6-259C0E838216\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:solid_edge_cam_pro:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5BF2708F-0BD9-41BF-8CB1-4D06C4EFB777\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:solid_edge_harness_design:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2020\",\"matchCriteriaId\":\"0762031C-DFF1-4962-AE05-0778B27324B9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:solid_edge_harness_design:2020:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"96271088-1D1B-4378-8ABF-11DAB3BB4DDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:solid_edge_harness_design:2020:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"2595AD24-2DF2-4080-B780-BC03F810B9A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:solid_edge_harness_design:2020:sp2002:*:*:*:*:*:*\",\"matchCriteriaId\":\"88096F08-F261-4E3E-9EEB-2AB0225CD6F3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:spectrum_power_4:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.70\",\"matchCriteriaId\":\"044994F7-8127-4F03-AA1A-B2AB41D68AF5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:spectrum_power_4:4.70:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"A6CB3A8D-9577-41FB-8AC4-0DF8DE6A519C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:spectrum_power_4:4.70:sp7:*:*:*:*:*:*\",\"matchCriteriaId\":\"17B7C211-6339-4AF2-9564-94C7DE52EEB7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:spectrum_power_4:4.70:sp8:*:*:*:*:*:*\",\"matchCriteriaId\":\"DBCCBBBA-9A4F-4354-91EE-10A1460BBA3F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:spectrum_power_7:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.30\",\"matchCriteriaId\":\"12F81F6B-E455-4367-ADA4-8A5EC7F4754A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:spectrum_power_7:2.30:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A5EF509E-3799-4718-B361-EFCBA17AEEF3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:spectrum_power_7:2.30:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"8CA31645-29FC-4432-9BFC-C98A808DB8CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:spectrum_power_7:2.30:sp2:*:*:*:*:*:*\",\"matchCriteriaId\":\"BB424991-0B18-4FFC-965F-FCF4275F56C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:teamcenter:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1B209EFE-77F2-48CD-A880-ABA0A0A81AB1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:tracealertserverplus:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6340621E-0FAF-4684-B457-E621E51E13A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:vesys:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2019.1\",\"matchCriteriaId\":\"72D238AB-4A1F-458D-897E-2C93DCD7BA6C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:vesys:2019.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9778339A-EA93-4D18-9A03-4EB4CBD25459\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:vesys:2019.1:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"1747F127-AB45-4325-B9A1-F3D12E69FFC8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:vesys:2019.1:sp1912:*:*:*:*:*:*\",\"matchCriteriaId\":\"18BBEF7C-F686-4129-8EE9-0F285CE38845\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:xpedition_enterprise:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AD525494-2807-48EA-AED0-11B9CB5A6A9B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:xpedition_package_integrator:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1EDCBF98-A857-48BC-B04D-6F36A1975AA5\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"10.0.12\",\"matchCriteriaId\":\"B5BAA8A5-74B3-48EB-8287-302927197A4E\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:6bk1602-0aa12-0tp0:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CF99FE8F-40D0-48A8-9A40-43119B259535\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:6bk1602-0aa12-0tp0_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.7.0\",\"matchCriteriaId\":\"BD64FC36-CC7B-4FD7-9845-7EA1DDB0E627\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:6bk1602-0aa22-0tp0:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F3F61BCB-64FA-463C-8B95-8868995EDBC0\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:6bk1602-0aa22-0tp0_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.7.0\",\"matchCriteriaId\":\"D0012304-B1C8-460A-B891-42EBF96504F5\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:6bk1602-0aa32-0tp0:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B5A189B7-DDBF-4B84-997F-637CEC5FF12B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:6bk1602-0aa32-0tp0_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.7.0\",\"matchCriteriaId\":\"B02BCF56-D9D3-4BF3-85A2-D445E997F5EC\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:6bk1602-0aa42-0tp0:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"035AFD6F-E560-43C8-A283-8D80DAA33025\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:6bk1602-0aa42-0tp0_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.7.0\",\"matchCriteriaId\":\"4A2DB5BA-1065-467A-8FB6-81B5EC29DC0C\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:6bk1602-0aa52-0tp0:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4594FF76-A1F8-4457-AE90-07D051CD0DCB\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:6bk1602-0aa52-0tp0_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.7.0\",\"matchCriteriaId\":\"809EB87E-561A-4DE5-9FF3-BBEE0FA3706E\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2021/12/14/4\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/12/15/3\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/12/18/1\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"https://logging.apache.org/log4j/2.x/security.html\",\"source\":\"security@apache.org\",\"tags\":[\"Mitigation\",\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202310-16\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.cve.org/CVERecord?id=CVE-2021-44228\",\"source\":\"security@apache.org\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-5022\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.kb.cert.org/vuls/id/930724\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.oracle.com/security-alerts/alert-cve-2021-44228.html\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
rhsa-2022_1299
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1299", "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1299.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2024-11-15T14:46:14+00:00", "generator": { "date": "2024-11-15T14:46:14+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:1299", "initial_release_date": "2022-04-11T13:00:49+00:00", "revision_history": [ { "date": "2022-04-11T13:00:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T13:00:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:46:14+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 7.4.4 release", "product": { "name": "EAP 7.4.4 release", "product_id": "EAP 7.4.4 release", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021_5128
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for OpenShift Logging 5.1.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Openshift Logging Security and Bug Fix Release (5.1.5)\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data (CVE-2021-37136)\n\n* netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5128", "url": "https://access.redhat.com/errata/RHSA-2021:5128" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "1944888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888" }, { "category": "external", "summary": "2004133", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133" }, { "category": "external", "summary": "2004135", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "LOG-1971", "url": "https://issues.redhat.com/browse/LOG-1971" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5128.json" } ], "title": "Red Hat Security Advisory: Openshift Logging security and bug update (5.1.5)", "tracking": { "current_release_date": "2024-11-21T21:14:29+00:00", "generator": { "date": "2024-11-21T21:14:29+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:5128", "initial_release_date": "2021-12-14T18:09:12+00:00", "revision_history": [ { "date": "2021-12-14T18:09:12+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-14T18:09:12+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:14:29+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "OpenShift Logging 5.1", "product": { "name": "OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:logging:5.1::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "product": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.1.5-3" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "product": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.1.5-3" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "product": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-68" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "product": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "product_id": "openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "product_identification_helper": { "purl": "pkg:oci/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-67" } } }, { "category": "product_version", "name": "openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "product": { "name": "openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "product_id": "openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "product_identification_helper": { "purl": "pkg:oci/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-65" } } }, { "category": "product_version", "name": "openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "product": { "name": "openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "product_id": "openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "product_identification_helper": { "purl": "pkg:oci/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-72" } } }, { "category": "product_version", "name": "openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "product": { "name": "openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "product_id": "openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "product_identification_helper": { "purl": "pkg:oci/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-75" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "product": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.1.5-3" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "product": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.1.5-3" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "product": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-68" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le", "product": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le", "product_id": "openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le", "product_identification_helper": { "purl": "pkg:oci/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-67" } } }, { "category": "product_version", "name": "openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "product": { "name": "openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "product_id": "openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "product_identification_helper": { "purl": "pkg:oci/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-65" } } }, { "category": "product_version", "name": "openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "product": { "name": "openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "product_id": "openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "product_identification_helper": { "purl": "pkg:oci/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-72" } } }, { "category": "product_version", "name": "openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "product": { "name": "openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "product_id": "openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "product_identification_helper": { "purl": "pkg:oci/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-75" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "product": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.1.5-3" } } }, { "category": "product_version", "name": "openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "product": { "name": "openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "product_id": "openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-operator-bundle\u0026tag=v5.1.5-9" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "product": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.1.5-3" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "product": { "name": "openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "product_id": "openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-operator-bundle\u0026tag=v5.1.5-10" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "product": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-68" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "product": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "product_id": "openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-67" } } }, { "category": "product_version", "name": "openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "product": { "name": "openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "product_id": "openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "product_identification_helper": { "purl": "pkg:oci/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-65" } } }, { "category": "product_version", "name": "openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "product": { "name": "openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "product_id": "openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "product_identification_helper": { "purl": "pkg:oci/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-72" } } }, { "category": "product_version", "name": "openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64", "product": { "name": "openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64", "product_id": "openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64", "product_identification_helper": { "purl": "pkg:oci/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-75" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64 as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64" }, "product_reference": "openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x" }, "product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le" }, "product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64 as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64" }, "product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64 as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64" }, "product_reference": "openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x" }, "product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64 as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64" }, "product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le" }, "product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x" }, "product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le" }, "product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64 as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64" }, "product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x" }, "product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64 as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64" }, "product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" }, "product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64 as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64" }, "product_reference": "openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le" }, "product_reference": "openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x" }, "product_reference": "openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64 as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64" }, "product_reference": "openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x" }, "product_reference": "openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le" }, "product_reference": "openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x" }, "product_reference": "openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le" }, "product_reference": "openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64 as a component of OpenShift Logging 5.1", "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64" }, "product_reference": "openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.1" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-21409", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-03-30T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1944888" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: Request smuggling via content-length header", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21409" }, { "category": "external", "summary": "RHBZ#1944888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21409", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21409" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409" }, { "category": "external", "summary": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", "url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32" } ], "release_date": "2021-03-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T18:09:12+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.1, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5128" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "netty: Request smuggling via content-length header" }, { "cve": "CVE-2021-37136", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-09-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2004133" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty\u0027s netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data", "title": "Vulnerability summary" }, { "category": "other", "text": "In the OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of netty-codec package. Since the release of OCP 4.6, the Metering product has been deprecated [1], so the affected components are marked as wontfix. This may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37136" }, { "category": "external", "summary": "RHBZ#2004133", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37136", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37136" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136" }, { "category": "external", "summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", "url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv" } ], "release_date": "2021-09-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T18:09:12+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.1, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5128" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data" }, { "cve": "CVE-2021-37137", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-09-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2004135" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Netty\u0027s netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could cause excessive memory usage resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37137" }, { "category": "external", "summary": "RHBZ#2004135", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37137", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37137" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137" }, { "category": "external", "summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", "url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv" } ], "release_date": "2021-09-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T18:09:12+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.1, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5128" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T18:09:12+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.1, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5128" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T18:09:12+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.1, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5128" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le", "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64", "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2022_0223
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A minor version update (from 1.6.2 to 1.6.3) is now available for Red Hat Integration Camel K that includes bug fixes. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "A minor version update (from 1.6.2 to 1.6.3) is now available for Red Hat Camel K that includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0223", "url": "https://access.redhat.com/errata/RHSA-2022:0223" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2022-Q1", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2022-Q1" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q1", "url": "https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q1" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0223.json" } ], "title": "Red Hat Security Advisory: Red Hat Integration Camel-K 1.6.3 release and security update", "tracking": { "current_release_date": "2024-11-15T10:44:58+00:00", "generator": { "date": "2024-11-15T10:44:58+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0223", "initial_release_date": "2022-01-20T18:55:14+00:00", "revision_history": [ { "date": "2022-01-20T18:55:14+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-20T18:55:14+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T10:44:58+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Integration Camel-K 1.6.3", "product": { "name": "Red Hat Integration Camel-K 1.6.3", "product_id": "Red Hat Integration Camel-K 1.6.3", "product_identification_helper": { "cpe": "cpe:/a:redhat:integration:1" } } } ], "category": "product_family", "name": "Red Hat Integration" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Integration Camel-K 1.6.3" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T18:55:14+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Integration Camel-K 1.6.3" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0223" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "Red Hat Integration Camel-K 1.6.3" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Integration Camel-K 1.6.3" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Integration Camel-K 1.6.3" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T18:55:14+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Integration Camel-K 1.6.3" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0223" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "Red Hat Integration Camel-K 1.6.3" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Integration Camel-K 1.6.3" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Integration Camel-K 1.6.3" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T18:55:14+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Integration Camel-K 1.6.3" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0223" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "Red Hat Integration Camel-K 1.6.3" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Integration Camel-K 1.6.3" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" } ] }
rhsa-2022_1297
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1297", "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22900", "url": "https://issues.redhat.com/browse/JBEAP-22900" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1297.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2024-11-15T14:47:10+00:00", "generator": { "date": "2024-11-15T14:47:10+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:1297", "initial_release_date": "2022-04-11T13:00:18+00:00", "revision_history": [ { "date": "2022-04-11T13:00:18+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T13:00:18+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:47:10+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el8eap?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64@2.2.0-2.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el8eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-core@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-entitymanager@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-envers@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-java8@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-compensations@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbosstxbridge@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbossxts@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-idlj@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-integration@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-api@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-bridge@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-integration@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-util@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-txframework@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-cli@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-commons@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-core-client@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-dto@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hornetq-protocol@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hqclient-protocol@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jdbc-store@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-client@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-server@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-journal@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-ra@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-selector@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-server@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-service-extensions@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-tools@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.11-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-component-annotations@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-commons@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-spi@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-v53@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el8eap?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-java@2.2.0-3.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_id": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64@2.2.0-2.Final_redhat_00002.1.el8eap?arch=x86_64" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_id": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64-debuginfo@2.2.0-2.Final_redhat_00002.1.el8eap?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0083
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat build of Eclipse Vert.x.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE pages listed in the References section.", "title": "Topic" }, { "category": "general", "text": "This release of Red Hat build of Eclipse Vert.x 4.1.8 GA includes security updates. For more information, see the release notes listed in the References section.\n\nSecurity Fix(es):\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0083", "url": "https://access.redhat.com/errata/RHSA-2022:0083" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=catRhoar.eclipse.vertx\u0026version=4.1.8", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=catRhoar.eclipse.vertx\u0026version=4.1.8" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.1/html/release_notes_for_eclipse_vert.x_4.1/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.1/html/release_notes_for_eclipse_vert.x_4.1/index" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0083.json" } ], "title": "Red Hat Security Advisory: Red Hat build of Eclipse Vert.x 4.1.8 security update", "tracking": { "current_release_date": "2024-11-15T10:44:05+00:00", "generator": { "date": "2024-11-15T10:44:05+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0083", "initial_release_date": "2022-01-20T12:12:50+00:00", "revision_history": [ { "date": "2022-01-20T12:12:50+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-20T12:12:50+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T10:44:05+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Vert.x 4.1.8", "product": { "name": "Vert.x 4.1.8", "product_id": "Vert.x 4.1.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0" } } } ], "category": "product_family", "name": "Red Hat OpenShift Application Runtimes" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Vert.x 4.1.8" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T12:12:50+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Vert.x 4.1.8" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0083" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "Vert.x 4.1.8" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Vert.x 4.1.8" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Vert.x 4.1.8" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T12:12:50+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Vert.x 4.1.8" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0083" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "Vert.x 4.1.8" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Vert.x 4.1.8" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Vert.x 4.1.8" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T12:12:50+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Vert.x 4.1.8" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0083" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "Vert.x 4.1.8" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Vert.x 4.1.8" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" } ] }
rhsa-2021_5094
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 3.11.z is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an\nattacker-controlled string value (CVE-2021-44228)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s)\nlisted in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5094", "url": "https://access.redhat.com/errata/RHSA-2021:5094" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5094.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 3.11.z security update", "tracking": { "current_release_date": "2024-11-21T21:14:22+00:00", "generator": { "date": "2024-11-21T21:14:22+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:5094", "initial_release_date": "2021-12-14T05:50:14+00:00", "revision_history": [ { "date": "2021-12-14T05:50:14+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-14T05:50:14+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:14:22+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 3.11", "product": { "name": "Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:3.11::el7" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift3/ose-logging-elasticsearch5@sha256:88379eab3d1e07f120b5dc6fa6ba4ebf96d3afb6aaf388d279084d675b23b5c2_amd64", "product": { "name": "openshift3/ose-logging-elasticsearch5@sha256:88379eab3d1e07f120b5dc6fa6ba4ebf96d3afb6aaf388d279084d675b23b5c2_amd64", "product_id": "openshift3/ose-logging-elasticsearch5@sha256:88379eab3d1e07f120b5dc6fa6ba4ebf96d3afb6aaf388d279084d675b23b5c2_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-logging-elasticsearch5@sha256:88379eab3d1e07f120b5dc6fa6ba4ebf96d3afb6aaf388d279084d675b23b5c2?arch=amd64\u0026repository_url=registry.redhat.io/openshift3/ose-logging-elasticsearch5\u0026tag=v3.11.570-2.gd119820" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift3/ose-logging-elasticsearch5@sha256:88379eab3d1e07f120b5dc6fa6ba4ebf96d3afb6aaf388d279084d675b23b5c2_amd64 as a component of Red Hat OpenShift Container Platform 3.11", "product_id": "7Server-RH7-RHOSE-3.11:openshift3/ose-logging-elasticsearch5@sha256:88379eab3d1e07f120b5dc6fa6ba4ebf96d3afb6aaf388d279084d675b23b5c2_amd64" }, "product_reference": "openshift3/ose-logging-elasticsearch5@sha256:88379eab3d1e07f120b5dc6fa6ba4ebf96d3afb6aaf388d279084d675b23b5c2_amd64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.11" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:openshift3/ose-logging-elasticsearch5@sha256:88379eab3d1e07f120b5dc6fa6ba4ebf96d3afb6aaf388d279084d675b23b5c2_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T05:50:14+00:00", "details": "See the following documentation, which will be updated shortly for release\n3.11.z, for important instructions on how to upgrade your cluster and fully\napply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258 .", "product_ids": [ "7Server-RH7-RHOSE-3.11:openshift3/ose-logging-elasticsearch5@sha256:88379eab3d1e07f120b5dc6fa6ba4ebf96d3afb6aaf388d279084d675b23b5c2_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5094" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "7Server-RH7-RHOSE-3.11:openshift3/ose-logging-elasticsearch5@sha256:88379eab3d1e07f120b5dc6fa6ba4ebf96d3afb6aaf388d279084d675b23b5c2_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:openshift3/ose-logging-elasticsearch5@sha256:88379eab3d1e07f120b5dc6fa6ba4ebf96d3afb6aaf388d279084d675b23b5c2_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.11:openshift3/ose-logging-elasticsearch5@sha256:88379eab3d1e07f120b5dc6fa6ba4ebf96d3afb6aaf388d279084d675b23b5c2_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T05:50:14+00:00", "details": "See the following documentation, which will be updated shortly for release\n3.11.z, for important instructions on how to upgrade your cluster and fully\napply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258 .", "product_ids": [ "7Server-RH7-RHOSE-3.11:openshift3/ose-logging-elasticsearch5@sha256:88379eab3d1e07f120b5dc6fa6ba4ebf96d3afb6aaf388d279084d675b23b5c2_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5094" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "7Server-RH7-RHOSE-3.11:openshift3/ose-logging-elasticsearch5@sha256:88379eab3d1e07f120b5dc6fa6ba4ebf96d3afb6aaf388d279084d675b23b5c2_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-3.11:openshift3/ose-logging-elasticsearch5@sha256:88379eab3d1e07f120b5dc6fa6ba4ebf96d3afb6aaf388d279084d675b23b5c2_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2021_5129
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for OpenShift Logging 5.3.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Openshift Logging Security and Bug Fix Release (5.3.1)\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data (CVE-2021-37136)\n\n* netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5129", "url": "https://access.redhat.com/errata/RHSA-2021:5129" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "1944888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888" }, { "category": "external", "summary": "2004133", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133" }, { "category": "external", "summary": "2004135", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "LOG-1897", "url": "https://issues.redhat.com/browse/LOG-1897" }, { "category": "external", "summary": "LOG-1925", "url": "https://issues.redhat.com/browse/LOG-1925" }, { "category": "external", "summary": "LOG-1962", "url": "https://issues.redhat.com/browse/LOG-1962" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5129.json" } ], "title": "Red Hat Security Advisory: Openshift Logging security and bug update (5.3.1)", "tracking": { "current_release_date": "2024-11-21T21:14:44+00:00", "generator": { "date": "2024-11-21T21:14:44+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:5129", "initial_release_date": "2021-12-14T19:37:00+00:00", "revision_history": [ { "date": "2021-12-14T19:37:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-14T19:37:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:14:44+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "OpenShift Logging 5.3", "product": { "name": "OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3", "product_identification_helper": { "cpe": "cpe:/a:redhat:logging:5.3::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "product": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.3.1-4" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "product": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.3.1-3" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "product": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-66" } } }, { "category": "product_version", "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "product": { "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "product_id": "openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "product_identification_helper": { "purl": "pkg:oci/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/log-file-metric-exporter-rhel8\u0026tag=v1.0.0-43" } } }, { "category": "product_version", "name": "openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x", "product": { "name": "openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x", "product_id": "openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x", "product_identification_helper": { "purl": "pkg:oci/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/logging-curator5-rhel8\u0026tag=v5.8.1-46" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "product": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "product_id": "openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "product_identification_helper": { "purl": "pkg:oci/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-65" } } }, { "category": "product_version", "name": "openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "product": { "name": "openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "product_id": "openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "product_identification_helper": { "purl": "pkg:oci/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-63" } } }, { "category": "product_version", "name": "openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "product": { "name": "openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "product_id": "openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "product_identification_helper": { "purl": "pkg:oci/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-70" } } }, { "category": "product_version", "name": "openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "product": { "name": "openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "product_id": "openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "product_identification_helper": { "purl": "pkg:oci/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-73" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "product": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.3.1-4" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "product": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.3.1-3" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "product": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-66" } } }, { "category": "product_version", "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "product": { "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "product_id": "openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "product_identification_helper": { "purl": "pkg:oci/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/log-file-metric-exporter-rhel8\u0026tag=v1.0.0-43" } } }, { "category": "product_version", "name": "openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "product": { "name": "openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "product_id": "openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "product_identification_helper": { "purl": "pkg:oci/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/logging-curator5-rhel8\u0026tag=v5.8.1-46" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le", "product": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le", "product_id": "openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le", "product_identification_helper": { "purl": "pkg:oci/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-65" } } }, { "category": "product_version", "name": "openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "product": { "name": "openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "product_id": "openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "product_identification_helper": { "purl": "pkg:oci/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-63" } } }, { "category": "product_version", "name": "openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "product": { "name": "openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "product_id": "openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "product_identification_helper": { "purl": "pkg:oci/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-70" } } }, { "category": "product_version", "name": "openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "product": { "name": "openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "product_id": "openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "product_identification_helper": { "purl": "pkg:oci/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-73" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "product": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.3.1-4" } } }, { "category": "product_version", "name": "openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "product": { "name": "openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "product_id": "openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-operator-bundle\u0026tag=v5.3.1-12" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "product": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.3.1-3" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "product": { "name": "openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "product_id": "openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-operator-bundle\u0026tag=v5.3.1-12" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "product": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-66" } } }, { "category": "product_version", "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "product": { "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "product_id": "openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "product_identification_helper": { "purl": "pkg:oci/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/log-file-metric-exporter-rhel8\u0026tag=v1.0.0-43" } } }, { "category": "product_version", "name": "openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "product": { "name": "openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "product_id": "openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "product_identification_helper": { "purl": "pkg:oci/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/logging-curator5-rhel8\u0026tag=v5.8.1-46" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "product": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "product_id": "openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-65" } } }, { "category": "product_version", "name": "openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "product": { "name": "openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "product_id": "openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "product_identification_helper": { "purl": "pkg:oci/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-63" } } }, { "category": "product_version", "name": "openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "product": { "name": "openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "product_id": "openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "product_identification_helper": { "purl": "pkg:oci/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-70" } } }, { "category": "product_version", "name": "openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "product": { "name": "openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "product_id": "openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "product_identification_helper": { "purl": "pkg:oci/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-73" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64 as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64" }, "product_reference": "openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le" }, "product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x" }, "product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64 as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64" }, "product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64 as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64" }, "product_reference": "openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x" }, "product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64 as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64" }, "product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le" }, "product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le" }, "product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64 as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64" }, "product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x" }, "product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64 as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64" }, "product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x" }, "product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" }, "product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x" }, "product_reference": "openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64 as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64" }, "product_reference": "openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le" }, "product_reference": "openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le" }, "product_reference": "openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x" }, "product_reference": "openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64 as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64" }, "product_reference": "openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x" }, "product_reference": "openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le" }, "product_reference": "openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64 as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64" }, "product_reference": "openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le" }, "product_reference": "openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x" }, "product_reference": "openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64 as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64" }, "product_reference": "openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le" }, "product_reference": "openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64 as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64" }, "product_reference": "openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x as a component of OpenShift Logging 5.3", "product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x" }, "product_reference": "openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.3" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-21409", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-03-30T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1944888" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: Request smuggling via content-length header", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21409" }, { "category": "external", "summary": "RHBZ#1944888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21409", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21409" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409" }, { "category": "external", "summary": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", "url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32" } ], "release_date": "2021-03-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T19:37:00+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nFor Red Hat OpenShift Logging 5.3, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5129" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "netty: Request smuggling via content-length header" }, { "cve": "CVE-2021-37136", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-09-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2004133" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty\u0027s netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data", "title": "Vulnerability summary" }, { "category": "other", "text": "In the OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of netty-codec package. Since the release of OCP 4.6, the Metering product has been deprecated [1], so the affected components are marked as wontfix. This may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37136" }, { "category": "external", "summary": "RHBZ#2004133", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37136", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37136" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136" }, { "category": "external", "summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", "url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv" } ], "release_date": "2021-09-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T19:37:00+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nFor Red Hat OpenShift Logging 5.3, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5129" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data" }, { "cve": "CVE-2021-37137", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-09-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2004135" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Netty\u0027s netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could cause excessive memory usage resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37137" }, { "category": "external", "summary": "RHBZ#2004135", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37137", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37137" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137" }, { "category": "external", "summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", "url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv" } ], "release_date": "2021-09-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T19:37:00+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nFor Red Hat OpenShift Logging 5.3, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5129" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T19:37:00+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nFor Red Hat OpenShift Logging 5.3, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5129" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T19:37:00+00:00", "details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nFor Red Hat OpenShift Logging 5.3, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5129" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x", "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2021_5107
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.7.40 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5107", "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5107.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.7.40 security update", "tracking": { "current_release_date": "2024-11-21T21:15:25+00:00", "generator": { "date": "2024-11-21T21:15:25+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:5107", "initial_release_date": "2021-12-16T15:00:19+00:00", "revision_history": [ { "date": "2021-12-16T15:00:19+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T15:00:19+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:15:25+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.7", "product": { "name": "Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.7::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "product": { "name": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "product_id": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hadoop\u0026tag=v4.7.0-202112150631.p0.g6046504.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "product_id": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.7.0-202112140553.p0.g091bb99.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1" } } }, { "category": "product_version", "name": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "product": { "name": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "product_id": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-presto\u0026tag=v4.7.0-202112150631.p0.gd502108.assembly.4.7.40" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" }, "product_reference": "openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" }, "product_reference": "openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T15:00:19+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T15:00:19+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T15:00:19+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:665d34bc3e69cda3c37699051cfee983cf14f6d5f67d56d949652230937dcc90_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:5a2aa59c1c7a1423ec5fa39eabfc0dfa41cea0db82c9fc1f5c2ce9923ee792f4_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop@sha256:03a4dd392453720b3950efa522682f5d07938c4d36e4269658c5a555afa403e7_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:3ae0917ca765603722b54a392bc5f1edc6c41b6c7d4c5eca95ed99c1d8af3d1c_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-presto@sha256:795baa6f38910a8c35d179b8449cd8df3ad7644b9a0a13dad8407519902037e9_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2022_0216
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.\n\nSecurity Fix(es):\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0216", "url": "https://access.redhat.com/errata/RHSA-2022:0216" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://access.redhat.com/solutions/6577421", "url": "https://access.redhat.com/solutions/6577421" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0216.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update", "tracking": { "current_release_date": "2024-11-15T10:44:01+00:00", "generator": { "date": "2024-11-15T10:44:01+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0216", "initial_release_date": "2022-01-20T16:00:06+00:00", "revision_history": [ { "date": "2022-01-20T16:00:06+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-20T16:00:06+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T10:44:01+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 7.4 log4j async", "product": { "name": "EAP 7.4 log4j async", "product_id": "EAP 7.4 log4j async", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T16:00:06+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0216" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T16:00:06+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0216" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T16:00:06+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0216" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" } ] }
rhsa-2022_0205
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for Red Hat Data Grid is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 8.2.3 replaces Data Grid 8.2.2 and includes bug fixes and enhancements. Find out more about Data Grid 8.2.3 in the Release Notes [3].\n\nSecurity Fix(es):\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0205", "url": "https://access.redhat.com/errata/RHSA-2022:0205" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=data.grid\u0026version=8.2", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=data.grid\u0026version=8.2" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html-single/red_hat_data_grid_8.2_release_notes/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html-single/red_hat_data_grid_8.2_release_notes/index" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0205.json" } ], "title": "Red Hat Security Advisory: Red Hat Data Grid 8.2.3 security update", "tracking": { "current_release_date": "2024-11-15T10:44:10+00:00", "generator": { "date": "2024-11-15T10:44:10+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0205", "initial_release_date": "2022-01-20T11:39:58+00:00", "revision_history": [ { "date": "2022-01-20T11:39:58+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-20T11:39:58+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T10:44:10+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Data Grid 8.2.3", "product": { "name": "Red Hat Data Grid 8.2.3", "product_id": "Red Hat Data Grid 8.2.3", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_grid:8.2" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Grid" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 8.2.3" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T11:39:58+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 8.2.3 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.2.3 server patch. Refer to the 8.2.3 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 8.2.3" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0205" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "Red Hat Data Grid 8.2.3" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 8.2.3" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 8.2.3" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T11:39:58+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 8.2.3 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.2.3 server patch. Refer to the 8.2.3 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 8.2.3" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0205" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "Red Hat Data Grid 8.2.3" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 8.2.3" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 8.2.3" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T11:39:58+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 8.2.3 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.2.3 server patch. Refer to the 8.2.3 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 8.2.3" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0205" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "Red Hat Data Grid 8.2.3" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 8.2.3" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" } ] }
rhsa-2021_5106
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat OpenShift Container Platform 4.6.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5106", "url": "https://access.redhat.com/errata/RHSA-2021:5106" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5106.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.6.z security update", "tracking": { "current_release_date": "2024-11-21T21:15:19+00:00", "generator": { "date": "2024-11-21T21:15:19+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:5106", "initial_release_date": "2021-12-16T06:12:27+00:00", "revision_history": [ { "date": "2021-12-16T06:12:27+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T06:12:27+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:15:19+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.6", "product": { "name": "Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.6::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-elasticsearch-operator@sha256:d0916cd9a19901ff6c8b24f0f27db9e9f9322f8fc6eb9e773c4b43fe98800416_s390x", "product": { "name": "openshift4/ose-elasticsearch-operator@sha256:d0916cd9a19901ff6c8b24f0f27db9e9f9322f8fc6eb9e773c4b43fe98800416_s390x", "product_id": "openshift4/ose-elasticsearch-operator@sha256:d0916cd9a19901ff6c8b24f0f27db9e9f9322f8fc6eb9e773c4b43fe98800416_s390x", "product_identification_helper": { "purl": "pkg:oci/ose-elasticsearch-operator@sha256:d0916cd9a19901ff6c8b24f0f27db9e9f9322f8fc6eb9e773c4b43fe98800416?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-elasticsearch-operator\u0026tag=v4.6.0-202112140939.p0.gd421c69.assembly.art3594" } } }, { "category": "product_version", "name": "openshift4/ose-logging-elasticsearch6@sha256:416510e6e489dfb1ab1f0b2091015dcb0adac637ed37f1e18d30f128c45b93d2_s390x", "product": { "name": "openshift4/ose-logging-elasticsearch6@sha256:416510e6e489dfb1ab1f0b2091015dcb0adac637ed37f1e18d30f128c45b93d2_s390x", "product_id": "openshift4/ose-logging-elasticsearch6@sha256:416510e6e489dfb1ab1f0b2091015dcb0adac637ed37f1e18d30f128c45b93d2_s390x", "product_identification_helper": { "purl": "pkg:oci/ose-logging-elasticsearch6@sha256:416510e6e489dfb1ab1f0b2091015dcb0adac637ed37f1e18d30f128c45b93d2?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-logging-elasticsearch6\u0026tag=v4.6.0-202112132021.p0.g2a13a81.assembly.stream" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-elasticsearch-operator@sha256:dfd7356ce68d9ff2498655c07b7d700872185597c0c2855d6721acb2ae5e6b5c_ppc64le", "product": { "name": "openshift4/ose-elasticsearch-operator@sha256:dfd7356ce68d9ff2498655c07b7d700872185597c0c2855d6721acb2ae5e6b5c_ppc64le", "product_id": "openshift4/ose-elasticsearch-operator@sha256:dfd7356ce68d9ff2498655c07b7d700872185597c0c2855d6721acb2ae5e6b5c_ppc64le", "product_identification_helper": { "purl": "pkg:oci/ose-elasticsearch-operator@sha256:dfd7356ce68d9ff2498655c07b7d700872185597c0c2855d6721acb2ae5e6b5c?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift4/ose-elasticsearch-operator\u0026tag=v4.6.0-202112140939.p0.gd421c69.assembly.art3594" } } }, { "category": "product_version", "name": "openshift4/ose-logging-elasticsearch6@sha256:ebc6a802dc110dddaae352c3a142fbeae1169d5c35fc0f77ef7e64b810c863af_ppc64le", "product": { "name": "openshift4/ose-logging-elasticsearch6@sha256:ebc6a802dc110dddaae352c3a142fbeae1169d5c35fc0f77ef7e64b810c863af_ppc64le", "product_id": "openshift4/ose-logging-elasticsearch6@sha256:ebc6a802dc110dddaae352c3a142fbeae1169d5c35fc0f77ef7e64b810c863af_ppc64le", "product_identification_helper": { "purl": "pkg:oci/ose-logging-elasticsearch6@sha256:ebc6a802dc110dddaae352c3a142fbeae1169d5c35fc0f77ef7e64b810c863af?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift4/ose-logging-elasticsearch6\u0026tag=v4.6.0-202112132021.p0.g2a13a81.assembly.stream" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-elasticsearch-operator@sha256:8db02b3087c2c89bafaf6896d67462af54e77ba3c2fb299a84ab7886f1b92ce1_amd64", "product": { "name": "openshift4/ose-elasticsearch-operator@sha256:8db02b3087c2c89bafaf6896d67462af54e77ba3c2fb299a84ab7886f1b92ce1_amd64", "product_id": "openshift4/ose-elasticsearch-operator@sha256:8db02b3087c2c89bafaf6896d67462af54e77ba3c2fb299a84ab7886f1b92ce1_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-elasticsearch-operator@sha256:8db02b3087c2c89bafaf6896d67462af54e77ba3c2fb299a84ab7886f1b92ce1?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-elasticsearch-operator\u0026tag=v4.6.0-202112140939.p0.gd421c69.assembly.art3594" } } }, { "category": "product_version", "name": "openshift4/ose-elasticsearch-operator-bundle@sha256:b0b6c17769c6ec87496d14b2bcfbfbd035782671bbf6e6934dc2f240f1033902_amd64", "product": { "name": "openshift4/ose-elasticsearch-operator-bundle@sha256:b0b6c17769c6ec87496d14b2bcfbfbd035782671bbf6e6934dc2f240f1033902_amd64", "product_id": "openshift4/ose-elasticsearch-operator-bundle@sha256:b0b6c17769c6ec87496d14b2bcfbfbd035782671bbf6e6934dc2f240f1033902_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-elasticsearch-operator-bundle@sha256:b0b6c17769c6ec87496d14b2bcfbfbd035782671bbf6e6934dc2f240f1033902?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-elasticsearch-operator-bundle\u0026tag=v4.6.0.202112140939.p0.gd421c69.assembly.art3594-1" } } }, { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:2a8670a968b37e04539c052b399e539d60a006bdf4e46d5066bc04530da8f532_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:2a8670a968b37e04539c052b399e539d60a006bdf4e46d5066bc04530da8f532_amd64", "product_id": "openshift4/ose-metering-hive@sha256:2a8670a968b37e04539c052b399e539d60a006bdf4e46d5066bc04530da8f532_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:2a8670a968b37e04539c052b399e539d60a006bdf4e46d5066bc04530da8f532?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.6.0-202112140546.p0.g8b9da97.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-logging-elasticsearch6@sha256:8b0d423982c960d81f8e1ade8482ba064507863283aec360ac63f31f0ffdb24f_amd64", "product": { "name": "openshift4/ose-logging-elasticsearch6@sha256:8b0d423982c960d81f8e1ade8482ba064507863283aec360ac63f31f0ffdb24f_amd64", "product_id": "openshift4/ose-logging-elasticsearch6@sha256:8b0d423982c960d81f8e1ade8482ba064507863283aec360ac63f31f0ffdb24f_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-logging-elasticsearch6@sha256:8b0d423982c960d81f8e1ade8482ba064507863283aec360ac63f31f0ffdb24f?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-logging-elasticsearch6\u0026tag=v4.6.0-202112132021.p0.g2a13a81.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:fc3a7d606162c571647e0a4f6184091eddc1fe360e93d7692d1195559a7a74db_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:fc3a7d606162c571647e0a4f6184091eddc1fe360e93d7692d1195559a7a74db_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:fc3a7d606162c571647e0a4f6184091eddc1fe360e93d7692d1195559a7a74db_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:fc3a7d606162c571647e0a4f6184091eddc1fe360e93d7692d1195559a7a74db?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.6.0-202112140831.p0.gd74112d.assembly.art3594" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:7c67b7bcdc6e35f38905aff84f007a2b77c727836f256a0c038934ab62c7011e_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:7c67b7bcdc6e35f38905aff84f007a2b77c727836f256a0c038934ab62c7011e_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:7c67b7bcdc6e35f38905aff84f007a2b77c727836f256a0c038934ab62c7011e_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:7c67b7bcdc6e35f38905aff84f007a2b77c727836f256a0c038934ab62c7011e?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.6.0.202112140831.p0.gd74112d.assembly.art3594-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-elasticsearch-operator-bundle@sha256:b0b6c17769c6ec87496d14b2bcfbfbd035782671bbf6e6934dc2f240f1033902_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator-bundle@sha256:b0b6c17769c6ec87496d14b2bcfbfbd035782671bbf6e6934dc2f240f1033902_amd64" }, "product_reference": "openshift4/ose-elasticsearch-operator-bundle@sha256:b0b6c17769c6ec87496d14b2bcfbfbd035782671bbf6e6934dc2f240f1033902_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-elasticsearch-operator@sha256:8db02b3087c2c89bafaf6896d67462af54e77ba3c2fb299a84ab7886f1b92ce1_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:8db02b3087c2c89bafaf6896d67462af54e77ba3c2fb299a84ab7886f1b92ce1_amd64" }, "product_reference": "openshift4/ose-elasticsearch-operator@sha256:8db02b3087c2c89bafaf6896d67462af54e77ba3c2fb299a84ab7886f1b92ce1_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-elasticsearch-operator@sha256:d0916cd9a19901ff6c8b24f0f27db9e9f9322f8fc6eb9e773c4b43fe98800416_s390x as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:d0916cd9a19901ff6c8b24f0f27db9e9f9322f8fc6eb9e773c4b43fe98800416_s390x" }, "product_reference": "openshift4/ose-elasticsearch-operator@sha256:d0916cd9a19901ff6c8b24f0f27db9e9f9322f8fc6eb9e773c4b43fe98800416_s390x", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-elasticsearch-operator@sha256:dfd7356ce68d9ff2498655c07b7d700872185597c0c2855d6721acb2ae5e6b5c_ppc64le as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:dfd7356ce68d9ff2498655c07b7d700872185597c0c2855d6721acb2ae5e6b5c_ppc64le" }, "product_reference": "openshift4/ose-elasticsearch-operator@sha256:dfd7356ce68d9ff2498655c07b7d700872185597c0c2855d6721acb2ae5e6b5c_ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-elasticsearch6@sha256:416510e6e489dfb1ab1f0b2091015dcb0adac637ed37f1e18d30f128c45b93d2_s390x as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:416510e6e489dfb1ab1f0b2091015dcb0adac637ed37f1e18d30f128c45b93d2_s390x" }, "product_reference": "openshift4/ose-logging-elasticsearch6@sha256:416510e6e489dfb1ab1f0b2091015dcb0adac637ed37f1e18d30f128c45b93d2_s390x", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-elasticsearch6@sha256:8b0d423982c960d81f8e1ade8482ba064507863283aec360ac63f31f0ffdb24f_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:8b0d423982c960d81f8e1ade8482ba064507863283aec360ac63f31f0ffdb24f_amd64" }, "product_reference": "openshift4/ose-logging-elasticsearch6@sha256:8b0d423982c960d81f8e1ade8482ba064507863283aec360ac63f31f0ffdb24f_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-logging-elasticsearch6@sha256:ebc6a802dc110dddaae352c3a142fbeae1169d5c35fc0f77ef7e64b810c863af_ppc64le as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:ebc6a802dc110dddaae352c3a142fbeae1169d5c35fc0f77ef7e64b810c863af_ppc64le" }, "product_reference": "openshift4/ose-logging-elasticsearch6@sha256:ebc6a802dc110dddaae352c3a142fbeae1169d5c35fc0f77ef7e64b810c863af_ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:7c67b7bcdc6e35f38905aff84f007a2b77c727836f256a0c038934ab62c7011e_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:7c67b7bcdc6e35f38905aff84f007a2b77c727836f256a0c038934ab62c7011e_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:7c67b7bcdc6e35f38905aff84f007a2b77c727836f256a0c038934ab62c7011e_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:fc3a7d606162c571647e0a4f6184091eddc1fe360e93d7692d1195559a7a74db_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:fc3a7d606162c571647e0a4f6184091eddc1fe360e93d7692d1195559a7a74db_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:fc3a7d606162c571647e0a4f6184091eddc1fe360e93d7692d1195559a7a74db_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:2a8670a968b37e04539c052b399e539d60a006bdf4e46d5066bc04530da8f532_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2a8670a968b37e04539c052b399e539d60a006bdf4e46d5066bc04530da8f532_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:2a8670a968b37e04539c052b399e539d60a006bdf4e46d5066bc04530da8f532_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator-bundle@sha256:b0b6c17769c6ec87496d14b2bcfbfbd035782671bbf6e6934dc2f240f1033902_amd64", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:8db02b3087c2c89bafaf6896d67462af54e77ba3c2fb299a84ab7886f1b92ce1_amd64", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:d0916cd9a19901ff6c8b24f0f27db9e9f9322f8fc6eb9e773c4b43fe98800416_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:dfd7356ce68d9ff2498655c07b7d700872185597c0c2855d6721acb2ae5e6b5c_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:7c67b7bcdc6e35f38905aff84f007a2b77c727836f256a0c038934ab62c7011e_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:fc3a7d606162c571647e0a4f6184091eddc1fe360e93d7692d1195559a7a74db_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:416510e6e489dfb1ab1f0b2091015dcb0adac637ed37f1e18d30f128c45b93d2_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:8b0d423982c960d81f8e1ade8482ba064507863283aec360ac63f31f0ffdb24f_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:ebc6a802dc110dddaae352c3a142fbeae1169d5c35fc0f77ef7e64b810c863af_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2a8670a968b37e04539c052b399e539d60a006bdf4e46d5066bc04530da8f532_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator-bundle@sha256:b0b6c17769c6ec87496d14b2bcfbfbd035782671bbf6e6934dc2f240f1033902_amd64", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:8db02b3087c2c89bafaf6896d67462af54e77ba3c2fb299a84ab7886f1b92ce1_amd64", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:d0916cd9a19901ff6c8b24f0f27db9e9f9322f8fc6eb9e773c4b43fe98800416_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:dfd7356ce68d9ff2498655c07b7d700872185597c0c2855d6721acb2ae5e6b5c_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:7c67b7bcdc6e35f38905aff84f007a2b77c727836f256a0c038934ab62c7011e_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:fc3a7d606162c571647e0a4f6184091eddc1fe360e93d7692d1195559a7a74db_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T06:12:27+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:416510e6e489dfb1ab1f0b2091015dcb0adac637ed37f1e18d30f128c45b93d2_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:8b0d423982c960d81f8e1ade8482ba064507863283aec360ac63f31f0ffdb24f_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:ebc6a802dc110dddaae352c3a142fbeae1169d5c35fc0f77ef7e64b810c863af_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2a8670a968b37e04539c052b399e539d60a006bdf4e46d5066bc04530da8f532_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5106" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator-bundle@sha256:b0b6c17769c6ec87496d14b2bcfbfbd035782671bbf6e6934dc2f240f1033902_amd64", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:8db02b3087c2c89bafaf6896d67462af54e77ba3c2fb299a84ab7886f1b92ce1_amd64", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:d0916cd9a19901ff6c8b24f0f27db9e9f9322f8fc6eb9e773c4b43fe98800416_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:dfd7356ce68d9ff2498655c07b7d700872185597c0c2855d6721acb2ae5e6b5c_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:416510e6e489dfb1ab1f0b2091015dcb0adac637ed37f1e18d30f128c45b93d2_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:8b0d423982c960d81f8e1ade8482ba064507863283aec360ac63f31f0ffdb24f_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:ebc6a802dc110dddaae352c3a142fbeae1169d5c35fc0f77ef7e64b810c863af_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:7c67b7bcdc6e35f38905aff84f007a2b77c727836f256a0c038934ab62c7011e_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:fc3a7d606162c571647e0a4f6184091eddc1fe360e93d7692d1195559a7a74db_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2a8670a968b37e04539c052b399e539d60a006bdf4e46d5066bc04530da8f532_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:416510e6e489dfb1ab1f0b2091015dcb0adac637ed37f1e18d30f128c45b93d2_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:8b0d423982c960d81f8e1ade8482ba064507863283aec360ac63f31f0ffdb24f_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:ebc6a802dc110dddaae352c3a142fbeae1169d5c35fc0f77ef7e64b810c863af_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2a8670a968b37e04539c052b399e539d60a006bdf4e46d5066bc04530da8f532_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator-bundle@sha256:b0b6c17769c6ec87496d14b2bcfbfbd035782671bbf6e6934dc2f240f1033902_amd64", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:8db02b3087c2c89bafaf6896d67462af54e77ba3c2fb299a84ab7886f1b92ce1_amd64", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:d0916cd9a19901ff6c8b24f0f27db9e9f9322f8fc6eb9e773c4b43fe98800416_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:dfd7356ce68d9ff2498655c07b7d700872185597c0c2855d6721acb2ae5e6b5c_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:7c67b7bcdc6e35f38905aff84f007a2b77c727836f256a0c038934ab62c7011e_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:fc3a7d606162c571647e0a4f6184091eddc1fe360e93d7692d1195559a7a74db_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:416510e6e489dfb1ab1f0b2091015dcb0adac637ed37f1e18d30f128c45b93d2_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:8b0d423982c960d81f8e1ade8482ba064507863283aec360ac63f31f0ffdb24f_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:ebc6a802dc110dddaae352c3a142fbeae1169d5c35fc0f77ef7e64b810c863af_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2a8670a968b37e04539c052b399e539d60a006bdf4e46d5066bc04530da8f532_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator-bundle@sha256:b0b6c17769c6ec87496d14b2bcfbfbd035782671bbf6e6934dc2f240f1033902_amd64", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:8db02b3087c2c89bafaf6896d67462af54e77ba3c2fb299a84ab7886f1b92ce1_amd64", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:d0916cd9a19901ff6c8b24f0f27db9e9f9322f8fc6eb9e773c4b43fe98800416_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:dfd7356ce68d9ff2498655c07b7d700872185597c0c2855d6721acb2ae5e6b5c_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:7c67b7bcdc6e35f38905aff84f007a2b77c727836f256a0c038934ab62c7011e_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:fc3a7d606162c571647e0a4f6184091eddc1fe360e93d7692d1195559a7a74db_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T06:12:27+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:416510e6e489dfb1ab1f0b2091015dcb0adac637ed37f1e18d30f128c45b93d2_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:8b0d423982c960d81f8e1ade8482ba064507863283aec360ac63f31f0ffdb24f_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:ebc6a802dc110dddaae352c3a142fbeae1169d5c35fc0f77ef7e64b810c863af_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2a8670a968b37e04539c052b399e539d60a006bdf4e46d5066bc04530da8f532_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5106" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator-bundle@sha256:b0b6c17769c6ec87496d14b2bcfbfbd035782671bbf6e6934dc2f240f1033902_amd64", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:8db02b3087c2c89bafaf6896d67462af54e77ba3c2fb299a84ab7886f1b92ce1_amd64", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:d0916cd9a19901ff6c8b24f0f27db9e9f9322f8fc6eb9e773c4b43fe98800416_s390x", "8Base-RHOSE-4.6:openshift4/ose-elasticsearch-operator@sha256:dfd7356ce68d9ff2498655c07b7d700872185597c0c2855d6721acb2ae5e6b5c_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:416510e6e489dfb1ab1f0b2091015dcb0adac637ed37f1e18d30f128c45b93d2_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:8b0d423982c960d81f8e1ade8482ba064507863283aec360ac63f31f0ffdb24f_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:ebc6a802dc110dddaae352c3a142fbeae1169d5c35fc0f77ef7e64b810c863af_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:7c67b7bcdc6e35f38905aff84f007a2b77c727836f256a0c038934ab62c7011e_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:fc3a7d606162c571647e0a4f6184091eddc1fe360e93d7692d1195559a7a74db_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2a8670a968b37e04539c052b399e539d60a006bdf4e46d5066bc04530da8f532_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:416510e6e489dfb1ab1f0b2091015dcb0adac637ed37f1e18d30f128c45b93d2_s390x", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:8b0d423982c960d81f8e1ade8482ba064507863283aec360ac63f31f0ffdb24f_amd64", "8Base-RHOSE-4.6:openshift4/ose-logging-elasticsearch6@sha256:ebc6a802dc110dddaae352c3a142fbeae1169d5c35fc0f77ef7e64b810c863af_ppc64le", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2a8670a968b37e04539c052b399e539d60a006bdf4e46d5066bc04530da8f532_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2022_0138
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat AMQ Streams 2.0.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 2.0.0 serves as a replacement for Red Hat AMQ Streams 1.8.4, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n\n* jetty: crafted URIs allow bypassing security constraints (CVE-2021-34429)\n\n* netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data (CVE-2021-37136)\n\n* netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)\n\n* Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients (CVE-2021-38153)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0138", "url": "https://access.redhat.com/errata/RHSA-2022:0138" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.streams\u0026version=2.0.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.streams\u0026version=2.0.0" }, { "category": "external", "summary": "1985223", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1985223" }, { "category": "external", "summary": "2004133", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133" }, { "category": "external", "summary": "2004135", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135" }, { "category": "external", "summary": "2009041", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2009041" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0138.json" } ], "title": "Red Hat Security Advisory: Red Hat AMQ Streams 2.0.0 release and security update", "tracking": { "current_release_date": "2024-11-15T10:43:22+00:00", "generator": { "date": "2024-11-15T10:43:22+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0138", "initial_release_date": "2022-01-13T15:25:07+00:00", "revision_history": [ { "date": "2022-01-13T15:25:07+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-13T15:25:08+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T10:43:22+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat AMQ Streams 2.0.0", "product": { "name": "Red Hat AMQ Streams 2.0.0", "product_id": "Red Hat AMQ Streams 2.0.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:amq_streams:2" } } } ], "category": "product_family", "name": "Red Hat JBoss AMQ" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-34429", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2021-07-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1985223" } ], "notes": [ { "category": "description", "text": "For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 \u0026 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.", "title": "Vulnerability description" }, { "category": "summary", "text": "jetty: crafted URIs allow bypassing security constraints", "title": "Vulnerability summary" }, { "category": "other", "text": "OCP 3.11 is out of the support scope for Moderate and Low impact vulnerabilities because is already in the Maintenance Support phase, hence the affected OCP 3.11 component has been marked as \"ooss\".\n\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 2.0.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-34429" }, { "category": "external", "summary": "RHBZ#1985223", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1985223" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-34429", "url": "https://www.cve.org/CVERecord?id=CVE-2021-34429" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-34429", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34429" } ], "release_date": "2021-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-13T15:25:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 2.0.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0138" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 2.0.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jetty: crafted URIs allow bypassing security constraints" }, { "cve": "CVE-2021-37136", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-09-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2004133" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty\u0027s netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data", "title": "Vulnerability summary" }, { "category": "other", "text": "In the OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of netty-codec package. Since the release of OCP 4.6, the Metering product has been deprecated [1], so the affected components are marked as wontfix. This may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 2.0.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37136" }, { "category": "external", "summary": "RHBZ#2004133", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37136", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37136" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136" }, { "category": "external", "summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", "url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv" } ], "release_date": "2021-09-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-13T15:25:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 2.0.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0138" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 2.0.0" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data" }, { "cve": "CVE-2021-37137", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-09-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2004135" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Netty\u0027s netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could cause excessive memory usage resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 2.0.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37137" }, { "category": "external", "summary": "RHBZ#2004135", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37137", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37137" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137" }, { "category": "external", "summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", "url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv" } ], "release_date": "2021-09-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-13T15:25:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 2.0.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0138" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 2.0.0" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way" }, { "cve": "CVE-2021-38153", "cwe": { "id": "CWE-367", "name": "Time-of-check Time-of-use (TOCTOU) Race Condition" }, "discovery_date": "2021-09-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2009041" } ], "notes": [ { "category": "description", "text": "Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.", "title": "Vulnerability description" }, { "category": "summary", "text": "Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 2.0.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-38153" }, { "category": "external", "summary": "RHBZ#2009041", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2009041" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-38153", "url": "https://www.cve.org/CVERecord?id=CVE-2021-38153" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-38153", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38153" } ], "release_date": "2021-09-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-13T15:25:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 2.0.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0138" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 2.0.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 2.0.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-13T15:25:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 2.0.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0138" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "Red Hat AMQ Streams 2.0.0" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 2.0.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 2.0.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-13T15:25:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 2.0.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0138" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "Red Hat AMQ Streams 2.0.0" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 2.0.0" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2022_0203
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A micro version update for Fuse 7.8, 7.9, and 7.10 is now available for Red Hat Fuse on Karaf and Red Hat Fuse on Spring Boot. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "The releases of Red Hat Fuse 7.8.2, 7.9.1 and 7.10.1 serve as a patch to Red Hat Fuse on Karaf and Red Hat Fuse on Spring Boot and includes security fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0203", "url": "https://access.redhat.com/errata/RHSA-2022:0203" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=7.08.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=7.08.0" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=7.09.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=7.09.0" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=7.10.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=7.10.0" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0203.json" } ], "title": "Red Hat Security Advisory: Red Hat Fuse 7.8-7.10 security update", "tracking": { "current_release_date": "2024-11-21T21:15:40+00:00", "generator": { "date": "2024-11-21T21:15:40+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0203", "initial_release_date": "2022-01-20T09:26:34+00:00", "revision_history": [ { "date": "2022-01-20T09:26:34+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-20T09:26:34+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:15:40+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1", "product": { "name": "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1", "product_id": "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_fuse:7" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T09:26:34+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse product documentation pages:\n\nFuse 7.8:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/installing_on_apache_karaf/apply-hotfix-patch\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/deploying_into_spring_boot/patch-red-hat-fuse-applications\n\nFuse 7.9:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/installing_on_apache_karaf/apply-hotfix-patch\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/deploying_into_spring_boot/patch-red-hat-fuse-applications\n\nFuse 7.10:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/installing_on_apache_karaf/apply-hotfix-patch\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/deploying_into_spring_boot/patch-red-hat-fuse-applications", "product_ids": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0203" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T09:26:34+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse product documentation pages:\n\nFuse 7.8:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/installing_on_apache_karaf/apply-hotfix-patch\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/deploying_into_spring_boot/patch-red-hat-fuse-applications\n\nFuse 7.9:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/installing_on_apache_karaf/apply-hotfix-patch\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/deploying_into_spring_boot/patch-red-hat-fuse-applications\n\nFuse 7.10:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/installing_on_apache_karaf/apply-hotfix-patch\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/deploying_into_spring_boot/patch-red-hat-fuse-applications", "product_ids": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0203" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T09:26:34+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse product documentation pages:\n\nFuse 7.8:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/installing_on_apache_karaf/apply-hotfix-patch\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/deploying_into_spring_boot/patch-red-hat-fuse-applications\n\nFuse 7.9:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/installing_on_apache_karaf/apply-hotfix-patch\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/deploying_into_spring_boot/patch-red-hat-fuse-applications\n\nFuse 7.10:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/installing_on_apache_karaf/apply-hotfix-patch\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/deploying_into_spring_boot/patch-red-hat-fuse-applications", "product_ids": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0203" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T09:26:34+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse product documentation pages:\n\nFuse 7.8:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/installing_on_apache_karaf/apply-hotfix-patch\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/deploying_into_spring_boot/patch-red-hat-fuse-applications\n\nFuse 7.9:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/installing_on_apache_karaf/apply-hotfix-patch\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/html/deploying_into_spring_boot/patch-red-hat-fuse-applications\n\nFuse 7.10:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/installing_on_apache_karaf/apply-hotfix-patch\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/html/deploying_into_spring_boot/patch-red-hat-fuse-applications", "product_ids": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0203" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.8.2, 7.9.1, 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" } ] }
rhsa-2021_5108
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.8.z is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact\nof Critical. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an\nattacker-controlled string value (CVE-2021-44228)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s)\nlisted in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5108", "url": "https://access.redhat.com/errata/RHSA-2021:5108" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5108.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.8.z security update", "tracking": { "current_release_date": "2024-11-21T21:14:36+00:00", "generator": { "date": "2024-11-21T21:14:36+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:5108", "initial_release_date": "2021-12-14T15:09:31+00:00", "revision_history": [ { "date": "2021-12-14T15:09:31+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-14T15:09:31+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:14:36+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.8", "product": { "name": "Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.8::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:7518a86bfa6ccd14de18dcd833fa9dfee36a3707e70e9ffa2218264bac6e7794_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:7518a86bfa6ccd14de18dcd833fa9dfee36a3707e70e9ffa2218264bac6e7794_amd64", "product_id": "openshift4/ose-metering-hive@sha256:7518a86bfa6ccd14de18dcd833fa9dfee36a3707e70e9ffa2218264bac6e7794_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:7518a86bfa6ccd14de18dcd833fa9dfee36a3707e70e9ffa2218264bac6e7794?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.8.0-202112132154.p0.g57dd03a.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:bae1a96311e2cac42a709789181bef11f7edf3b8c8feccbbc55552c2c14ea80d_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:bae1a96311e2cac42a709789181bef11f7edf3b8c8feccbbc55552c2c14ea80d_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:bae1a96311e2cac42a709789181bef11f7edf3b8c8feccbbc55552c2c14ea80d_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:bae1a96311e2cac42a709789181bef11f7edf3b8c8feccbbc55552c2c14ea80d?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.8.0-202112132154.p0.g0d7ecfb.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:3b7c190204a5ffb038b60b80e2096a7fab508dfeafdafeff71e755802265e70a_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:3b7c190204a5ffb038b60b80e2096a7fab508dfeafdafeff71e755802265e70a_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:3b7c190204a5ffb038b60b80e2096a7fab508dfeafdafeff71e755802265e70a_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:3b7c190204a5ffb038b60b80e2096a7fab508dfeafdafeff71e755802265e70a?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.8.0.202112132154.p0.g0d7ecfb.assembly.stream-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:3b7c190204a5ffb038b60b80e2096a7fab508dfeafdafeff71e755802265e70a_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:3b7c190204a5ffb038b60b80e2096a7fab508dfeafdafeff71e755802265e70a_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:3b7c190204a5ffb038b60b80e2096a7fab508dfeafdafeff71e755802265e70a_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:bae1a96311e2cac42a709789181bef11f7edf3b8c8feccbbc55552c2c14ea80d_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:bae1a96311e2cac42a709789181bef11f7edf3b8c8feccbbc55552c2c14ea80d_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:bae1a96311e2cac42a709789181bef11f7edf3b8c8feccbbc55552c2c14ea80d_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:7518a86bfa6ccd14de18dcd833fa9dfee36a3707e70e9ffa2218264bac6e7794_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:7518a86bfa6ccd14de18dcd833fa9dfee36a3707e70e9ffa2218264bac6e7794_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:7518a86bfa6ccd14de18dcd833fa9dfee36a3707e70e9ffa2218264bac6e7794_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:3b7c190204a5ffb038b60b80e2096a7fab508dfeafdafeff71e755802265e70a_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:bae1a96311e2cac42a709789181bef11f7edf3b8c8feccbbc55552c2c14ea80d_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:7518a86bfa6ccd14de18dcd833fa9dfee36a3707e70e9ffa2218264bac6e7794_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:3b7c190204a5ffb038b60b80e2096a7fab508dfeafdafeff71e755802265e70a_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:bae1a96311e2cac42a709789181bef11f7edf3b8c8feccbbc55552c2c14ea80d_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T15:09:31+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:7518a86bfa6ccd14de18dcd833fa9dfee36a3707e70e9ffa2218264bac6e7794_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5108" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:3b7c190204a5ffb038b60b80e2096a7fab508dfeafdafeff71e755802265e70a_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:bae1a96311e2cac42a709789181bef11f7edf3b8c8feccbbc55552c2c14ea80d_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:7518a86bfa6ccd14de18dcd833fa9dfee36a3707e70e9ffa2218264bac6e7794_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:7518a86bfa6ccd14de18dcd833fa9dfee36a3707e70e9ffa2218264bac6e7794_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:3b7c190204a5ffb038b60b80e2096a7fab508dfeafdafeff71e755802265e70a_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:bae1a96311e2cac42a709789181bef11f7edf3b8c8feccbbc55552c2c14ea80d_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:7518a86bfa6ccd14de18dcd833fa9dfee36a3707e70e9ffa2218264bac6e7794_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:3b7c190204a5ffb038b60b80e2096a7fab508dfeafdafeff71e755802265e70a_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:bae1a96311e2cac42a709789181bef11f7edf3b8c8feccbbc55552c2c14ea80d_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T15:09:31+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:7518a86bfa6ccd14de18dcd833fa9dfee36a3707e70e9ffa2218264bac6e7794_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5108" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:3b7c190204a5ffb038b60b80e2096a7fab508dfeafdafeff71e755802265e70a_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:bae1a96311e2cac42a709789181bef11f7edf3b8c8feccbbc55552c2c14ea80d_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:7518a86bfa6ccd14de18dcd833fa9dfee36a3707e70e9ffa2218264bac6e7794_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:7518a86bfa6ccd14de18dcd833fa9dfee36a3707e70e9ffa2218264bac6e7794_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2021_5141
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.6.52 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact\nof Critical. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5141", "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5141.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.6.52 security update", "tracking": { "current_release_date": "2024-11-21T21:15:23+00:00", "generator": { "date": "2024-11-21T21:15:23+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:5141", "initial_release_date": "2021-12-16T07:50:00+00:00", "revision_history": [ { "date": "2021-12-16T07:50:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T07:50:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:15:23+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.6", "product": { "name": "Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.6::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "product": { "name": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "product_id": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hadoop\u0026tag=v4.6.0-202112150545.p0.gf381145.assembly.art3595" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.6.0-202112150545.p0.gd74112d.assembly.art3595" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.6.0.202112150545.p0.gd74112d.assembly.art3595-1" } } }, { "category": "product_version", "name": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "product": { "name": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "product_id": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-presto\u0026tag=v4.6.0-202112150545.p0.g190688a.assembly.art3595" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" }, "product_reference": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" }, "product_reference": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T07:50:00+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T07:50:00+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T07:50:00+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2022_0222
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update to Red Hat Integration Camel Extensions for Quarkus 2.2 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n\nRed Hat Product Security has rated this update as having an impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "This update of Red Hat Integration - Camel Extensions for Quarkus serves as a replacement for 2.2 GA and includes the following security Fix(es):\n\nSecurity Fix(es):\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0222", "url": "https://access.redhat.com/errata/RHSA-2022:0222" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2022-Q1", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2022-Q1" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q1", "url": "https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q1" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0222.json" } ], "title": "Red Hat Security Advisory: Red Hat Integration Camel Extensions for Quarkus 2.2 security update", "tracking": { "current_release_date": "2024-11-15T10:44:25+00:00", "generator": { "date": "2024-11-15T10:44:25+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:0222", "initial_release_date": "2022-01-20T18:54:26+00:00", "revision_history": [ { "date": "2022-01-20T18:54:26+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-20T18:54:26+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T10:44:25+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Integration Camel Extensions for Quarkus 2.2", "product": { "name": "Red Hat Integration Camel Extensions for Quarkus 2.2", "product_id": "Red Hat Integration Camel Extensions for Quarkus 2.2", "product_identification_helper": { "cpe": "cpe:/a:redhat:camel_quarkus:2.2" } } } ], "category": "product_family", "name": "Red Hat Integration" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Integration Camel Extensions for Quarkus 2.2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T18:54:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Integration Camel Extensions for Quarkus 2.2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0222" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "Red Hat Integration Camel Extensions for Quarkus 2.2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Integration Camel Extensions for Quarkus 2.2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Integration Camel Extensions for Quarkus 2.2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T18:54:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Integration Camel Extensions for Quarkus 2.2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0222" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "Red Hat Integration Camel Extensions for Quarkus 2.2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Integration Camel Extensions for Quarkus 2.2" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Integration Camel Extensions for Quarkus 2.2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-20T18:54:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Integration Camel Extensions for Quarkus 2.2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0222" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "Red Hat Integration Camel Extensions for Quarkus 2.2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Integration Camel Extensions for Quarkus 2.2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" } ] }
rhsa-2021_5137
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Openshift Logging Security Release (5.0.10)\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Openshift Logging Bug Fix Release (5.0.10)\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5137", "url": "https://access.redhat.com/errata/RHSA-2021:5137" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5137.json" } ], "title": "Red Hat Security Advisory: Openshift Logging Security Release (5.0.10)", "tracking": { "current_release_date": "2024-11-21T21:15:02+00:00", "generator": { "date": "2024-11-21T21:15:02+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:5137", "initial_release_date": "2021-12-14T21:36:36+00:00", "revision_history": [ { "date": "2021-12-14T21:36:36+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-14T21:36:36+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:15:02+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "OpenShift Logging 5.0", "product": { "name": "OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:logging:5.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:aa89345bb6281fac7c35d404a2ff753bff3f222557ab6f03c2c401107adf073e_amd64", "product": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:aa89345bb6281fac7c35d404a2ff753bff3f222557ab6f03c2c401107adf073e_amd64", "product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:aa89345bb6281fac7c35d404a2ff753bff3f222557ab6f03c2c401107adf073e_amd64", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:aa89345bb6281fac7c35d404a2ff753bff3f222557ab6f03c2c401107adf073e?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/cluster-logging-operator-bundle@sha256:8506f609ee7aae7006f856c9aea1868adbe0689e142d88a7db9fe1a5178f3178_amd64", "product": { "name": "openshift-logging/cluster-logging-operator-bundle@sha256:8506f609ee7aae7006f856c9aea1868adbe0689e142d88a7db9fe1a5178f3178_amd64", "product_id": "openshift-logging/cluster-logging-operator-bundle@sha256:8506f609ee7aae7006f856c9aea1868adbe0689e142d88a7db9fe1a5178f3178_amd64", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-operator-bundle@sha256:8506f609ee7aae7006f856c9aea1868adbe0689e142d88a7db9fe1a5178f3178?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-operator-bundle\u0026tag=v5.0.10-2" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:71bcbfb03b820d0a2ce7fb5ec6ab4830b2d38ff62ccdcf974139a7244cf5b2ee_amd64", "product": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:71bcbfb03b820d0a2ce7fb5ec6ab4830b2d38ff62ccdcf974139a7244cf5b2ee_amd64", "product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:71bcbfb03b820d0a2ce7fb5ec6ab4830b2d38ff62ccdcf974139a7244cf5b2ee_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:71bcbfb03b820d0a2ce7fb5ec6ab4830b2d38ff62ccdcf974139a7244cf5b2ee?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-operator-bundle@sha256:4edb9f0a5efe40bdb5ae5f9b68abb4ac952810d1333442993c90bee6831bbe64_amd64", "product": { "name": "openshift-logging/elasticsearch-operator-bundle@sha256:4edb9f0a5efe40bdb5ae5f9b68abb4ac952810d1333442993c90bee6831bbe64_amd64", "product_id": "openshift-logging/elasticsearch-operator-bundle@sha256:4edb9f0a5efe40bdb5ae5f9b68abb4ac952810d1333442993c90bee6831bbe64_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-operator-bundle@sha256:4edb9f0a5efe40bdb5ae5f9b68abb4ac952810d1333442993c90bee6831bbe64?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-operator-bundle\u0026tag=v5.0.10-2" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:70fb7698de4592d07001b268b914f468c03618471cb975b6a21c35451999be2a_amd64", "product": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:70fb7698de4592d07001b268b914f468c03618471cb975b6a21c35451999be2a_amd64", "product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:70fb7698de4592d07001b268b914f468c03618471cb975b6a21c35451999be2a_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:70fb7698de4592d07001b268b914f468c03618471cb975b6a21c35451999be2a?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/logging-curator5-rhel8@sha256:4b597b22e6dbf1897e728d8384a7fb6f703290a6b4f9755141a9bd35569c1bb4_amd64", "product": { "name": "openshift-logging/logging-curator5-rhel8@sha256:4b597b22e6dbf1897e728d8384a7fb6f703290a6b4f9755141a9bd35569c1bb4_amd64", "product_id": "openshift-logging/logging-curator5-rhel8@sha256:4b597b22e6dbf1897e728d8384a7fb6f703290a6b4f9755141a9bd35569c1bb4_amd64", "product_identification_helper": { "purl": "pkg:oci/logging-curator5-rhel8@sha256:4b597b22e6dbf1897e728d8384a7fb6f703290a6b4f9755141a9bd35569c1bb4?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/logging-curator5-rhel8\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch6-rhel8@sha256:c4fb65aaf2602f06b713da8e5b5674d880f57177510a533135cbb93c7e362eb9_amd64", "product": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:c4fb65aaf2602f06b713da8e5b5674d880f57177510a533135cbb93c7e362eb9_amd64", "product_id": "openshift-logging/elasticsearch6-rhel8@sha256:c4fb65aaf2602f06b713da8e5b5674d880f57177510a533135cbb93c7e362eb9_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch6-rhel8@sha256:c4fb65aaf2602f06b713da8e5b5674d880f57177510a533135cbb93c7e362eb9?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/eventrouter-rhel8@sha256:98092e9322efec21851e728e69e1b32b7607a4aedccc9ec39fc225849f3b7e1a_amd64", "product": { "name": "openshift-logging/eventrouter-rhel8@sha256:98092e9322efec21851e728e69e1b32b7607a4aedccc9ec39fc225849f3b7e1a_amd64", "product_id": "openshift-logging/eventrouter-rhel8@sha256:98092e9322efec21851e728e69e1b32b7607a4aedccc9ec39fc225849f3b7e1a_amd64", "product_identification_helper": { "purl": "pkg:oci/eventrouter-rhel8@sha256:98092e9322efec21851e728e69e1b32b7607a4aedccc9ec39fc225849f3b7e1a?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/fluentd-rhel8@sha256:3273f04559882c0ab7c2b61da96aa7a61f0004d1c87e8070477ba984cfa3dc50_amd64", "product": { "name": "openshift-logging/fluentd-rhel8@sha256:3273f04559882c0ab7c2b61da96aa7a61f0004d1c87e8070477ba984cfa3dc50_amd64", "product_id": "openshift-logging/fluentd-rhel8@sha256:3273f04559882c0ab7c2b61da96aa7a61f0004d1c87e8070477ba984cfa3dc50_amd64", "product_identification_helper": { "purl": "pkg:oci/fluentd-rhel8@sha256:3273f04559882c0ab7c2b61da96aa7a61f0004d1c87e8070477ba984cfa3dc50?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/kibana6-rhel8@sha256:7709829dde3568c1e32b4e949054191166545e724803341e4182e080583adbc8_amd64", "product": { "name": "openshift-logging/kibana6-rhel8@sha256:7709829dde3568c1e32b4e949054191166545e724803341e4182e080583adbc8_amd64", "product_id": "openshift-logging/kibana6-rhel8@sha256:7709829dde3568c1e32b4e949054191166545e724803341e4182e080583adbc8_amd64", "product_identification_helper": { "purl": "pkg:oci/kibana6-rhel8@sha256:7709829dde3568c1e32b4e949054191166545e724803341e4182e080583adbc8?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v5.0.10-1" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:aa5bbc1b0792179d50e7e102588195b0b11799b94640db5039ff371e8505e32b_ppc64le", "product": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:aa5bbc1b0792179d50e7e102588195b0b11799b94640db5039ff371e8505e32b_ppc64le", "product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:aa5bbc1b0792179d50e7e102588195b0b11799b94640db5039ff371e8505e32b_ppc64le", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:aa5bbc1b0792179d50e7e102588195b0b11799b94640db5039ff371e8505e32b?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:97bd3a7bf854f3b4ead46336683a82853f78df95c48ab9a4f1c5164105f05f8e_ppc64le", "product": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:97bd3a7bf854f3b4ead46336683a82853f78df95c48ab9a4f1c5164105f05f8e_ppc64le", "product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:97bd3a7bf854f3b4ead46336683a82853f78df95c48ab9a4f1c5164105f05f8e_ppc64le", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:97bd3a7bf854f3b4ead46336683a82853f78df95c48ab9a4f1c5164105f05f8e?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:cf7da672fc4e59894230852c0d5e67e3fcbbcce1fa992784b5348e654ff59417_ppc64le", "product": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:cf7da672fc4e59894230852c0d5e67e3fcbbcce1fa992784b5348e654ff59417_ppc64le", "product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:cf7da672fc4e59894230852c0d5e67e3fcbbcce1fa992784b5348e654ff59417_ppc64le", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:cf7da672fc4e59894230852c0d5e67e3fcbbcce1fa992784b5348e654ff59417?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/logging-curator5-rhel8@sha256:6a3e0dcfc27c799d54b9b86d71b61691583d48b71b1f651afb46ae5b00a31ba1_ppc64le", "product": { "name": "openshift-logging/logging-curator5-rhel8@sha256:6a3e0dcfc27c799d54b9b86d71b61691583d48b71b1f651afb46ae5b00a31ba1_ppc64le", "product_id": "openshift-logging/logging-curator5-rhel8@sha256:6a3e0dcfc27c799d54b9b86d71b61691583d48b71b1f651afb46ae5b00a31ba1_ppc64le", "product_identification_helper": { "purl": "pkg:oci/logging-curator5-rhel8@sha256:6a3e0dcfc27c799d54b9b86d71b61691583d48b71b1f651afb46ae5b00a31ba1?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/logging-curator5-rhel8\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch6-rhel8@sha256:a70f88abff582e94a56f650acb782217e6247dc13343d7803492467a4881a9b0_ppc64le", "product": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:a70f88abff582e94a56f650acb782217e6247dc13343d7803492467a4881a9b0_ppc64le", "product_id": "openshift-logging/elasticsearch6-rhel8@sha256:a70f88abff582e94a56f650acb782217e6247dc13343d7803492467a4881a9b0_ppc64le", "product_identification_helper": { "purl": "pkg:oci/elasticsearch6-rhel8@sha256:a70f88abff582e94a56f650acb782217e6247dc13343d7803492467a4881a9b0?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/eventrouter-rhel8@sha256:09ba9e857b5ba3ac122d71b2c349ab8e13981c34268b6ec9c252519243f77d55_ppc64le", "product": { "name": "openshift-logging/eventrouter-rhel8@sha256:09ba9e857b5ba3ac122d71b2c349ab8e13981c34268b6ec9c252519243f77d55_ppc64le", "product_id": "openshift-logging/eventrouter-rhel8@sha256:09ba9e857b5ba3ac122d71b2c349ab8e13981c34268b6ec9c252519243f77d55_ppc64le", "product_identification_helper": { "purl": "pkg:oci/eventrouter-rhel8@sha256:09ba9e857b5ba3ac122d71b2c349ab8e13981c34268b6ec9c252519243f77d55?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/fluentd-rhel8@sha256:77489c11265b4890c23c95b3bb255f707e9bfe02475a65e566fae1d1eb0ca970_ppc64le", "product": { "name": "openshift-logging/fluentd-rhel8@sha256:77489c11265b4890c23c95b3bb255f707e9bfe02475a65e566fae1d1eb0ca970_ppc64le", "product_id": "openshift-logging/fluentd-rhel8@sha256:77489c11265b4890c23c95b3bb255f707e9bfe02475a65e566fae1d1eb0ca970_ppc64le", "product_identification_helper": { "purl": "pkg:oci/fluentd-rhel8@sha256:77489c11265b4890c23c95b3bb255f707e9bfe02475a65e566fae1d1eb0ca970?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/kibana6-rhel8@sha256:e3d3cba918b8eb95f340e1a6d5a2bc05bb93b6b305a0beccae0b5d37a064986a_ppc64le", "product": { "name": "openshift-logging/kibana6-rhel8@sha256:e3d3cba918b8eb95f340e1a6d5a2bc05bb93b6b305a0beccae0b5d37a064986a_ppc64le", "product_id": "openshift-logging/kibana6-rhel8@sha256:e3d3cba918b8eb95f340e1a6d5a2bc05bb93b6b305a0beccae0b5d37a064986a_ppc64le", "product_identification_helper": { "purl": "pkg:oci/kibana6-rhel8@sha256:e3d3cba918b8eb95f340e1a6d5a2bc05bb93b6b305a0beccae0b5d37a064986a?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v5.0.10-1" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:177037cc7dd2abedf432efd6addf9d47960d8e9fb116cdfc973ee4999a488383_s390x", "product": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:177037cc7dd2abedf432efd6addf9d47960d8e9fb116cdfc973ee4999a488383_s390x", "product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:177037cc7dd2abedf432efd6addf9d47960d8e9fb116cdfc973ee4999a488383_s390x", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:177037cc7dd2abedf432efd6addf9d47960d8e9fb116cdfc973ee4999a488383?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:4bba1d96440b7fc19cb61fdacad24bfab5fab610eae01374d830ee51fa8a6bd4_s390x", "product": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:4bba1d96440b7fc19cb61fdacad24bfab5fab610eae01374d830ee51fa8a6bd4_s390x", "product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:4bba1d96440b7fc19cb61fdacad24bfab5fab610eae01374d830ee51fa8a6bd4_s390x", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:4bba1d96440b7fc19cb61fdacad24bfab5fab610eae01374d830ee51fa8a6bd4?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:c1dd73551aa53acb75a02875449fa54a995df5888b68421a7e945862a98aa8c2_s390x", "product": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:c1dd73551aa53acb75a02875449fa54a995df5888b68421a7e945862a98aa8c2_s390x", "product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:c1dd73551aa53acb75a02875449fa54a995df5888b68421a7e945862a98aa8c2_s390x", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:c1dd73551aa53acb75a02875449fa54a995df5888b68421a7e945862a98aa8c2?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/logging-curator5-rhel8@sha256:680699c945e150eb6fdbd0dd70565ad279fba8c21abbffe1fa7b3a0360f03178_s390x", "product": { "name": "openshift-logging/logging-curator5-rhel8@sha256:680699c945e150eb6fdbd0dd70565ad279fba8c21abbffe1fa7b3a0360f03178_s390x", "product_id": "openshift-logging/logging-curator5-rhel8@sha256:680699c945e150eb6fdbd0dd70565ad279fba8c21abbffe1fa7b3a0360f03178_s390x", "product_identification_helper": { "purl": "pkg:oci/logging-curator5-rhel8@sha256:680699c945e150eb6fdbd0dd70565ad279fba8c21abbffe1fa7b3a0360f03178?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/logging-curator5-rhel8\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch6-rhel8@sha256:8612f54b6b077febf9ab833b6bf6fe4673bc29ed8765323e60c4b7531ef40407_s390x", "product": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:8612f54b6b077febf9ab833b6bf6fe4673bc29ed8765323e60c4b7531ef40407_s390x", "product_id": "openshift-logging/elasticsearch6-rhel8@sha256:8612f54b6b077febf9ab833b6bf6fe4673bc29ed8765323e60c4b7531ef40407_s390x", "product_identification_helper": { "purl": "pkg:oci/elasticsearch6-rhel8@sha256:8612f54b6b077febf9ab833b6bf6fe4673bc29ed8765323e60c4b7531ef40407?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/eventrouter-rhel8@sha256:abf4052884464d6fa82d2b4aed5a612918d395f4229dde26a3c3acfa20fbfb34_s390x", "product": { "name": "openshift-logging/eventrouter-rhel8@sha256:abf4052884464d6fa82d2b4aed5a612918d395f4229dde26a3c3acfa20fbfb34_s390x", "product_id": "openshift-logging/eventrouter-rhel8@sha256:abf4052884464d6fa82d2b4aed5a612918d395f4229dde26a3c3acfa20fbfb34_s390x", "product_identification_helper": { "purl": "pkg:oci/eventrouter-rhel8@sha256:abf4052884464d6fa82d2b4aed5a612918d395f4229dde26a3c3acfa20fbfb34?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/fluentd-rhel8@sha256:a88c38034287123710fbdfa23056a700dbf918fa563d6ce14c56c99a14000a5c_s390x", "product": { "name": "openshift-logging/fluentd-rhel8@sha256:a88c38034287123710fbdfa23056a700dbf918fa563d6ce14c56c99a14000a5c_s390x", "product_id": "openshift-logging/fluentd-rhel8@sha256:a88c38034287123710fbdfa23056a700dbf918fa563d6ce14c56c99a14000a5c_s390x", "product_identification_helper": { "purl": "pkg:oci/fluentd-rhel8@sha256:a88c38034287123710fbdfa23056a700dbf918fa563d6ce14c56c99a14000a5c?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v5.0.10-1" } } }, { "category": "product_version", "name": "openshift-logging/kibana6-rhel8@sha256:d505ef5c45463c45c6bd67873ef038400b79b940ab142153ebdc86d6efdfb619_s390x", "product": { "name": "openshift-logging/kibana6-rhel8@sha256:d505ef5c45463c45c6bd67873ef038400b79b940ab142153ebdc86d6efdfb619_s390x", "product_id": "openshift-logging/kibana6-rhel8@sha256:d505ef5c45463c45c6bd67873ef038400b79b940ab142153ebdc86d6efdfb619_s390x", "product_identification_helper": { "purl": "pkg:oci/kibana6-rhel8@sha256:d505ef5c45463c45c6bd67873ef038400b79b940ab142153ebdc86d6efdfb619?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v5.0.10-1" } } } ], "category": "architecture", "name": "s390x" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-operator-bundle@sha256:8506f609ee7aae7006f856c9aea1868adbe0689e142d88a7db9fe1a5178f3178_amd64 as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-operator-bundle@sha256:8506f609ee7aae7006f856c9aea1868adbe0689e142d88a7db9fe1a5178f3178_amd64" }, "product_reference": "openshift-logging/cluster-logging-operator-bundle@sha256:8506f609ee7aae7006f856c9aea1868adbe0689e142d88a7db9fe1a5178f3178_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:177037cc7dd2abedf432efd6addf9d47960d8e9fb116cdfc973ee4999a488383_s390x as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:177037cc7dd2abedf432efd6addf9d47960d8e9fb116cdfc973ee4999a488383_s390x" }, "product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:177037cc7dd2abedf432efd6addf9d47960d8e9fb116cdfc973ee4999a488383_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:aa5bbc1b0792179d50e7e102588195b0b11799b94640db5039ff371e8505e32b_ppc64le as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:aa5bbc1b0792179d50e7e102588195b0b11799b94640db5039ff371e8505e32b_ppc64le" }, "product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:aa5bbc1b0792179d50e7e102588195b0b11799b94640db5039ff371e8505e32b_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:aa89345bb6281fac7c35d404a2ff753bff3f222557ab6f03c2c401107adf073e_amd64 as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:aa89345bb6281fac7c35d404a2ff753bff3f222557ab6f03c2c401107adf073e_amd64" }, "product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:aa89345bb6281fac7c35d404a2ff753bff3f222557ab6f03c2c401107adf073e_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-operator-bundle@sha256:4edb9f0a5efe40bdb5ae5f9b68abb4ac952810d1333442993c90bee6831bbe64_amd64 as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-operator-bundle@sha256:4edb9f0a5efe40bdb5ae5f9b68abb4ac952810d1333442993c90bee6831bbe64_amd64" }, "product_reference": "openshift-logging/elasticsearch-operator-bundle@sha256:4edb9f0a5efe40bdb5ae5f9b68abb4ac952810d1333442993c90bee6831bbe64_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:70fb7698de4592d07001b268b914f468c03618471cb975b6a21c35451999be2a_amd64 as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:70fb7698de4592d07001b268b914f468c03618471cb975b6a21c35451999be2a_amd64" }, "product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:70fb7698de4592d07001b268b914f468c03618471cb975b6a21c35451999be2a_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:c1dd73551aa53acb75a02875449fa54a995df5888b68421a7e945862a98aa8c2_s390x as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:c1dd73551aa53acb75a02875449fa54a995df5888b68421a7e945862a98aa8c2_s390x" }, "product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:c1dd73551aa53acb75a02875449fa54a995df5888b68421a7e945862a98aa8c2_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:cf7da672fc4e59894230852c0d5e67e3fcbbcce1fa992784b5348e654ff59417_ppc64le as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:cf7da672fc4e59894230852c0d5e67e3fcbbcce1fa992784b5348e654ff59417_ppc64le" }, "product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:cf7da672fc4e59894230852c0d5e67e3fcbbcce1fa992784b5348e654ff59417_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:4bba1d96440b7fc19cb61fdacad24bfab5fab610eae01374d830ee51fa8a6bd4_s390x as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:4bba1d96440b7fc19cb61fdacad24bfab5fab610eae01374d830ee51fa8a6bd4_s390x" }, "product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:4bba1d96440b7fc19cb61fdacad24bfab5fab610eae01374d830ee51fa8a6bd4_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:71bcbfb03b820d0a2ce7fb5ec6ab4830b2d38ff62ccdcf974139a7244cf5b2ee_amd64 as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:71bcbfb03b820d0a2ce7fb5ec6ab4830b2d38ff62ccdcf974139a7244cf5b2ee_amd64" }, "product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:71bcbfb03b820d0a2ce7fb5ec6ab4830b2d38ff62ccdcf974139a7244cf5b2ee_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:97bd3a7bf854f3b4ead46336683a82853f78df95c48ab9a4f1c5164105f05f8e_ppc64le as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:97bd3a7bf854f3b4ead46336683a82853f78df95c48ab9a4f1c5164105f05f8e_ppc64le" }, "product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:97bd3a7bf854f3b4ead46336683a82853f78df95c48ab9a4f1c5164105f05f8e_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:8612f54b6b077febf9ab833b6bf6fe4673bc29ed8765323e60c4b7531ef40407_s390x as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:8612f54b6b077febf9ab833b6bf6fe4673bc29ed8765323e60c4b7531ef40407_s390x" }, "product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:8612f54b6b077febf9ab833b6bf6fe4673bc29ed8765323e60c4b7531ef40407_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:a70f88abff582e94a56f650acb782217e6247dc13343d7803492467a4881a9b0_ppc64le as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:a70f88abff582e94a56f650acb782217e6247dc13343d7803492467a4881a9b0_ppc64le" }, "product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:a70f88abff582e94a56f650acb782217e6247dc13343d7803492467a4881a9b0_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:c4fb65aaf2602f06b713da8e5b5674d880f57177510a533135cbb93c7e362eb9_amd64 as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:c4fb65aaf2602f06b713da8e5b5674d880f57177510a533135cbb93c7e362eb9_amd64" }, "product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:c4fb65aaf2602f06b713da8e5b5674d880f57177510a533135cbb93c7e362eb9_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/eventrouter-rhel8@sha256:09ba9e857b5ba3ac122d71b2c349ab8e13981c34268b6ec9c252519243f77d55_ppc64le as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:09ba9e857b5ba3ac122d71b2c349ab8e13981c34268b6ec9c252519243f77d55_ppc64le" }, "product_reference": "openshift-logging/eventrouter-rhel8@sha256:09ba9e857b5ba3ac122d71b2c349ab8e13981c34268b6ec9c252519243f77d55_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/eventrouter-rhel8@sha256:98092e9322efec21851e728e69e1b32b7607a4aedccc9ec39fc225849f3b7e1a_amd64 as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:98092e9322efec21851e728e69e1b32b7607a4aedccc9ec39fc225849f3b7e1a_amd64" }, "product_reference": "openshift-logging/eventrouter-rhel8@sha256:98092e9322efec21851e728e69e1b32b7607a4aedccc9ec39fc225849f3b7e1a_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/eventrouter-rhel8@sha256:abf4052884464d6fa82d2b4aed5a612918d395f4229dde26a3c3acfa20fbfb34_s390x as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:abf4052884464d6fa82d2b4aed5a612918d395f4229dde26a3c3acfa20fbfb34_s390x" }, "product_reference": "openshift-logging/eventrouter-rhel8@sha256:abf4052884464d6fa82d2b4aed5a612918d395f4229dde26a3c3acfa20fbfb34_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/fluentd-rhel8@sha256:3273f04559882c0ab7c2b61da96aa7a61f0004d1c87e8070477ba984cfa3dc50_amd64 as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:3273f04559882c0ab7c2b61da96aa7a61f0004d1c87e8070477ba984cfa3dc50_amd64" }, "product_reference": "openshift-logging/fluentd-rhel8@sha256:3273f04559882c0ab7c2b61da96aa7a61f0004d1c87e8070477ba984cfa3dc50_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/fluentd-rhel8@sha256:77489c11265b4890c23c95b3bb255f707e9bfe02475a65e566fae1d1eb0ca970_ppc64le as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:77489c11265b4890c23c95b3bb255f707e9bfe02475a65e566fae1d1eb0ca970_ppc64le" }, "product_reference": "openshift-logging/fluentd-rhel8@sha256:77489c11265b4890c23c95b3bb255f707e9bfe02475a65e566fae1d1eb0ca970_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/fluentd-rhel8@sha256:a88c38034287123710fbdfa23056a700dbf918fa563d6ce14c56c99a14000a5c_s390x as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:a88c38034287123710fbdfa23056a700dbf918fa563d6ce14c56c99a14000a5c_s390x" }, "product_reference": "openshift-logging/fluentd-rhel8@sha256:a88c38034287123710fbdfa23056a700dbf918fa563d6ce14c56c99a14000a5c_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/kibana6-rhel8@sha256:7709829dde3568c1e32b4e949054191166545e724803341e4182e080583adbc8_amd64 as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:7709829dde3568c1e32b4e949054191166545e724803341e4182e080583adbc8_amd64" }, "product_reference": "openshift-logging/kibana6-rhel8@sha256:7709829dde3568c1e32b4e949054191166545e724803341e4182e080583adbc8_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/kibana6-rhel8@sha256:d505ef5c45463c45c6bd67873ef038400b79b940ab142153ebdc86d6efdfb619_s390x as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:d505ef5c45463c45c6bd67873ef038400b79b940ab142153ebdc86d6efdfb619_s390x" }, "product_reference": "openshift-logging/kibana6-rhel8@sha256:d505ef5c45463c45c6bd67873ef038400b79b940ab142153ebdc86d6efdfb619_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/kibana6-rhel8@sha256:e3d3cba918b8eb95f340e1a6d5a2bc05bb93b6b305a0beccae0b5d37a064986a_ppc64le as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:e3d3cba918b8eb95f340e1a6d5a2bc05bb93b6b305a0beccae0b5d37a064986a_ppc64le" }, "product_reference": "openshift-logging/kibana6-rhel8@sha256:e3d3cba918b8eb95f340e1a6d5a2bc05bb93b6b305a0beccae0b5d37a064986a_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/logging-curator5-rhel8@sha256:4b597b22e6dbf1897e728d8384a7fb6f703290a6b4f9755141a9bd35569c1bb4_amd64 as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:4b597b22e6dbf1897e728d8384a7fb6f703290a6b4f9755141a9bd35569c1bb4_amd64" }, "product_reference": "openshift-logging/logging-curator5-rhel8@sha256:4b597b22e6dbf1897e728d8384a7fb6f703290a6b4f9755141a9bd35569c1bb4_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/logging-curator5-rhel8@sha256:680699c945e150eb6fdbd0dd70565ad279fba8c21abbffe1fa7b3a0360f03178_s390x as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:680699c945e150eb6fdbd0dd70565ad279fba8c21abbffe1fa7b3a0360f03178_s390x" }, "product_reference": "openshift-logging/logging-curator5-rhel8@sha256:680699c945e150eb6fdbd0dd70565ad279fba8c21abbffe1fa7b3a0360f03178_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/logging-curator5-rhel8@sha256:6a3e0dcfc27c799d54b9b86d71b61691583d48b71b1f651afb46ae5b00a31ba1_ppc64le as a component of OpenShift Logging 5.0", "product_id": "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:6a3e0dcfc27c799d54b9b86d71b61691583d48b71b1f651afb46ae5b00a31ba1_ppc64le" }, "product_reference": "openshift-logging/logging-curator5-rhel8@sha256:6a3e0dcfc27c799d54b9b86d71b61691583d48b71b1f651afb46ae5b00a31ba1_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.0" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-operator-bundle@sha256:8506f609ee7aae7006f856c9aea1868adbe0689e142d88a7db9fe1a5178f3178_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:177037cc7dd2abedf432efd6addf9d47960d8e9fb116cdfc973ee4999a488383_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:aa5bbc1b0792179d50e7e102588195b0b11799b94640db5039ff371e8505e32b_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:aa89345bb6281fac7c35d404a2ff753bff3f222557ab6f03c2c401107adf073e_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-operator-bundle@sha256:4edb9f0a5efe40bdb5ae5f9b68abb4ac952810d1333442993c90bee6831bbe64_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:70fb7698de4592d07001b268b914f468c03618471cb975b6a21c35451999be2a_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:c1dd73551aa53acb75a02875449fa54a995df5888b68421a7e945862a98aa8c2_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:cf7da672fc4e59894230852c0d5e67e3fcbbcce1fa992784b5348e654ff59417_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:4bba1d96440b7fc19cb61fdacad24bfab5fab610eae01374d830ee51fa8a6bd4_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:71bcbfb03b820d0a2ce7fb5ec6ab4830b2d38ff62ccdcf974139a7244cf5b2ee_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:97bd3a7bf854f3b4ead46336683a82853f78df95c48ab9a4f1c5164105f05f8e_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:09ba9e857b5ba3ac122d71b2c349ab8e13981c34268b6ec9c252519243f77d55_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:98092e9322efec21851e728e69e1b32b7607a4aedccc9ec39fc225849f3b7e1a_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:abf4052884464d6fa82d2b4aed5a612918d395f4229dde26a3c3acfa20fbfb34_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:3273f04559882c0ab7c2b61da96aa7a61f0004d1c87e8070477ba984cfa3dc50_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:77489c11265b4890c23c95b3bb255f707e9bfe02475a65e566fae1d1eb0ca970_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:a88c38034287123710fbdfa23056a700dbf918fa563d6ce14c56c99a14000a5c_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:7709829dde3568c1e32b4e949054191166545e724803341e4182e080583adbc8_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:d505ef5c45463c45c6bd67873ef038400b79b940ab142153ebdc86d6efdfb619_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:e3d3cba918b8eb95f340e1a6d5a2bc05bb93b6b305a0beccae0b5d37a064986a_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:4b597b22e6dbf1897e728d8384a7fb6f703290a6b4f9755141a9bd35569c1bb4_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:680699c945e150eb6fdbd0dd70565ad279fba8c21abbffe1fa7b3a0360f03178_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:6a3e0dcfc27c799d54b9b86d71b61691583d48b71b1f651afb46ae5b00a31ba1_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:8612f54b6b077febf9ab833b6bf6fe4673bc29ed8765323e60c4b7531ef40407_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:a70f88abff582e94a56f650acb782217e6247dc13343d7803492467a4881a9b0_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:c4fb65aaf2602f06b713da8e5b5674d880f57177510a533135cbb93c7e362eb9_amd64" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-operator-bundle@sha256:8506f609ee7aae7006f856c9aea1868adbe0689e142d88a7db9fe1a5178f3178_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:177037cc7dd2abedf432efd6addf9d47960d8e9fb116cdfc973ee4999a488383_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:aa5bbc1b0792179d50e7e102588195b0b11799b94640db5039ff371e8505e32b_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:aa89345bb6281fac7c35d404a2ff753bff3f222557ab6f03c2c401107adf073e_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-operator-bundle@sha256:4edb9f0a5efe40bdb5ae5f9b68abb4ac952810d1333442993c90bee6831bbe64_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:70fb7698de4592d07001b268b914f468c03618471cb975b6a21c35451999be2a_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:c1dd73551aa53acb75a02875449fa54a995df5888b68421a7e945862a98aa8c2_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:cf7da672fc4e59894230852c0d5e67e3fcbbcce1fa992784b5348e654ff59417_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:4bba1d96440b7fc19cb61fdacad24bfab5fab610eae01374d830ee51fa8a6bd4_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:71bcbfb03b820d0a2ce7fb5ec6ab4830b2d38ff62ccdcf974139a7244cf5b2ee_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:97bd3a7bf854f3b4ead46336683a82853f78df95c48ab9a4f1c5164105f05f8e_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:09ba9e857b5ba3ac122d71b2c349ab8e13981c34268b6ec9c252519243f77d55_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:98092e9322efec21851e728e69e1b32b7607a4aedccc9ec39fc225849f3b7e1a_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:abf4052884464d6fa82d2b4aed5a612918d395f4229dde26a3c3acfa20fbfb34_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:3273f04559882c0ab7c2b61da96aa7a61f0004d1c87e8070477ba984cfa3dc50_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:77489c11265b4890c23c95b3bb255f707e9bfe02475a65e566fae1d1eb0ca970_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:a88c38034287123710fbdfa23056a700dbf918fa563d6ce14c56c99a14000a5c_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:7709829dde3568c1e32b4e949054191166545e724803341e4182e080583adbc8_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:d505ef5c45463c45c6bd67873ef038400b79b940ab142153ebdc86d6efdfb619_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:e3d3cba918b8eb95f340e1a6d5a2bc05bb93b6b305a0beccae0b5d37a064986a_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:4b597b22e6dbf1897e728d8384a7fb6f703290a6b4f9755141a9bd35569c1bb4_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:680699c945e150eb6fdbd0dd70565ad279fba8c21abbffe1fa7b3a0360f03178_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:6a3e0dcfc27c799d54b9b86d71b61691583d48b71b1f651afb46ae5b00a31ba1_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T21:36:36+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nFor Red Hat OpenShift Logging 5.0, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:8612f54b6b077febf9ab833b6bf6fe4673bc29ed8765323e60c4b7531ef40407_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:a70f88abff582e94a56f650acb782217e6247dc13343d7803492467a4881a9b0_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:c4fb65aaf2602f06b713da8e5b5674d880f57177510a533135cbb93c7e362eb9_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5137" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-operator-bundle@sha256:8506f609ee7aae7006f856c9aea1868adbe0689e142d88a7db9fe1a5178f3178_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:177037cc7dd2abedf432efd6addf9d47960d8e9fb116cdfc973ee4999a488383_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:aa5bbc1b0792179d50e7e102588195b0b11799b94640db5039ff371e8505e32b_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:aa89345bb6281fac7c35d404a2ff753bff3f222557ab6f03c2c401107adf073e_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-operator-bundle@sha256:4edb9f0a5efe40bdb5ae5f9b68abb4ac952810d1333442993c90bee6831bbe64_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:70fb7698de4592d07001b268b914f468c03618471cb975b6a21c35451999be2a_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:c1dd73551aa53acb75a02875449fa54a995df5888b68421a7e945862a98aa8c2_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:cf7da672fc4e59894230852c0d5e67e3fcbbcce1fa992784b5348e654ff59417_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:4bba1d96440b7fc19cb61fdacad24bfab5fab610eae01374d830ee51fa8a6bd4_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:71bcbfb03b820d0a2ce7fb5ec6ab4830b2d38ff62ccdcf974139a7244cf5b2ee_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:97bd3a7bf854f3b4ead46336683a82853f78df95c48ab9a4f1c5164105f05f8e_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:8612f54b6b077febf9ab833b6bf6fe4673bc29ed8765323e60c4b7531ef40407_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:a70f88abff582e94a56f650acb782217e6247dc13343d7803492467a4881a9b0_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:c4fb65aaf2602f06b713da8e5b5674d880f57177510a533135cbb93c7e362eb9_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:09ba9e857b5ba3ac122d71b2c349ab8e13981c34268b6ec9c252519243f77d55_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:98092e9322efec21851e728e69e1b32b7607a4aedccc9ec39fc225849f3b7e1a_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:abf4052884464d6fa82d2b4aed5a612918d395f4229dde26a3c3acfa20fbfb34_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:3273f04559882c0ab7c2b61da96aa7a61f0004d1c87e8070477ba984cfa3dc50_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:77489c11265b4890c23c95b3bb255f707e9bfe02475a65e566fae1d1eb0ca970_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:a88c38034287123710fbdfa23056a700dbf918fa563d6ce14c56c99a14000a5c_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:7709829dde3568c1e32b4e949054191166545e724803341e4182e080583adbc8_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:d505ef5c45463c45c6bd67873ef038400b79b940ab142153ebdc86d6efdfb619_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:e3d3cba918b8eb95f340e1a6d5a2bc05bb93b6b305a0beccae0b5d37a064986a_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:4b597b22e6dbf1897e728d8384a7fb6f703290a6b4f9755141a9bd35569c1bb4_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:680699c945e150eb6fdbd0dd70565ad279fba8c21abbffe1fa7b3a0360f03178_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:6a3e0dcfc27c799d54b9b86d71b61691583d48b71b1f651afb46ae5b00a31ba1_ppc64le" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:8612f54b6b077febf9ab833b6bf6fe4673bc29ed8765323e60c4b7531ef40407_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:a70f88abff582e94a56f650acb782217e6247dc13343d7803492467a4881a9b0_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:c4fb65aaf2602f06b713da8e5b5674d880f57177510a533135cbb93c7e362eb9_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-operator-bundle@sha256:8506f609ee7aae7006f856c9aea1868adbe0689e142d88a7db9fe1a5178f3178_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:177037cc7dd2abedf432efd6addf9d47960d8e9fb116cdfc973ee4999a488383_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:aa5bbc1b0792179d50e7e102588195b0b11799b94640db5039ff371e8505e32b_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:aa89345bb6281fac7c35d404a2ff753bff3f222557ab6f03c2c401107adf073e_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-operator-bundle@sha256:4edb9f0a5efe40bdb5ae5f9b68abb4ac952810d1333442993c90bee6831bbe64_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:70fb7698de4592d07001b268b914f468c03618471cb975b6a21c35451999be2a_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:c1dd73551aa53acb75a02875449fa54a995df5888b68421a7e945862a98aa8c2_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:cf7da672fc4e59894230852c0d5e67e3fcbbcce1fa992784b5348e654ff59417_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:4bba1d96440b7fc19cb61fdacad24bfab5fab610eae01374d830ee51fa8a6bd4_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:71bcbfb03b820d0a2ce7fb5ec6ab4830b2d38ff62ccdcf974139a7244cf5b2ee_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:97bd3a7bf854f3b4ead46336683a82853f78df95c48ab9a4f1c5164105f05f8e_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:09ba9e857b5ba3ac122d71b2c349ab8e13981c34268b6ec9c252519243f77d55_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:98092e9322efec21851e728e69e1b32b7607a4aedccc9ec39fc225849f3b7e1a_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:abf4052884464d6fa82d2b4aed5a612918d395f4229dde26a3c3acfa20fbfb34_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:3273f04559882c0ab7c2b61da96aa7a61f0004d1c87e8070477ba984cfa3dc50_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:77489c11265b4890c23c95b3bb255f707e9bfe02475a65e566fae1d1eb0ca970_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:a88c38034287123710fbdfa23056a700dbf918fa563d6ce14c56c99a14000a5c_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:7709829dde3568c1e32b4e949054191166545e724803341e4182e080583adbc8_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:d505ef5c45463c45c6bd67873ef038400b79b940ab142153ebdc86d6efdfb619_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:e3d3cba918b8eb95f340e1a6d5a2bc05bb93b6b305a0beccae0b5d37a064986a_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:4b597b22e6dbf1897e728d8384a7fb6f703290a6b4f9755141a9bd35569c1bb4_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:680699c945e150eb6fdbd0dd70565ad279fba8c21abbffe1fa7b3a0360f03178_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:6a3e0dcfc27c799d54b9b86d71b61691583d48b71b1f651afb46ae5b00a31ba1_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:8612f54b6b077febf9ab833b6bf6fe4673bc29ed8765323e60c4b7531ef40407_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:a70f88abff582e94a56f650acb782217e6247dc13343d7803492467a4881a9b0_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:c4fb65aaf2602f06b713da8e5b5674d880f57177510a533135cbb93c7e362eb9_amd64" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-operator-bundle@sha256:8506f609ee7aae7006f856c9aea1868adbe0689e142d88a7db9fe1a5178f3178_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:177037cc7dd2abedf432efd6addf9d47960d8e9fb116cdfc973ee4999a488383_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:aa5bbc1b0792179d50e7e102588195b0b11799b94640db5039ff371e8505e32b_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:aa89345bb6281fac7c35d404a2ff753bff3f222557ab6f03c2c401107adf073e_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-operator-bundle@sha256:4edb9f0a5efe40bdb5ae5f9b68abb4ac952810d1333442993c90bee6831bbe64_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:70fb7698de4592d07001b268b914f468c03618471cb975b6a21c35451999be2a_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:c1dd73551aa53acb75a02875449fa54a995df5888b68421a7e945862a98aa8c2_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:cf7da672fc4e59894230852c0d5e67e3fcbbcce1fa992784b5348e654ff59417_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:4bba1d96440b7fc19cb61fdacad24bfab5fab610eae01374d830ee51fa8a6bd4_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:71bcbfb03b820d0a2ce7fb5ec6ab4830b2d38ff62ccdcf974139a7244cf5b2ee_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:97bd3a7bf854f3b4ead46336683a82853f78df95c48ab9a4f1c5164105f05f8e_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:09ba9e857b5ba3ac122d71b2c349ab8e13981c34268b6ec9c252519243f77d55_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:98092e9322efec21851e728e69e1b32b7607a4aedccc9ec39fc225849f3b7e1a_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:abf4052884464d6fa82d2b4aed5a612918d395f4229dde26a3c3acfa20fbfb34_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:3273f04559882c0ab7c2b61da96aa7a61f0004d1c87e8070477ba984cfa3dc50_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:77489c11265b4890c23c95b3bb255f707e9bfe02475a65e566fae1d1eb0ca970_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:a88c38034287123710fbdfa23056a700dbf918fa563d6ce14c56c99a14000a5c_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:7709829dde3568c1e32b4e949054191166545e724803341e4182e080583adbc8_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:d505ef5c45463c45c6bd67873ef038400b79b940ab142153ebdc86d6efdfb619_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:e3d3cba918b8eb95f340e1a6d5a2bc05bb93b6b305a0beccae0b5d37a064986a_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:4b597b22e6dbf1897e728d8384a7fb6f703290a6b4f9755141a9bd35569c1bb4_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:680699c945e150eb6fdbd0dd70565ad279fba8c21abbffe1fa7b3a0360f03178_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:6a3e0dcfc27c799d54b9b86d71b61691583d48b71b1f651afb46ae5b00a31ba1_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T21:36:36+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nFor Red Hat OpenShift Logging 5.0, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:8612f54b6b077febf9ab833b6bf6fe4673bc29ed8765323e60c4b7531ef40407_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:a70f88abff582e94a56f650acb782217e6247dc13343d7803492467a4881a9b0_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:c4fb65aaf2602f06b713da8e5b5674d880f57177510a533135cbb93c7e362eb9_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5137" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-operator-bundle@sha256:8506f609ee7aae7006f856c9aea1868adbe0689e142d88a7db9fe1a5178f3178_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:177037cc7dd2abedf432efd6addf9d47960d8e9fb116cdfc973ee4999a488383_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:aa5bbc1b0792179d50e7e102588195b0b11799b94640db5039ff371e8505e32b_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/cluster-logging-rhel8-operator@sha256:aa89345bb6281fac7c35d404a2ff753bff3f222557ab6f03c2c401107adf073e_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-operator-bundle@sha256:4edb9f0a5efe40bdb5ae5f9b68abb4ac952810d1333442993c90bee6831bbe64_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:70fb7698de4592d07001b268b914f468c03618471cb975b6a21c35451999be2a_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:c1dd73551aa53acb75a02875449fa54a995df5888b68421a7e945862a98aa8c2_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-proxy-rhel8@sha256:cf7da672fc4e59894230852c0d5e67e3fcbbcce1fa992784b5348e654ff59417_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:4bba1d96440b7fc19cb61fdacad24bfab5fab610eae01374d830ee51fa8a6bd4_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:71bcbfb03b820d0a2ce7fb5ec6ab4830b2d38ff62ccdcf974139a7244cf5b2ee_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch-rhel8-operator@sha256:97bd3a7bf854f3b4ead46336683a82853f78df95c48ab9a4f1c5164105f05f8e_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:8612f54b6b077febf9ab833b6bf6fe4673bc29ed8765323e60c4b7531ef40407_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:a70f88abff582e94a56f650acb782217e6247dc13343d7803492467a4881a9b0_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:c4fb65aaf2602f06b713da8e5b5674d880f57177510a533135cbb93c7e362eb9_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:09ba9e857b5ba3ac122d71b2c349ab8e13981c34268b6ec9c252519243f77d55_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:98092e9322efec21851e728e69e1b32b7607a4aedccc9ec39fc225849f3b7e1a_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/eventrouter-rhel8@sha256:abf4052884464d6fa82d2b4aed5a612918d395f4229dde26a3c3acfa20fbfb34_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:3273f04559882c0ab7c2b61da96aa7a61f0004d1c87e8070477ba984cfa3dc50_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:77489c11265b4890c23c95b3bb255f707e9bfe02475a65e566fae1d1eb0ca970_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/fluentd-rhel8@sha256:a88c38034287123710fbdfa23056a700dbf918fa563d6ce14c56c99a14000a5c_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:7709829dde3568c1e32b4e949054191166545e724803341e4182e080583adbc8_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:d505ef5c45463c45c6bd67873ef038400b79b940ab142153ebdc86d6efdfb619_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/kibana6-rhel8@sha256:e3d3cba918b8eb95f340e1a6d5a2bc05bb93b6b305a0beccae0b5d37a064986a_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:4b597b22e6dbf1897e728d8384a7fb6f703290a6b4f9755141a9bd35569c1bb4_amd64", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:680699c945e150eb6fdbd0dd70565ad279fba8c21abbffe1fa7b3a0360f03178_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/logging-curator5-rhel8@sha256:6a3e0dcfc27c799d54b9b86d71b61691583d48b71b1f651afb46ae5b00a31ba1_ppc64le" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:8612f54b6b077febf9ab833b6bf6fe4673bc29ed8765323e60c4b7531ef40407_s390x", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:a70f88abff582e94a56f650acb782217e6247dc13343d7803492467a4881a9b0_ppc64le", "8Base-OSE-LOGGING-5.0:openshift-logging/elasticsearch6-rhel8@sha256:c4fb65aaf2602f06b713da8e5b5674d880f57177510a533135cbb93c7e362eb9_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2021_5127
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for OpenShift Logging 5.2.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Openshift Logging Security and Bug Fix Release (5.2.4)\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data (CVE-2021-37136)\n\n* netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5127", "url": "https://access.redhat.com/errata/RHSA-2021:5127" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "1944888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888" }, { "category": "external", "summary": "2004133", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133" }, { "category": "external", "summary": "2004135", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "LOG-1775", "url": "https://issues.redhat.com/browse/LOG-1775" }, { "category": "external", "summary": "LOG-1824", "url": "https://issues.redhat.com/browse/LOG-1824" }, { "category": "external", "summary": "LOG-1963", "url": "https://issues.redhat.com/browse/LOG-1963" }, { "category": "external", "summary": "LOG-1970", "url": "https://issues.redhat.com/browse/LOG-1970" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5127.json" } ], "title": "Red Hat Security Advisory: Openshift Logging security and bug update (5.2.4)", "tracking": { "current_release_date": "2024-11-21T21:15:05+00:00", "generator": { "date": "2024-11-21T21:15:05+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:5127", "initial_release_date": "2021-12-14T18:38:45+00:00", "revision_history": [ { "date": "2021-12-14T18:38:45+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-14T18:38:45+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:15:05+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "OpenShift Logging 5.2", "product": { "name": "OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2", "product_identification_helper": { "cpe": "cpe:/a:redhat:logging:5.2::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "product": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.2.4-4" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "product": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.2.4-4" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "product": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-67" } } }, { "category": "product_version", "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "product": { "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "product_id": "openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "product_identification_helper": { "purl": "pkg:oci/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/log-file-metric-exporter-rhel8\u0026tag=v1.0.0-44" } } }, { "category": "product_version", "name": "openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "product": { "name": "openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "product_id": "openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "product_identification_helper": { "purl": "pkg:oci/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/logging-curator5-rhel8\u0026tag=v5.8.1-47" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x", "product": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x", "product_id": "openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x", "product_identification_helper": { "purl": "pkg:oci/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-66" } } }, { "category": "product_version", "name": "openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "product": { "name": "openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "product_id": "openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "product_identification_helper": { "purl": "pkg:oci/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-64" } } }, { "category": "product_version", "name": "openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "product": { "name": "openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "product_id": "openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "product_identification_helper": { "purl": "pkg:oci/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-71" } } }, { "category": "product_version", "name": "openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "product": { "name": "openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "product_id": "openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "product_identification_helper": { "purl": "pkg:oci/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-74" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "product": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.2.4-4" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "product": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.2.4-4" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "product": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-67" } } }, { "category": "product_version", "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "product": { "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "product_id": "openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "product_identification_helper": { "purl": "pkg:oci/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/log-file-metric-exporter-rhel8\u0026tag=v1.0.0-44" } } }, { "category": "product_version", "name": "openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le", "product": { "name": "openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le", "product_id": "openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le", "product_identification_helper": { "purl": "pkg:oci/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/logging-curator5-rhel8\u0026tag=v5.8.1-47" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "product": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "product_id": "openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "product_identification_helper": { "purl": "pkg:oci/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-66" } } }, { "category": "product_version", "name": "openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "product": { "name": "openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "product_id": "openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "product_identification_helper": { "purl": "pkg:oci/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-64" } } }, { "category": "product_version", "name": "openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "product": { "name": "openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "product_id": "openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "product_identification_helper": { "purl": "pkg:oci/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-71" } } }, { "category": "product_version", "name": "openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "product": { "name": "openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "product_id": "openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "product_identification_helper": { "purl": "pkg:oci/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-74" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "product": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.2.4-4" } } }, { "category": "product_version", "name": "openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "product": { "name": "openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "product_id": "openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "product_identification_helper": { "purl": "pkg:oci/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-operator-bundle\u0026tag=v5.2.4-17" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "product": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.2.4-4" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "product": { "name": "openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "product_id": "openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-operator-bundle\u0026tag=v5.2.4-17" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "product": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-67" } } }, { "category": "product_version", "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "product": { "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "product_id": "openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "product_identification_helper": { "purl": "pkg:oci/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/log-file-metric-exporter-rhel8\u0026tag=v1.0.0-44" } } }, { "category": "product_version", "name": "openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "product": { "name": "openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "product_id": "openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "product_identification_helper": { "purl": "pkg:oci/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/logging-curator5-rhel8\u0026tag=v5.8.1-47" } } }, { "category": "product_version", "name": "openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "product": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "product_id": "openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "product_identification_helper": { "purl": "pkg:oci/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-66" } } }, { "category": "product_version", "name": "openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "product": { "name": "openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "product_id": "openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "product_identification_helper": { "purl": "pkg:oci/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-64" } } }, { "category": "product_version", "name": "openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "product": { "name": "openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "product_id": "openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "product_identification_helper": { "purl": "pkg:oci/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-71" } } }, { "category": "product_version", "name": "openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "product": { "name": "openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "product_id": "openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "product_identification_helper": { "purl": "pkg:oci/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-74" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64 as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64" }, "product_reference": "openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x" }, "product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le" }, "product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64 as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64" }, "product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64 as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64" }, "product_reference": "openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64 as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64" }, "product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x" }, "product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le" }, "product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le" }, "product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64 as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64" }, "product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x" }, "product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64 as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64" }, "product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le" }, "product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" }, "product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le" }, "product_reference": "openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64 as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64" }, "product_reference": "openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x" }, "product_reference": "openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64 as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64" }, "product_reference": "openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le" }, "product_reference": "openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x" }, "product_reference": "openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64 as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64" }, "product_reference": "openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le" }, "product_reference": "openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x" }, "product_reference": "openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x" }, "product_reference": "openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64 as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64" }, "product_reference": "openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le" }, "product_reference": "openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64 as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64" }, "product_reference": "openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x" }, "product_reference": "openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le as a component of OpenShift Logging 5.2", "product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le" }, "product_reference": "openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le", "relates_to_product_reference": "8Base-OSE-LOGGING-5.2" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-21409", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-03-30T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1944888" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: Request smuggling via content-length header", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21409" }, { "category": "external", "summary": "RHBZ#1944888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21409", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21409" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409" }, { "category": "external", "summary": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", "url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32" } ], "release_date": "2021-03-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T18:38:45+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.2, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5127" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "netty: Request smuggling via content-length header" }, { "cve": "CVE-2021-37136", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-09-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2004133" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty\u0027s netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data", "title": "Vulnerability summary" }, { "category": "other", "text": "In the OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of netty-codec package. Since the release of OCP 4.6, the Metering product has been deprecated [1], so the affected components are marked as wontfix. This may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37136" }, { "category": "external", "summary": "RHBZ#2004133", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37136", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37136" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136" }, { "category": "external", "summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", "url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv" } ], "release_date": "2021-09-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T18:38:45+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.2, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5127" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data" }, { "cve": "CVE-2021-37137", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-09-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2004135" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Netty\u0027s netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could cause excessive memory usage resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-37137" }, { "category": "external", "summary": "RHBZ#2004135", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37137", "url": "https://www.cve.org/CVERecord?id=CVE-2021-37137" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137" }, { "category": "external", "summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", "url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv" } ], "release_date": "2021-09-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T18:38:45+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.2, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5127" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T18:38:45+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.2, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5127" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" ], "known_not_affected": [ "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-14T18:38:45+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.2, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html", "product_ids": [ "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5127" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x", "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le", "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2022_1296
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1296", "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22899", "url": "https://issues.redhat.com/browse/JBEAP-22899" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1296.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2024-11-15T14:47:17+00:00", "generator": { "date": "2024-11-15T14:47:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2022:1296", "initial_release_date": "2022-04-11T12:59:41+00:00", "revision_history": [ { "date": "2022-04-11T12:59:41+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T12:59:41+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T14:47:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el7eap?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64@2.2.0-2.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el7eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-core@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-entitymanager@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-envers@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-java8@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-compensations@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbosstxbridge@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbossxts@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-idlj@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-integration@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-api@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-bridge@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-integration@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-util@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-txframework@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-cli@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-commons@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-core-client@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-dto@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hornetq-protocol@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hqclient-protocol@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jdbc-store@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-client@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-server@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-journal@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-ra@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-selector@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-server@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-service-extensions@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-tools@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.11-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-component-annotations@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-commons@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-spi@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-v53@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el7eap?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-java@2.2.0-3.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_id": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64@2.2.0-2.Final_redhat_00002.1.el7eap?arch=x86_64" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_id": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64-debuginfo@2.2.0-2.Final_redhat_00002.1.el7eap?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021_5148
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.8.24 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact\nof Critical. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5148", "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5148.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.8.24 extras security update", "tracking": { "current_release_date": "2024-11-21T21:15:16+00:00", "generator": { "date": "2024-11-21T21:15:16+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:5148", "initial_release_date": "2021-12-15T20:09:32+00:00", "revision_history": [ { "date": "2021-12-15T20:09:32+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T16:08:07+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:15:16+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.8", "product": { "name": "Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.8::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "product": { "name": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "product_id": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hadoop\u0026tag=v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1" } } }, { "category": "product_version", "name": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "product": { "name": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "product_id": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-presto\u0026tag=v4.8.0-202112150431.p0.g4b934ae.assembly.art3599" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" }, "product_reference": "openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" }, "product_reference": "openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-15T20:09:32+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-15T20:09:32+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-15T20:09:32+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:5cc4e959806f4e9cd47b5d8a505b8c6c86775632aee35908a0928bfeede818ad_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:d0d3215ab63ee9893806eedf23fbb2b2237683fbe9c20138b1450f89a231092f_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop@sha256:50ecba62addb91627e4adad209f95fb910cc16584a1437764e1585430fec30a1_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto@sha256:2c449bb93534c6dc17961624ff67bd9e7ef07b5799367a4e0467f8dcadeaf35f_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
wid-sec-w-2022-0352
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Apache log4j ist ein Framework zum Loggen von Anwendungsmeldungen in Java.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache log4j ausnutzen, um beliebigen Code auszuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows\n- CISCO Appliance\n- Juniper Appliance\n- NetApp Appliance\n- Native Hypervisor\n- Applicance\n- Sonstiges\n- Hardware Appliance", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-0352 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-0352.json" }, { "category": "self", "summary": "WID-SEC-2022-0352 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0352" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2022-225 vom 2022-12-09", "url": "https://alas.aws.amazon.com/AL2022/ALAS-2022-225.html" }, { "category": "external", "summary": "Apache Log4j Security Vulnerabilities vom 2021-12-13", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "Lunasec Blog \"Log4Shell Update\" vom 2021-12-14", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/" }, { "category": "external", "summary": "HCL Article KB0095516 vom 2021-12-16", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0095516" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5148 vom 2021-12-16", "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "external", "summary": "Ubuntu Security Notice USN-5197-1 vom 2021-12-15", "url": "https://ubuntu.com/security/notices/USN-5197-1" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5106 vom 2021-12-16", "url": "https://access.redhat.com/errata/RHSA-2021:5106" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2021-1730 vom 2021-12-16", "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1730.html" }, { "category": "external", "summary": "IBM Security Bulletin 6526750 vom 2021-12-16", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-log4j-affect-the-ibm-websphere-application-server-and-ibm-websphere-application-server-liberty-cve-2021-4104-cve-2021-45046/" }, { "category": "external", "summary": "Debian Security Advisory DSA-5022 vom 2021-12-16", "url": "https://lists.debian.org/debian-security-announce/2021/msg00208.html" }, { "category": "external", "summary": "CloudFlare Blog vom 2021-12-16", "url": "https://blog.cloudflare.com/protection-against-cve-2021-45046-the-additional-log4j-rce-vulnerability/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5186 vom 2021-12-17", "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "external", "summary": "Cisco Security Advisory CISCO-SA-APACHE-LOG4J-QRUKNEBD vom 2021-12-17", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5183 vom 2021-12-17", "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5184 vom 2021-12-17", "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5141 vom 2021-12-16", "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "external", "summary": "Siemens Security Advisory SSA-714170 vom 2021-12-16", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5107 vom 2021-12-16", "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "external", "summary": "Log4j Vulnerabilities Impact On Oracle E-Business Suite Analysis", "url": "https://www.integrigy.com/security-resources/log4j-vulnerabilities-impact-oracle-e-business-suite-analysis" }, { "category": "external", "summary": "Apache Log4j Security Vulnerabilities vom 2021-12-16", "url": "https://logging.apache.org/log4j/2.x/security" }, { "category": "external", "summary": "Apache Log4j Security Vulnerabilities vom 2021-12-16", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "Tibco Apache Log4J Vulnerability Daily Update", "url": "https://www.tibco.com/support/notices/2021/12/apache-log4j-vulnerability-update-archive-6" }, { "category": "external", "summary": "Atos Security Advisory Report - OBSO-2112-01", "url": "https://networks.unify.com/security/advisories/OBSO-2112-01.pdf" }, { "category": "external", "summary": "Avaya Product Security Apache Log4J Vulnerability vom 2021-12-17", "url": "https://support.avaya.com/helpcenter/getGenericDetails?detailId=1399839287609" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2021-1553 vom 2021-12-18", "url": "https://alas.aws.amazon.com/ALAS-2021-1553.html" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALASCORRETTO8-2021-001 vom 2021-12-20", "url": "https://alas.aws.amazon.com/AL2/ALASCORRETTO8-2021-001.html" }, { "category": "external", "summary": "IBM Security Bulletin 6527924 vom 2021-12-17", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-blockchain-bridge-dependencies-are-vulnerable-to-an-issue-in-apache-log4j-cve-2021-45046/" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALASJAVA-OPENJDK11-2021-001 vom 2021-12-20", "url": "https://alas.aws.amazon.com/AL2/ALASJAVA-OPENJDK11-2021-001.html" }, { "category": "external", "summary": "HCL Article KB0095587 vom 2021-12-17", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0095587" }, { "category": "external", "summary": "Citrix Security Advisory CTX335705 vom 2021-12-20", "url": "https://support.citrix.com/article/CTX335705" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2021-1731 vom 2021-12-18", "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1731.html" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2021-004 vom 2021-12-18", "url": "https://alas.aws.amazon.com/AL2022/ALAS-2021-004.html" }, { "category": "external", "summary": "IBM Security Bulletin 6528372 vom 2021-12-21", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-log4shell-vulnerability-affects-ibm-spss-statistics-cve-2021-45046/" }, { "category": "external", "summary": "NetApp Security Advisory NTAP-20211215-0001 vom 2021-12-20", "url": "https://security.netapp.com/advisory/ntap-20211215-0001/" }, { "category": "external", "summary": "Apache Log4j 2 Release Notes", "url": "https://logging.apache.org/log4j/log4j-2.12.3/index.html" }, { "category": "external", "summary": "IBM Security Bulletin 6528672 vom 2021-12-22", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-log4j-affects-some-features-of-ibm-db2-cve-2021-45046-cve-2021-45105/" }, { "category": "external", "summary": "Incident Report for F-Secure services", "url": "https://status.f-secure.com/incidents/sk8vmr0h34pd" }, { "category": "external", "summary": "Apache Log4j2 Advisory", "url": "https://logging.apache.org/log4j/log4j-2.3.1/index.html" }, { "category": "external", "summary": "IBM Security Bulletin 6529162 vom 2021-12-22", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache-log4j-cve-2021-45046-impacts-ibm-qradar-user-behavior-analytics-add-on-to-ibm-qradar-siem/" }, { "category": "external", "summary": "IBM Security Bulletin 6536704 vom 2021-12-23", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affects-spss-collaboration-and-deployment-services/" }, { "category": "external", "summary": "IBM Security Bulletin 6536870 vom 2021-12-23", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spss-analytic-server-cve-2021-45105-and-cve-2021-45046/" }, { "category": "external", "summary": "IBM Security Bulletin 6536868 vom 2021-12-23", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-have-been-identified-in-apache-log4j-shipped-with-ibm-tivoli-netcool-omnibus-common-integration-libraries-cve-2021-4104-cve-2021-45046-cve-2021-44228/" }, { "category": "external", "summary": "WIBU Security Advisory WIBU-211215-01 vom 2021-12-23", "url": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/Advisory_WIBU-211215-01.pdf" }, { "category": "external", "summary": "IBM Security Bulletin 6537184 vom 2021-12-27", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilities-cve-2021-45105-affecting-v2-16-and-cve-2021-45046-affecting-v2-15-affect-ibm-spss-statistics-server/" }, { "category": "external", "summary": "IBM Security Bulletin 6537182 vom 2021-12-27", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilities-cve-2021-45105-affecting-v2-16-and-cve-2021-45046-affecting-v2-15-affect-ibm-spss-statistics-desktop/" }, { "category": "external", "summary": "IBM Security Bulletin 6537186 vom 2021-12-27", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilities-cve-2021-45105-affecting-v2-16-and-cve-2021-45046-affecting-v2-15-affect-ibm-spss-statistics-subscription/" }, { "category": "external", "summary": "IBM Security Bulletin 6537142 vom 2021-12-25", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-vulnerable-to-a-denial-of-service-vulnerability-in-apache-log4j2-component-cve-2021-45105-cve-2021-45046/" }, { "category": "external", "summary": "IBM Security Bulletin 6537180 vom 2021-12-27", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spss-statistics-is-vulnerable-to-denial-of-service-due-to-apache-log4j-cve-2021-45105-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45046/" }, { "category": "external", "summary": "IBM Security Bulletin 6537212 vom 2021-12-28", "url": "https://www.ibm.com/blogs/psirt/security-bulletinibm-spss-modeler-is-vulnerable-to-denial-of-service-due-to-apache-log4j-cve-2021-45105-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45046/" }, { "category": "external", "summary": "IBM Security Bulletin 6537240 vom 2021-12-28", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-spectrum-protect-operations-center-cve-2021-45105-cve-2021-45046/" }, { "category": "external", "summary": "IBM Security Bulletin 6537748 vom 2021-12-31", "url": "https://www.ibm.com/support/pages/node/6537748" }, { "category": "external", "summary": "IBM Security Bulletin 6537636 vom 2022-01-04", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-spectrum-protect-plus-container-backup-and-restore-for-kubernetes-and-openshift-cve-2021-45105-cve-2021-45046/" }, { "category": "external", "summary": "IBM Security Bulletin 6537634 vom 2022-01-04", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-impact-ibm-spectrum-protect-plus-cve-2021-45105-cve-2021-45046/" }, { "category": "external", "summary": "IBM Security Bulletin 6538396 vom 2022-01-06", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-impacts-ibm-spectrum-protect-backup-archive-client-and-ibm-spectrum-protect-for-virtual-environments-cve-2021-45105-cve-2021-45046/" }, { "category": "external", "summary": "IBM Security Bulletin 6537642 vom 2022-01-06", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-spectrum-protect-snapshot-on-windows-cve-2021-45105-and-cve-2021-45046/" }, { "category": "external", "summary": "IBM Security Bulletin 6537640 vom 2022-01-06", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-spectrum-protect-for-space-management-cve-2021-45105-cve-2021-45046/" }, { "category": "external", "summary": "IBM Security Bulletin 6537644 vom 2022-01-07", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-spectrum-protect-snapshot-for-vmware-cve-2021-45105-and-cve-2021-45046/" }, { "category": "external", "summary": "EMC Security Advisory DSA-2021-274 vom 2022-01-09", "url": "https://www.dell.com/support/kbdoc/de-de/000194503/dsa-2021-274-dell-emc-data-domain-security-update-for-apache-log4j-remote-code-execution-vulnerability-cve-2021-44228" }, { "category": "external", "summary": "EMC Security Advisory DSA-2021-309 vom 2022-01-09", "url": "https://www.dell.com/support/kbdoc/de-de/000194651/dsa-2021-309-dell-emc-dpa-security-update-for-apache-log4j-remote-code-execution-vulnerability-cve-2021-44228" }, { "category": "external", "summary": "EMC Security Advisory DSA-2021-277 vom 2022-01-09", "url": "https://www.dell.com/support/kbdoc/de-de/000194480/dsa-2021-277-dell-emc-avamar-update-for-apache-log4j-remote-code-execution-vulnerability-cve-2021-44228" }, { "category": "external", "summary": "HPE Security Bulletin HPESBGN04215 rev.10 vom 2022-01-08", "url": "https://support.hpe.com/hpesc/public/docDisplay?elq_mid=17739\u0026elq_cid=67018031\u0026docId=hpesbgn04215en_us" }, { "category": "external", "summary": "IBM Security Bulletin 6539408 vom 2022-01-11", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-log4j-affect-the-ibm-websphere-application-server-and-ibm-security-guardium-key-lifecycle-manager-cve-2021-4104-cve-2021-45046-cve-2021-45105/" }, { "category": "external", "summary": "IBM Security Bulletin 6538896 vom 2022-01-12", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-blockchain-bridge-dependencies-are-vulnerable-to-an-issue-in-apache-log4j-cve-2021-45105/" }, { "category": "external", "summary": "Juniper Security Bulletin JSA11287 vom 2022-01-12", "url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11287\u0026cat=SIRT_1" }, { "category": "external", "summary": "SoapUI Release 5.6.1", "url": "https://www.soapui.org/downloads/latest-release/release-history/" }, { "category": "external", "summary": "JobScheduler Vulnerability Release 2.2.1 vom 2022-01-11", "url": "https://kb.sos-berlin.com/display/PKB/Vulnerability+Release+2.2.1" }, { "category": "external", "summary": "IBM Security Bulletin 6540542 vom 2022-01-14", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-business-automation-workflow-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-and-cve-2021-45046/" }, { "category": "external", "summary": "IBM Security Advisory", "url": "https://www.ibm.com/support/pages/node/6541182" }, { "category": "external", "summary": "IBM Security Bulletin 6541258 vom 2022-01-18", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-software-architect-realtime-edition-rsa-rt-is-is-vulnerable-to-arbitrary-code-execution-and-denial-of-service-due-to-apache-log4j-cve-2021-44228-cve-2021-45046-and/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0203 vom 2022-01-20", "url": "https://access.redhat.com/errata/RHSA-2022:0203" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0223 vom 2022-01-21", "url": "https://access.redhat.com/errata/RHSA-2022:0223" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0083 vom 2022-01-20", "url": "https://access.redhat.com/errata/RHSA-2022:0083" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0205 vom 2022-01-20", "url": "https://access.redhat.com/errata/RHSA-2022:0205" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0216 vom 2022-01-20", "url": "https://access.redhat.com/errata/RHSA-2022:0216" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0222 vom 2022-01-21", "url": "https://access.redhat.com/errata/RHSA-2022:0222" }, { "category": "external", "summary": "IBM Security Bulletin 6549764 vom 2022-01-22", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-cve-2021-45046/" }, { "category": "external", "summary": "IBM Security Bulletin 6550462 vom 2022-01-25", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-cve-2021-45046/" }, { "category": "external", "summary": "IBM Security Bulletin 6551118 vom 2022-01-27", "url": "https://www.ibm.com/blogs/psirt/security-bulletinibm-db2-on-openshift-and-ibm-db2-and-db2-warehouse-on-cloud-pak-for-data-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache/" }, { "category": "external", "summary": "IBM Security Bulletin 6551310 vom 2022-01-28", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-omnibus-common-integration-libraries-is-vulnerable-to-arbitrary-code-execution-and-denial-of-service-due-to-apache-log4j-cve-2021-44228-cve-2021-45046-cve-2021/" }, { "category": "external", "summary": "EMC Security Advisory DSA-2019-079 vom 2022-01-28", "url": "https://www.dell.com/support/kbdoc/de-de/000194054/dsa-2019-079" }, { "category": "external", "summary": "IBM Security Bulletin 6551390 vom 2022-01-28", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-network-manager-ip-edition-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-and-cve-2021-45046/" }, { "category": "external", "summary": "IBM Security Bulletin 6552546 vom 2022-02-02", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-tivoli-netcool-omnibus-installation-contains-vulnerable-apache-log4j-code-cve-2021-44832-cve-2021-45046-cve-2021-45105/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0431 vom 2022-02-03", "url": "https://access.redhat.com/errata/RHSA-2022:0431" }, { "category": "external", "summary": "HCL Article KB0097471 vom 2022-05-18", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097471" }, { "category": "external", "summary": "IBM Security Bulletin 6565401 vom 2022-03-23", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-big-sql-is-vulnerable-to-arbitrary-code-execution-and-denial-of-service-due-to-apache-log4j-cve-2021-45046-cve-2021-45105/" }, { "category": "external", "summary": "HCL Article KB0097299 vom 2022-03-23", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097299" }, { "category": "external", "summary": "HCL Article KB0097470 vom 2022-03-25", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097470" }, { "category": "external", "summary": "HCL Article KB0096807 vom 2022-03-29", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0096807" }, { "category": "external", "summary": "IBM Security Bulletin 6568843 vom 2022-04-02", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-server-in-cloud-pak-for-data-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-cve-2021-45046/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1299 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1296 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1297 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "external", "summary": "IBM Security Bulletin 6572685 vom 2022-04-16", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-server-is-vulnerable-to-denial-of-service-cve-2021-45105-and-remote-code-execution-cve-2021-45046-due-to-apache-log4j/" }, { "category": "external", "summary": "HCL Article KB0097650 vom 2022-04-23", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097650" }, { "category": "external", "summary": "HCL Article KB0097639 vom 2022-04-23", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097639" }, { "category": "external", "summary": "AVAYA Security Advisory ASA-2022-001 vom 2022-04-25", "url": "https://downloads.avaya.com/css/P8/documents/101081576" }, { "category": "external", "summary": "HCL Article KB0097787 vom 2022-04-28", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097787" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2022-1601 vom 2022-06-15", "url": "https://alas.aws.amazon.com/ALAS-2022-1601.html" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2022-1806 vom 2022-06-15", "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1806.html" }, { "category": "external", "summary": "HCL Article KB0099131 vom 2022-07-24", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099131" }, { "category": "external", "summary": "HCL Article KB0099671 vom 2022-07-24", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099671" }, { "category": "external", "summary": "HCL Article KB0099128 vom 2022-07-24", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099128" }, { "category": "external", "summary": "HCL Article KB0099667 vom 2022-08-13", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099667" }, { "category": "external", "summary": "HCL Article KB0099669 vom 2022-08-13", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099669" }, { "category": "external", "summary": "HCL Article KB0100505 vom 2022-09-21", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0100505" } ], "source_lang": "en-US", "title": "Apache log4j: Schwachstelle erm\u00f6glicht Codeausf\u00fchrung", "tracking": { "current_release_date": "2022-12-11T23:00:00.000+00:00", "generator": { "date": "2024-02-15T16:48:51.756+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2022-0352", "initial_release_date": "2021-12-14T23:00:00.000+00:00", "revision_history": [ { "date": "2021-12-14T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2021-12-15T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von HCL, Red Hat, Ubuntu, Amazon und IBM aufgenommen" }, { "date": "2021-12-16T23:00:00.000+00:00", "number": "3", "summary": "Anpassung auf Codeausf\u00fchrung, Hinweis auf Ausnutzung, neue Updates und betroffene Produkte aufgenommen" }, { "date": "2021-12-19T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Amazon, IBM, HCL und Citrix aufgenommen" }, { "date": "2021-12-20T23:00:00.000+00:00", "number": "5", "summary": "Neue Updates von IBM und NetApp aufgenommen" }, { "date": "2021-12-21T23:00:00.000+00:00", "number": "6", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2021-12-22T23:00:00.000+00:00", "number": "7", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2021-12-23T23:00:00.000+00:00", "number": "8", "summary": "Neue Updates von WIBU-SYSTEMS aufgenommen" }, { "date": "2021-12-26T23:00:00.000+00:00", "number": "9", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2021-12-27T23:00:00.000+00:00", "number": "10", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-02T23:00:00.000+00:00", "number": "11", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-03T23:00:00.000+00:00", "number": "12", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-05T23:00:00.000+00:00", "number": "13", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-06T23:00:00.000+00:00", "number": "14", "summary": "Neue Updates von IBM und Cisco aufgenommen" }, { "date": "2022-01-09T23:00:00.000+00:00", "number": "15", "summary": "Neue Updates von EMC und HP aufgenommen" }, { "date": "2022-01-10T23:00:00.000+00:00", "number": "16", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-11T23:00:00.000+00:00", "number": "17", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-12T23:00:00.000+00:00", "number": "18", "summary": "Neue Updates von Juniper, SmartBear und SOS GmbH aufgenommen" }, { "date": "2022-01-13T23:00:00.000+00:00", "number": "19", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-16T23:00:00.000+00:00", "number": "20", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-17T23:00:00.000+00:00", "number": "21", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-19T23:00:00.000+00:00", "number": "22", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-01-20T23:00:00.000+00:00", "number": "23", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-01-23T23:00:00.000+00:00", "number": "24", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-24T23:00:00.000+00:00", "number": "25", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-26T23:00:00.000+00:00", "number": "26", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-27T23:00:00.000+00:00", "number": "27", "summary": "Neue Updates von IBM und EMC aufgenommen" }, { "date": "2022-02-01T23:00:00.000+00:00", "number": "28", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-02-03T23:00:00.000+00:00", "number": "29", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-03-22T23:00:00.000+00:00", "number": "30", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-03-24T23:00:00.000+00:00", "number": "31", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-03-29T22:00:00.000+00:00", "number": "32", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-04-03T22:00:00.000+00:00", "number": "33", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-04-11T22:00:00.000+00:00", "number": "34", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-04-18T22:00:00.000+00:00", "number": "35", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-04-24T22:00:00.000+00:00", "number": "36", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-04-26T22:00:00.000+00:00", "number": "37", "summary": "Neue Updates von AVAYA aufgenommen" }, { "date": "2022-04-27T22:00:00.000+00:00", "number": "38", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-05-17T22:00:00.000+00:00", "number": "39", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-06-16T22:00:00.000+00:00", "number": "40", "summary": "Neue Updates von Amazon aufgenommen" }, { "date": "2022-07-24T22:00:00.000+00:00", "number": "41", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-08-14T22:00:00.000+00:00", "number": "42", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-09-20T22:00:00.000+00:00", "number": "43", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-12-11T23:00:00.000+00:00", "number": "44", "summary": "Neue Updates von Amazon aufgenommen" } ], "status": "final", "version": "44" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Amazon Linux 2", "product": { "name": "Amazon Linux 2", "product_id": "398363", "product_identification_helper": { "cpe": "cpe:/o:amazon:linux_2:-" } } } ], "category": "vendor", "name": "Amazon" }, { "branches": [ { "category": "product_name", "name": "Apache Solr", "product": { "name": "Apache Solr", "product_id": "T021248", "product_identification_helper": { "cpe": "cpe:/a:apache:solr:-" } } }, { "branches": [ { "category": "product_name", "name": "Apache log4j \u003c 2.12.2", "product": { "name": "Apache log4j \u003c 2.12.2", "product_id": "T021307", "product_identification_helper": { "cpe": "cpe:/a:apache:log4j:2.12.2" } } }, { "category": "product_name", "name": "Apache log4j \u003c 2.16.0", "product": { "name": "Apache log4j \u003c 2.16.0", "product_id": "T021308", "product_identification_helper": { "cpe": "cpe:/a:apache:log4j:2.16.0" } } }, { "category": "product_name", "name": "Apache log4j \u003c 2.3.1", "product": { "name": "Apache log4j \u003c 2.3.1", "product_id": "T021413", "product_identification_helper": { "cpe": "cpe:/a:apache:log4j:2.3.1" } } }, { "category": "product_name", "name": "Apache log4j \u003c 2.12.3", "product": { "name": "Apache log4j \u003c 2.12.3", "product_id": "T021414", "product_identification_helper": { "cpe": "cpe:/a:apache:log4j:2.12.3" } } } ], "category": "product_name", "name": "log4j" } ], "category": "vendor", "name": "Apache" }, { "branches": [ { "category": "product_name", "name": "Avaya Analytics", "product": { "name": "Avaya Analytics", "product_id": "T021375", "product_identification_helper": { "cpe": "cpe:/a:avaya:analytics:-" } } }, { "category": "product_name", "name": "Avaya Aura Application Enablement Services", "product": { "name": "Avaya Aura Application Enablement Services", "product_id": "T015516", "product_identification_helper": { "cpe": "cpe:/a:avaya:aura_application_enablement_services:-" } } }, { "category": "product_name", "name": "Avaya Aura Device Services", "product": { "name": "Avaya Aura Device Services", "product_id": "T015517", "product_identification_helper": { "cpe": "cpe:/a:avaya:aura_device_services:-" } } }, { "category": "product_name", "name": "Avaya Aura Media Server", "product": { "name": "Avaya Aura Media Server", "product_id": "1017", "product_identification_helper": { "cpe": "cpe:/a:avaya:media_server:-" } } }, { "category": "product_name", "name": "Avaya Aura Session Manager", "product": { "name": "Avaya Aura Session Manager", "product_id": "T015127", "product_identification_helper": { "cpe": "cpe:/a:avaya:session_manager:-" } } }, { "category": "product_name", "name": "Avaya Aura System Manager", "product": { "name": "Avaya Aura System Manager", "product_id": "T015518", "product_identification_helper": { "cpe": "cpe:/a:avaya:aura_system_manager:-" } } }, { "category": "product_name", "name": "Avaya Aura Web Gateway", "product": { "name": "Avaya Aura Web Gateway", "product_id": "T021376", "product_identification_helper": { "cpe": "cpe:/a:avaya:aura_web_gateway:-" } } }, { "category": "product_name", "name": "Avaya Breeze Platform", "product": { "name": "Avaya Breeze Platform", "product_id": "T015823", "product_identification_helper": { "cpe": "cpe:/a:avaya:breeze_platform:-" } } }, { "category": "product_name", "name": "Avaya Oceana", "product": { "name": "Avaya Oceana", "product_id": "T016589", "product_identification_helper": { "cpe": "cpe:/a:avaya:oceana:-" } } }, { "category": "product_name", "name": "Avaya Session Border Controller", "product": { "name": "Avaya Session Border Controller", "product_id": "T015520", "product_identification_helper": { "cpe": "cpe:/h:avaya:session_border_controller:-" } } } ], "category": "vendor", "name": "Avaya" }, { "branches": [ { "category": "product_name", "name": "Cisco Application Policy Infrastructure Controller", "product": { "name": "Cisco Application Policy Infrastructure Controller", "product_id": "778219", "product_identification_helper": { "cpe": "cpe:/a:cisco:application_policy_infrastructure_controller:-" } } }, { "category": "product_name", "name": "Cisco Emergency Responder (ER)", "product": { "name": "Cisco Emergency Responder (ER)", "product_id": "2040", "product_identification_helper": { "cpe": "cpe:/a:cisco:emergency_responder:-" } } }, { "category": "product_name", "name": "Cisco Finesse", "product": { "name": "Cisco Finesse", "product_id": "199167", "product_identification_helper": { "cpe": "cpe:/a:cisco:finesse:-" } } }, { "category": "product_name", "name": "Cisco Firepower", "product": { "name": "Cisco Firepower", "product_id": "T011337", "product_identification_helper": { "cpe": "cpe:/a:cisco:firepower:-" } } }, { "category": "product_name", "name": "Cisco Identity Services Engine (ISE)", "product": { "name": "Cisco Identity Services Engine (ISE)", "product_id": "T000612", "product_identification_helper": { "cpe": "cpe:/a:cisco:identity_services_engine_software:-" } } }, { "category": "product_name", "name": "Cisco Integrated Management Controller", "product": { "name": "Cisco Integrated Management Controller", "product_id": "T014392", "product_identification_helper": { "cpe": "cpe:/a:cisco:integrated_management_controller:-" } } }, { "category": "product_name", "name": "Cisco Network Services Orchestrator", "product": { "name": "Cisco Network Services Orchestrator", "product_id": "T021358", "product_identification_helper": { "cpe": "cpe:/a:cisco:network_services_orchestrator:-" } } }, { "category": "product_name", "name": "Cisco Nexus", "product": { "name": "Cisco Nexus", "product_id": "T013714", "product_identification_helper": { "cpe": "cpe:/h:cisco:nexus:-" } } }, { "category": "product_name", "name": "Cisco SD-WAN", "product": { "name": "Cisco SD-WAN", "product_id": "T015770", "product_identification_helper": { "cpe": "cpe:/a:cisco:sd_wan:-" } } }, { "branches": [ { "category": "product_name", "name": "Cisco Unified Communications Manager (CUCM)", "product": { "name": "Cisco Unified Communications Manager (CUCM)", "product_id": "2142", "product_identification_helper": { "cpe": "cpe:/a:cisco:unified_communications_manager:-" } } }, { "category": "product_name", "name": "Cisco Unified Communications Manager (CUCM) Session Management Edition", "product": { "name": "Cisco Unified Communications Manager (CUCM) Session Management Edition", "product_id": "T016315", "product_identification_helper": { "cpe": "cpe:/a:cisco:unified_communications_manager:session_management_edition" } } } ], "category": "product_name", "name": "Unified Communications Manager (CUCM)" }, { "category": "product_name", "name": "Cisco Unified Communications Manager IM \u0026 Presence Service", "product": { "name": "Cisco Unified Communications Manager IM \u0026 Presence Service", "product_id": "915287", "product_identification_helper": { "cpe": "cpe:/a:cisco:unified_communications_manager_im_and_presence_service:-" } } }, { "category": "product_name", "name": "Cisco Unified Computing System (UCS)", "product": { "name": "Cisco Unified Computing System (UCS)", "product_id": "163824", "product_identification_helper": { "cpe": "cpe:/h:cisco:unified_computing_system:-" } } }, { "category": "product_name", "name": "Cisco Unified Contact Center Enterprise", "product": { "name": "Cisco Unified Contact Center Enterprise", "product_id": "2143", "product_identification_helper": { "cpe": "cpe:/a:cisco:unified_contact_center_enterprise:-" } } }, { "category": "product_name", "name": "Cisco Unified Contact Center Express (UCCX)", "product": { "name": "Cisco Unified Contact Center Express (UCCX)", "product_id": "915286", "product_identification_helper": { "cpe": "cpe:/a:cisco:unified_contact_center_express:-" } } }, { "category": "product_name", "name": "Cisco Unified Intelligence Center", "product": { "name": "Cisco Unified Intelligence Center", "product_id": "T018811", "product_identification_helper": { "cpe": "cpe:/a:cisco:unified_intelligence_center:-" } } }, { "category": "product_name", "name": "Cisco Unity Connection", "product": { "name": "Cisco Unity Connection", "product_id": "T002044", "product_identification_helper": { "cpe": "cpe:/a:cisco:unity_connection:-" } } }, { "category": "product_name", "name": "Cisco Video Surveillance Operations Manager", "product": { "name": "Cisco Video Surveillance Operations Manager", "product_id": "196088", "product_identification_helper": { "cpe": "cpe:/a:cisco:video_surveillance_operations_manager:-" } } }, { "category": "product_name", "name": "Cisco WebEx Meetings Server", "product": { "name": "Cisco WebEx Meetings Server", "product_id": "T001160", "product_identification_helper": { "cpe": "cpe:/a:cisco:webex_meetings_server:-" } } } ], "category": "vendor", "name": "Cisco" }, { "branches": [ { "category": "product_name", "name": "Citrix Systems Virtual Apps and Desktops", "product": { "name": "Citrix Systems Virtual Apps and Desktops", "product_id": "876876", "product_identification_helper": { "cpe": "cpe:/a:citrix:virtual_apps_and_desktops:-::~~-~~~" } } } ], "category": "vendor", "name": "Citrix Systems" }, { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "category": "product_name", "name": "Dell Data Protection Advisor", "product": { "name": "Dell Data Protection Advisor", "product_id": "T021498", "product_identification_helper": { "cpe": "cpe:/a:dell:data_protection_advisor:-" } } } ], "category": "vendor", "name": "Dell" }, { "branches": [ { "category": "product_name", "name": "EMC Avamar", "product": { "name": "EMC Avamar", "product_id": "T014381", "product_identification_helper": { "cpe": "cpe:/a:emc:avamar:-" } } }, { "category": "product_name", "name": "EMC Data Domain", "product": { "name": "EMC Data Domain", "product_id": "T021496", "product_identification_helper": { "cpe": "cpe:/o:emc:data_domain:-" } } }, { "category": "product_name", "name": "EMC Data Domain OS", "product": { "name": "EMC Data Domain OS", "product_id": "T006099", "product_identification_helper": { "cpe": "cpe:/o:emc:data_domain_os:-" } } } ], "category": "vendor", "name": "EMC" }, { "branches": [ { "category": "product_name", "name": "F-Secure Policy Manager", "product": { "name": "F-Secure Policy Manager", "product_id": "T021242", "product_identification_helper": { "cpe": "cpe:/a:f-secure:policy_manager:-" } } } ], "category": "vendor", "name": "F-Secure" }, { "branches": [ { "branches": [ { "category": "product_name", "name": "HCL Commerce", "product": { "name": "HCL Commerce", "product_id": "T019293", "product_identification_helper": { "cpe": "cpe:/a:hcltechsw:commerce:-" } } }, { "category": "product_name", "name": "HCL Commerce Big SQL", "product": { "name": "HCL Commerce Big SQL", "product_id": "T019294", "product_identification_helper": { "cpe": "cpe:/a:hcltechsw:commerce:-" } } } ], "category": "product_name", "name": "Commerce" }, { "category": "product_name", "name": "HCL Domino", "product": { "name": "HCL Domino", "product_id": "777623", "product_identification_helper": { "cpe": "cpe:/a:hcltech:domino:-" } } }, { "category": "product_name", "name": "HCL Notes", "product": { "name": "HCL Notes", "product_id": "763192", "product_identification_helper": { "cpe": "cpe:/a:hcltech:notes:9.0" } } } ], "category": "vendor", "name": "HCL" }, { "branches": [ { "category": "product_name", "name": "IBM Business Automation Workflow", "product": { "name": "IBM Business Automation Workflow", "product_id": "T019704", "product_identification_helper": { "cpe": "cpe:/a:ibm:business_automation_workflow:-" } } }, { "branches": [ { "category": "product_name", "name": "IBM DB2", "product": { "name": "IBM DB2", "product_id": "5104", "product_identification_helper": { "cpe": "cpe:/a:ibm:db2:-" } } }, { "category": "product_name", "name": "IBM DB2 Big SQL", "product": { "name": "IBM DB2 Big SQL", "product_id": "T022379", "product_identification_helper": { "cpe": "cpe:/a:ibm:db2:big_sql" } } } ], "category": "product_name", "name": "DB2" }, { "branches": [ { "category": "product_name", "name": "IBM MQ", "product": { "name": "IBM MQ", "product_id": "T021398", "product_identification_helper": { "cpe": "cpe:/a:ibm:mq:-" } } }, { "category": "product_name", "name": "IBM MQ Blockchain Bridge", "product": { "name": "IBM MQ Blockchain Bridge", "product_id": "T021543", "product_identification_helper": { "cpe": "cpe:/a:ibm:mq:::blockchain_bridge" } } } ], "category": "product_name", "name": "MQ" }, { "category": "product_name", "name": "IBM QRadar SIEM", "product": { "name": "IBM QRadar SIEM", "product_id": "T021415", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:-" } } }, { "category": "product_name", "name": "IBM Rational Software Architect", "product": { "name": "IBM Rational Software Architect", "product_id": "T005181", "product_identification_helper": { "cpe": "cpe:/a:ibm:rational_software_architect:-" } } }, { "category": "product_name", "name": "IBM SPSS", "product": { "name": "IBM SPSS", "product_id": "T013570", "product_identification_helper": { "cpe": "cpe:/a:ibm:spss:-" } } }, { "branches": [ { "category": "product_name", "name": "IBM Security Guardium", "product": { "name": "IBM Security Guardium", "product_id": "T021345", "product_identification_helper": { "cpe": "cpe:/a:ibm:security_guardium:-" } } }, { "category": "product_name", "name": "IBM Security Guardium Insights", "product": { "name": "IBM Security Guardium Insights", "product_id": "T021405", "product_identification_helper": { "cpe": "cpe:/a:ibm:security_guardium:::insights" } } } ], "category": "product_name", "name": "Security Guardium" }, { "category": "product_name", "name": "IBM Spectrum Protect", "product": { "name": "IBM Spectrum Protect", "product_id": "T013661", "product_identification_helper": { "cpe": "cpe:/a:ibm:spectrum_protect:-" } } }, { "category": "product_name", "name": "IBM Spectrum Scale", "product": { "name": "IBM Spectrum Scale", "product_id": "T019402", "product_identification_helper": { "cpe": "cpe:/a:ibm:spectrum_scale:-" } } }, { "category": "product_name", "name": "IBM Tivoli Netcool/OMNIbus", "product": { "name": "IBM Tivoli Netcool/OMNIbus", "product_id": "T004181", "product_identification_helper": { "cpe": "cpe:/a:ibm:tivoli_netcool%2fomnibus:-" } } }, { "category": "product_name", "name": "IBM WebSphere Application Server", "product": { "name": "IBM WebSphere Application Server", "product_id": "5198", "product_identification_helper": { "cpe": "cpe:/a:ibm:websphere_application_server:-" } } } ], "category": "vendor", "name": "IBM" }, { "branches": [ { "category": "product_name", "name": "Juniper Junos Space", "product": { "name": "Juniper Junos Space", "product_id": "T003343", "product_identification_helper": { "cpe": "cpe:/a:juniper:junos_space:-" } } } ], "category": "vendor", "name": "Juniper" }, { "branches": [ { "category": "product_name", "name": "NetApp ActiveIQ Unified Manager", "product": { "name": "NetApp ActiveIQ Unified Manager", "product_id": "T016960", "product_identification_helper": { "cpe": "cpe:/a:netapp:active_iq_unified_manager:-" } } } ], "category": "vendor", "name": "NetApp" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SOS GmbH JobScheduler", "product": { "name": "SOS GmbH JobScheduler", "product_id": "T021263", "product_identification_helper": { "cpe": "cpe:/a:sos_gmbh:jobscheduler:-" } } } ], "category": "vendor", "name": "SOS GmbH" }, { "branches": [ { "category": "product_name", "name": "SmartBear SoapUI", "product": { "name": "SmartBear SoapUI", "product_id": "T021577", "product_identification_helper": { "cpe": "cpe:/a:smartbear:soapui:-" } } } ], "category": "vendor", "name": "SmartBear" }, { "branches": [ { "category": "product_name", "name": "TIBCO Spotfire", "product": { "name": "TIBCO Spotfire", "product_id": "T009185", "product_identification_helper": { "cpe": "cpe:/a:tibco:spotfire:-" } } }, { "category": "product_name", "name": "TIBCO Spotfire Statistics Services", "product": { "name": "TIBCO Spotfire Statistics Services", "product_id": "T021366", "product_identification_helper": { "cpe": "cpe:/a:tibco:spotfire_statistics_services:-" } } } ], "category": "vendor", "name": "TIBCO" }, { "branches": [ { "category": "product_name", "name": "Ubuntu Linux", "product": { "name": "Ubuntu Linux", "product_id": "T000126", "product_identification_helper": { "cpe": "cpe:/o:canonical:ubuntu_linux:-" } } } ], "category": "vendor", "name": "Ubuntu" }, { "branches": [ { "category": "product_name", "name": "Unify OpenScape Contact Center", "product": { "name": "Unify OpenScape Contact Center", "product_id": "T008876", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_contact_center:-" } } }, { "category": "product_name", "name": "Unify OpenScape Mediaserver", "product": { "name": "Unify OpenScape Mediaserver", "product_id": "T018253", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_mediaserver:-" } } }, { "category": "product_name", "name": "Unify OpenScape UC Application", "product": { "name": "Unify OpenScape UC Application", "product_id": "T015712", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_uc_application:-" } } }, { "category": "product_name", "name": "Unify OpenScape Voice", "product": { "name": "Unify OpenScape Voice", "product_id": "T008873", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_voice:-" } } } ], "category": "vendor", "name": "Unify" }, { "branches": [ { "category": "product_name", "name": "VMware Carbon Black Cloud Workload", "product": { "name": "VMware Carbon Black Cloud Workload", "product_id": "950382", "product_identification_helper": { "cpe": "cpe:/a:vmware:carbon_black_cloud_workload:-" } } }, { "category": "product_name", "name": "VMware Cloud Director Object Storage Extension", "product": { "name": "VMware Cloud Director Object Storage Extension", "product_id": "T021402", "product_identification_helper": { "cpe": "cpe:/a:vmware:cloud_director:object_storage_extension" } } }, { "category": "product_name", "name": "VMware Cloud Foundation", "product": { "name": "VMware Cloud Foundation", "product_id": "658718", "product_identification_helper": { "cpe": "cpe:/a:vmware:cloud_foundation:-" } } }, { "category": "product_name", "name": "VMware Horizon", "product": { "name": "VMware Horizon", "product_id": "T021252", "product_identification_helper": { "cpe": "cpe:/a:vmware:horizon:-" } } }, { "category": "product_name", "name": "VMware Identity Manager", "product": { "name": "VMware Identity Manager", "product_id": "T021253", "product_identification_helper": { "cpe": "cpe:/a:vmware:identity_manger:-" } } }, { "category": "product_name", "name": "VMware NSX Data Center for vSphere", "product": { "name": "VMware NSX Data Center for vSphere", "product_id": "393634", "product_identification_helper": { "cpe": "cpe:/a:vmware:nsx_data_center:-" } } }, { "category": "product_name", "name": "VMware SD-WAN by VeloCloud", "product": { "name": "VMware SD-WAN by VeloCloud", "product_id": "T021403", "product_identification_helper": { "cpe": "cpe:/a:vmware:sd-wan_by_velocloud:-" } } }, { "branches": [ { "category": "product_name", "name": "VMware Workspace One Access Connector", "product": { "name": "VMware Workspace One Access Connector", "product_id": "T021254", "product_identification_helper": { "cpe": "cpe:/a:vmware:workspace_one_access:::connector" } } }, { "category": "product_name", "name": "VMware Workspace One Access", "product": { "name": "VMware Workspace One Access", "product_id": "T021255", "product_identification_helper": { "cpe": "cpe:/a:vmware:workspace_one_access:-" } } } ], "category": "product_name", "name": "Workspace One Access" }, { "category": "product_name", "name": "VMware vCenter Server", "product": { "name": "VMware vCenter Server", "product_id": "T012302", "product_identification_helper": { "cpe": "cpe:/a:vmware:vcenter_server:-" } } }, { "category": "product_name", "name": "VMware vRealize Log Insight", "product": { "name": "VMware vRealize Log Insight", "product_id": "T021256", "product_identification_helper": { "cpe": "cpe:/a:vmware:vcenter_log_insight:-" } } }, { "branches": [ { "category": "product_name", "name": "VMware vRealize Operations", "product": { "name": "VMware vRealize Operations", "product_id": "T021257", "product_identification_helper": { "cpe": "cpe:/a:vmware:vrealize_operations:-" } } }, { "category": "product_name", "name": "VMware vRealize Operations Cloud Proxy", "product": { "name": "VMware vRealize Operations Cloud Proxy", "product_id": "T021404", "product_identification_helper": { "cpe": "cpe:/a:vmware:vrealize_operations:::cloud_proxy" } } } ], "category": "product_name", "name": "vRealize Operations" } ], "category": "vendor", "name": "VMware" }, { "branches": [ { "category": "product_name", "name": "Wibu-Systems CodeMeter", "product": { "name": "Wibu-Systems CodeMeter", "product_id": "812997", "product_identification_helper": { "cpe": "cpe:/a:wibu:codemeter:-" } } } ], "category": "vendor", "name": "Wibu-Systems" }, { "branches": [ { "category": "product_name", "name": "TIBCO Managed File Transfer", "product": { "name": "TIBCO Managed File Transfer", "product_id": "T021367", "product_identification_helper": { "cpe": "cpe:/a:tibco:managed_file_transfer_internet_server:-" } } } ], "category": "vendor", "name": "tibco" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-45046", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Apache log4j, da die \"Log4Shell\" Schwachstelle (CVE-2021-44228) nicht vollst\u00e4ndig behoben wurde. JNDI Lookups sind weiterhin m\u00f6glich. Es sind bestimmte Konfigurationen betroffen, die nicht im Auslieferungszustand bestehen. Ein entfernter, anonymer Angreifer kann dies ausnutzen, um Code auszuf\u00fchren." } ], "product_status": { "known_affected": [ "T001160", "T008876", "T008873", "T003343", "T019294", "T015127", "T019293", "T015520", "T013661", "658718", "876876", "T021577", "1017", "T021257", "T014392", "T021256", "T021498", "T021415", "398363", "950382", "T021255", "T021376", "T021254", "T021375", "T021496", "T021253", "T006099", "T021252", "163824", "5198", "T015518", "T015517", "T015516", "T015712", "393634", "2040", "T016960", "T018253", "T013570", "T021345", "T021543", "T014381", "2951", "T018811", "T019704", "5104", "T004181", "196088", "777623", "T002044", "763192", "T021263", "67646", "T015823", "812997", "T016315", "T021358", "T000612", "T005181", "199167", "T009185", "T021398", "T013714", "T011337", "T012302", "2143", "2142", "T016589", "T015770", "T021248", "T021402", "T021367", "T019402", "T021366", "T021405", "T022379", "T000126", "T021404", "T021403", "778219", "915287", "915286", "T021242" ] }, "release_date": "2021-12-14T23:00:00Z", "title": "CVE-2021-45046" } ] }
wid-sec-w-2023-0063
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Junos Space ist eine Software-Plattform, die eine Reihe von Applikationen f\u00fcr das Netzwerkmanagement beinhaltet.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Juniper Junos Space ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern.", "title": "Angriff" }, { "category": "general", "text": "- Juniper Appliance", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0063 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2023-0063.json" }, { "category": "self", "summary": "WID-SEC-2023-0063 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0063" }, { "category": "external", "summary": "Juniper Security Advisory JSA70182 vom 2023-01-12", "url": "https://supportportal.juniper.net/s/article/2023-01-Security-Bulletin-Contrail-Service-Orchestration-Multiple-vulnerabilities-resolved-in-CSO-6-3-0?language=en_US" }, { "category": "external", "summary": "Juniper Security Advisory vom 2022-01-12", "url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11287\u0026cat=SIRT_1" } ], "source_lang": "en-US", "title": "Juniper Junos Space: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-01-11T23:00:00.000+00:00", "generator": { "date": "2024-02-15T17:09:11.163+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-0063", "initial_release_date": "2022-01-12T23:00:00.000+00:00", "revision_history": [ { "date": "2022-01-12T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-01-11T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Juniper aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Juniper Contrail Service Orchestration", "product": { "name": "Juniper Contrail Service Orchestration", "product_id": "T025794", "product_identification_helper": { "cpe": "cpe:/a:juniper:contrail_service_orchestration:-" } } }, { "category": "product_name", "name": "Juniper Junos Space \u003c 21.3R1", "product": { "name": "Juniper Junos Space \u003c 21.3R1", "product_id": "T021576", "product_identification_helper": { "cpe": "cpe:/a:juniper:junos_space:21.3r1" } } } ], "category": "vendor", "name": "Juniper" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17543", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2019-17543" }, { "cve": "CVE-2019-20934", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2019-20934" }, { "cve": "CVE-2020-0543", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-0543" }, { "cve": "CVE-2020-0548", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-0548" }, { "cve": "CVE-2020-0549", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-0549" }, { "cve": "CVE-2020-11022", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-11022" }, { "cve": "CVE-2020-11023", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-11023" }, { "cve": "CVE-2020-11668", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-11668" }, { "cve": "CVE-2020-11984", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-11984" }, { "cve": "CVE-2020-11993", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-11993" }, { "cve": "CVE-2020-12362", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-12362" }, { "cve": "CVE-2020-12363", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-12363" }, { "cve": "CVE-2020-12364", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-12364" }, { "cve": "CVE-2020-1927", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-1927" }, { "cve": "CVE-2020-1934", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-1934" }, { "cve": "CVE-2020-24489", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-24489" }, { "cve": "CVE-2020-24511", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-24511" }, { "cve": "CVE-2020-24512", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-24512" }, { "cve": "CVE-2020-27170", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-27170" }, { "cve": "CVE-2020-27777", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-27777" }, { "cve": "CVE-2020-29443", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-29443" }, { "cve": "CVE-2020-8625", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-8625" }, { "cve": "CVE-2020-8648", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-8648" }, { "cve": "CVE-2020-8695", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-8695" }, { "cve": "CVE-2020-8696", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-8696" }, { "cve": "CVE-2020-8698", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-8698" }, { "cve": "CVE-2020-9490", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-9490" }, { "cve": "CVE-2021-20254", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-20254" }, { "cve": "CVE-2021-22555", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-22555" }, { "cve": "CVE-2021-22901", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-22901" }, { "cve": "CVE-2021-2341", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2341" }, { "cve": "CVE-2021-2342", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2342" }, { "cve": "CVE-2021-2356", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2356" }, { "cve": "CVE-2021-2369", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2369" }, { "cve": "CVE-2021-2372", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2372" }, { "cve": "CVE-2021-2385", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2385" }, { "cve": "CVE-2021-2388", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2388" }, { "cve": "CVE-2021-2389", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2389" }, { "cve": "CVE-2021-2390", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2390" }, { "cve": "CVE-2021-25214", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-25214" }, { "cve": "CVE-2021-25217", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-25217" }, { "cve": "CVE-2021-27219", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-27219" }, { "cve": "CVE-2021-29154", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-29154" }, { "cve": "CVE-2021-29650", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-29650" }, { "cve": "CVE-2021-31535", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-31535" }, { "cve": "CVE-2021-32399", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-32399" }, { "cve": "CVE-2021-33033", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-33033" }, { "cve": "CVE-2021-33034", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-33034" }, { "cve": "CVE-2021-3347", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-3347" }, { "cve": "CVE-2021-33909", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-33909" }, { "cve": "CVE-2021-3653", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-3653" }, { "cve": "CVE-2021-3656", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-3656" }, { "cve": "CVE-2021-3715", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-3715" }, { "cve": "CVE-2021-37576", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-37576" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-4104" }, { "cve": "CVE-2021-42550", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-42550" }, { "cve": "CVE-2021-44228", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-44228" }, { "cve": "CVE-2021-45046", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-45046" } ] }
ghsa-7rjr-3q55-vv33
Vulnerability from github
Impact
The fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack.
Affected packages
Only the org.apache.logging.log4j:log4j-core
package is directly affected by this vulnerability. The org.apache.logging.log4j:log4j-api
should be kept at the same version as the org.apache.logging.log4j:log4j-core
package to ensure compatability if in use.
Mitigation
Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (< 2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.formatMsgNoLookups
to true
do NOT mitigate this specific vulnerability.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core" }, "ranges": [ { "events": [ { "introduced": "2.13.0" }, { "fixed": "2.16.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.12.2" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2021-45046" ], "database_specific": { "cwe_ids": [ "CWE-502", "CWE-917" ], "github_reviewed": true, "github_reviewed_at": "2021-12-14T17:55:00Z", "nvd_published_at": "2021-12-14T19:15:00Z", "severity": "CRITICAL" }, "details": "# Impact\n\nThe fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack. \n\n## Affected packages\nOnly the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use.\n\n# Mitigation\n\nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (\u003c 2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).\n\nLog4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.formatMsgNoLookups` to `true` do NOT mitigate this specific vulnerability.", "id": "GHSA-7rjr-3q55-vv33", "modified": "2024-06-27T21:36:30Z", "published": "2021-12-14T18:01:28Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html" }, { "type": "WEB", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "type": "WEB", "url": "https://www.kb.cert.org/vuls/id/930724" }, { "type": "WEB", "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-5022" }, { "type": "WEB", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "type": "WEB", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202310-16" }, { "type": "WEB", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032" }, { "type": "WEB", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "type": "WEB", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf" }, { "type": "WEB", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf" }, { "type": "WEB", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf" }, { "type": "WEB", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Incomplete fix for Apache Log4j vulnerability" }
gsd-2021-45046
Vulnerability from gsd
{ "GSD": { "affected_component": "unspecified", "alias": "CVE-2021-45046", "attack_vector": "network", "credit": "", "description": "The vulnerability reported in GSD-2021-1002352 (CVE-2021-44228) was not correctly fixed \"in certain non-default configuration\" and a new vulnerability and patch have been released, as such Apache log4js 2.15 is vulnerable. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (\u003c2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "id": "GSD-2021-45046", "impact": "remote code execution", "modified": "2022-09-03T22:57:05Z", "notes": "", "product_name": [ "Log4j", "Log4j2" ], "product_version": "\u003c2.16.0", "references": [ { "name": "https://github.com/logpresso/CVE-2021-44228-Scanner", "type": "EVIDENCE", "url": "https://github.com/logpresso/CVE-2021-44228-Scanner" }, { "content": "Further development of this tool will continue at corretto/hotpatch-for-apache-log4j2.", "name": "https://github.com/simonis/Log4jPatch", "type": "EVIDENCE", "url": "https://github.com/simonis/Log4jPatch" }, { "content": "This is a tool which injects a Java agent into a running JVM process. The agent will attempt to patch the lookup() method of all loaded org.apache.logging.log4j.core.lookup.JndiLookup instances to unconditionally return the string \"Patched JndiLookup::lookup()\". It is designed to address the CVE-2021-44228 remote code execution vulnerability in Log4j without restarting the Java process.", "name": "Log4jHotPatch", "type": "EVIDENCE", "url": "https://github.com/corretto/hotpatch-for-apache-log4j2" }, { "content": "A Byte Buddy Java agent-based fix for CVE-2021-44228, the log4j 2.x \"JNDI LDAP\" vulnerability.\n\nIt does three things:\n\n* Disables the internal method handler for jndi: format strings (\"lookups\").\n* Logs a message to System.err (i.e stderr) indicating that a log4j JNDI attempt has been made (including the format string attempted, with any ${} characters sanitized to prevent transitive injections).\n* Resolves the format string to \"(log4j jndi disabled)\" in the log message (to prevent transitive injections).", "name": "log4j-jndi-be-gone", "type": "EVIDENCE", "url": "https://github.com/nccgroup/log4j-jndi-be-gone" }, { "type": "ADVISORY", "url": "https://www.suse.com/security/cve/CVE-2021-45046.html" }, { "type": "ADVISORY", "url": "https://www.debian.org/security/2021/dsa-5022" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2022:0223" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2022:0222" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2022:0216" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2022:0205" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2022:0203" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2022:0083" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2021:5137" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2021:5129" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2021:5128" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2021:5127" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2021:5108" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2021:5106" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2021:5094" }, { "type": "ADVISORY", "url": "https://ubuntu.com/security/CVE-2021-45046" }, { "type": "ADVISORY", "url": "https://advisories.mageia.org/CVE-2021-45046.html" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "type": "ADVISORY", "url": "https://alas.aws.amazon.com/cve/html/CVE-2021-45046.html" }, "https://access.redhat.com/errata/RHSA-2022:0083" ], "reporter": "kurtseifried", "reporter_id": 582211, "vendor_name": "Apache", "vulnerability_type": "CWE-502 Deserialization of Untrusted Data" }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2021-45046" ], "details": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.", "id": "GSD-2021-45046", "modified": "2023-12-13T01:23:19.942088Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-45046", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Log4j", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "Apache Log4j2", "version_value": "2.16.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "problemtype": { "problemtype_data": [ { "description": [ { "cweId": "CWE-917", "lang": "eng", "value": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032", "refsource": "MISC", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032" }, { "name": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html" }, { "name": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "refsource": "MISC", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "name": "http://www.openwall.com/lists/oss-security/2021/12/14/4", "refsource": "MISC", "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "name": "https://logging.apache.org/log4j/2.x/security.html", "refsource": "MISC", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "name": "https://www.kb.cert.org/vuls/id/930724", "refsource": "MISC", "url": "https://www.kb.cert.org/vuls/id/930724" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf" }, { "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html", "refsource": "MISC", "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html" }, { "name": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd", "refsource": "MISC", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" }, { "name": "http://www.openwall.com/lists/oss-security/2021/12/15/3", "refsource": "MISC", "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf" }, { "name": "https://www.debian.org/security/2021/dsa-5022", "refsource": "MISC", "url": "https://www.debian.org/security/2021/dsa-5022" }, { "name": "http://www.openwall.com/lists/oss-security/2021/12/18/1", "refsource": "MISC", "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf" }, { "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/", "refsource": "MISC", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/" }, { "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/", "refsource": "MISC", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "name": "https://security.gentoo.org/glsa/202310-16", "refsource": "MISC", "url": "https://security.gentoo.org/glsa/202310-16" } ] }, "source": { "discovery": "UNKNOWN" } }, "gitlab.com": { "advisories": [ { "affected_range": "[2.0,2.3.1),[2.4,2.12.3),[2.13,2.16.0)", "affected_versions": "All versions starting from 2.0 before 2.3.1, all versions starting from 2.4 before 2.12.3, all versions starting from 2.13 before 2.16.0", "cvss_v2": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-917", "CWE-937" ], "date": "2023-06-27", "description": "It was found that the fix to address CVE-2021-44228 in Apache Log4j was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, `$${ctx:loginId})` or a Thread Context Map pattern (`%X`, `%mdc`, or `%MDC`) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (\u003c2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "fixed_versions": [ "2.3.1", "2.12.3", "2.16.0" ], "identifier": "CVE-2021-45046", "identifiers": [ "CVE-2021-45046" ], "not_impacted": "All versions before 2.0, all versions starting from 2.3.1 before 2.4, all versions starting from 2.12.3 before 2.13, all versions starting from 2.16.0", "package_slug": "maven/log4j/log4j", "pubdate": "2021-12-14", "solution": "Upgrade to versions 2.3.1, 2.12.3, 2.16.0 or above.", "title": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "http://www.openwall.com/lists/oss-security/2021/12/14/4", "https://logging.apache.org/log4j/2.x/security.html" ], "uuid": "bdefae49-1896-4c8e-bba8-f2234bec5d78" }, { "affected_range": "(,0)", "affected_versions": "None", "cvss_v2": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-502", "CWE-78", "CWE-937" ], "date": "2022-02-08", "description": "This CVE has been marked as a False Positive and has been removed. Programs using log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "fixed_versions": [], "identifier": "CVE-2021-45046", "identifiers": [ "GHSA-7rjr-3q55-vv33", "CVE-2021-45046" ], "package_slug": "maven/org.apache.logging.log4j/log4j-api", "pubdate": "2021-12-14", "solution": "Nothing to be done.", "title": "Deserialization of Untrusted Data", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "https://logging.apache.org/log4j/2.x/security.html" ], "uuid": "a78ef337-2b3d-475c-9c66-a226d17bc057" }, { "affected_range": "[2.0,2.3.1),[2.4,2.12.3),[2.13,2.17.0)", "affected_versions": "All versions starting from 2.0 before 2.3.1, all versions starting from 2.4 before 2.12.3, all versions starting from 2.13 before 2.17.0", "cvss_v2": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-917", "CWE-937" ], "date": "2023-06-27", "description": "It was found that the fix to address CVE-2021-44228 in Apache Log4j was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, `$${ctx:loginId})` or a Thread Context Map pattern (`%X`, `%mdc`, or `%MDC`) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (\u003c2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "fixed_versions": [ "2.3.1", "2.12.3", "2.17.0" ], "identifier": "CVE-2021-45046", "identifiers": [ "CVE-2021-45046" ], "not_impacted": "All versions before 2.0, all versions starting from 2.3.1 before 2.4, all versions starting from 2.12.3 before 2.13, all versions starting from 2.17.0", "package_slug": "maven/org.apache.logging.log4j/log4j-core", "pubdate": "2021-12-14", "solution": "Upgrade to versions 2.3.1, 2.12.3, 2.17.0 or above.", "title": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "http://www.openwall.com/lists/oss-security/2021/12/14/4", "https://logging.apache.org/log4j/2.x/security.html" ], "uuid": "788f3d07-b01c-41d3-b9f0-56693bb21ec8" }, { "affected_range": "[2.0,2.3.1),[2.4,2.12.3),[2.13,2.17.0)", "affected_versions": "All versions starting from 2.0 before 2.3.1, all versions starting from 2.4 before 2.12.3, all versions starting from 2.13 before 2.17.0", "cvss_v2": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-917", "CWE-937" ], "date": "2023-06-27", "description": "It was found that the fix to address CVE-2021-44228 in Apache Log4j was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, `$${ctx:loginId})` or a Thread Context Map pattern (`%X`, `%mdc`, or `%MDC`) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.", "fixed_versions": [ "2.3.1", "2.12.3", "2.17.0" ], "identifier": "CVE-2021-45046", "identifiers": [ "CVE-2021-45046" ], "not_impacted": "All versions before 2.0, all versions starting from 2.3.1 before 2.4, all versions starting from 2.12.3 before 2.13, all versions starting from 2.17.0", "package_slug": "maven/org.apache.logging.log4j/log4j", "pubdate": "2021-12-14", "solution": "Upgrade to versions 2.3.1, 2.12.3, 2.17.0 or above.", "title": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "http://www.openwall.com/lists/oss-security/2021/12/14/4", "https://logging.apache.org/log4j/2.x/security.html" ], "uuid": "8cdf1573-c3e8-41dc-b775-f58e278f6da1" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.12.2", "versionStartIncluding": "2.0.1", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.16.0", "versionStartIncluding": "2.13.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:intel:oneapi:-:*:*:*:*:eclipse:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:audio_development_kit:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:datacenter_manager:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:system_debugger:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:secure_device_onboard:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:sensor_solution_firmware_development_kit:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:computer_vision_annotation_tool:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:genomics_kernel_library:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:system_studio:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:siemens:sppa-t3000_ses3000:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:siemens:logo\\!_soft_comfort:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_4:4.70:sp7:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_4:4.70:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_4:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "4.70", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siveillance_control_pro:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:energyip_prepay:3.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:energyip_prepay:3.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_4:4.70:sp8:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siveillance_identity:1.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siveillance_command:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "4.16.2.1", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:sipass_integrated:2.85:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:sipass_integrated:2.80:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:head-end_system_universal_device_integration_system:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:gma-manager:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "8.6.2j-398", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:energyip:8.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:energyip:8.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:energyip:8.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:energyip:9.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:energy_engage:3.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:e-car_operation_center:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2021-12-13", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:desigo_cc_info_center:5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:desigo_cc_info_center:5.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:comos:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:captial:2019.1:sp1912:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:navigator:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2021-12-13", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:xpedition_package_integrator:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:xpedition_enterprise:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:vesys:2019.1:sp1912:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:vesys:2019.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:vesys:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2019.1", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:vesys:2019.1:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:teamcenter:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_7:2.30:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_7:2.30:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_7:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.30", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_7:2.30:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:solid_edge_harness_design:2020:sp2002:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:solid_edge_harness_design:2020:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:solid_edge_harness_design:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2020", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:captial:2019.1:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:solid_edge_harness_design:2020:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:solid_edge_cam_pro:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siveillance_viewpoint:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siveillance_vantage:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siguard_dsa:4.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siguard_dsa:4.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siguard_dsa:4.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:sentron_powermanager:4.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:sentron_powermanager:4.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:operation_scheduler:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "1.1.3", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:nx:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:opcenter_intelligence:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "3.2", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:mindsphere:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2021-12-11", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:mendix:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:industrial_edge_management_hub:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2021-12-13", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:industrial_edge_management:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:captial:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2019.1", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:tracealertserverplus:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "10.0.12", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:siemens:6bk1602-0aa12-0tp0_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.7.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:siemens:6bk1602-0aa12-0tp0:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:siemens:6bk1602-0aa22-0tp0_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.7.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:siemens:6bk1602-0aa22-0tp0:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:siemens:6bk1602-0aa32-0tp0_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.7.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:siemens:6bk1602-0aa32-0tp0:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:siemens:6bk1602-0aa42-0tp0_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.7.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:siemens:6bk1602-0aa42-0tp0:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:siemens:6bk1602-0aa52-0tp0_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.7.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:siemens:6bk1602-0aa52-0tp0:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-45046" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-917" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20211214 CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "refsource": "MLIST", "tags": [ "Mailing List", "Mitigation", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "name": "https://logging.apache.org/log4j/2.x/security.html", "refsource": "MISC", "tags": [ "Mitigation", "Release Notes", "Vendor Advisory" ], "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "name": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "refsource": "MISC", "tags": [ "Not Applicable" ], "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html", "refsource": "CONFIRM", "tags": [ "Third Party Advisory" ], "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html" }, { "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "refsource": "CISCO", "tags": [ "Third Party Advisory" ], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" }, { "name": "[oss-security] 20211215 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "refsource": "MLIST", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf", "refsource": "CONFIRM", "tags": [ "Third Party Advisory" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf" }, { "name": "VU#930724", "refsource": "CERT-VN", "tags": [ "Third Party Advisory", "US Government Resource" ], "url": "https://www.kb.cert.org/vuls/id/930724" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf", "refsource": "CONFIRM", "tags": [ "Third Party Advisory" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf" }, { "name": "DSA-5022", "refsource": "DEBIAN", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2021/dsa-5022" }, { "name": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html", "refsource": "CONFIRM", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html" }, { "name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032", "refsource": "CONFIRM", "tags": [ "Third Party Advisory" ], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032" }, { "name": "[oss-security] 20211218 Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack", "refsource": "MLIST", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf", "refsource": "CONFIRM", "tags": [ "Third Party Advisory" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf", "refsource": "CONFIRM", "tags": [ "Third Party Advisory" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "N/A", "refsource": "N/A", "tags": [ "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/", "refsource": "MISC", "tags": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/" }, { "name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/", "refsource": "MISC", "tags": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/" }, { "name": "https://security.gentoo.org/glsa/202310-16", "refsource": "MISC", "tags": [], "url": "https://security.gentoo.org/glsa/202310-16" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false }, "baseMetricV3": { "cvssV3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 6.0 } }, "lastModifiedDate": "2023-10-26T07:15Z", "publishedDate": "2021-12-14T19:15Z" } } }
cisco-sa-apache-log4j-qruknebd
Vulnerability from csaf_cisco
Notes
{ "document": { "acknowledgments": [ { "summary": "These vulnerabilities were disclosed by the Apache Software Foundation." } ], "category": "csaf_security_advisory", "csaf_version": "2.0", "notes": [ { "category": "summary", "text": "Critical Vulnerabilities in Apache Log4j Java Logging Library\r\n\r\nOn December 9, 2021, the following critical vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions earlier than 2.15.0 was disclosed:\r\n\r\nCVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints\r\n\r\nOn December 14, 2021, the following critical vulnerability, which affects certain Apache Log4j use cases in versions 2.15.0 and earlier, was disclosed:\r\n\r\nCVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack\r\n\r\nOn December 18, 2021, a vulnerability in the Apache Log4j component affecting versions 2.16 and earlier was disclosed:\r\n\r\nCVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation\r\n\r\nOn December 28, 2021, a vulnerability in the Apache Log4j component affecting versions 2.17 and earlier was disclosed:\r\n\r\nCVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration\r\n\r\nFor a description of these vulnerabilities, see the Apache Log4j Security Vulnerabilities [\"https://logging.apache.org/log4j/2.x/security.html\"] page.\r\n\r\nCisco\u0027s Response to These Vulnerabilities\r\n\r\nCisco assessed all products and services for impact from both CVE-2021-44228 and CVE-2021-45046. To help detect exploitation of these vulnerabilities, Cisco has released Snort rules at the following location: Talos Rules 2021-12-21 [\"https://www.snort.org/advisories/talos-rules-2021-12-21\"]\r\n\r\nProduct fixes that are listed in this advisory will address both CVE-2021-44228 and CVE-2021-45046 unless otherwise noted.\r\n\r\nCisco has reviewed CVE-2021-45105 and CVE-2021-44832 and has determined that no Cisco products or cloud offerings are impacted by these vulnerabilities.\r\n\r\nCisco\u0027s standard practice is to update integrated third-party software components to later versions as they become available.\r\n\r\nThis advisory is available at the following link:\r\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd\"]", "title": "Summary" }, { "category": "general", "text": "Cisco investigated its product line to determine which products may be affected by these vulnerabilities.\r\n\r\nThis advisory only lists Cisco products and services that are known to include the impacted software component and thus may be vulnerable. Products and services that do not contain the impacted software component are not vulnerable and therefore are not listed in this advisory. Any Cisco product or service that is not explicitly listed in the Affected Products section of this advisory is not affected by the vulnerability or vulnerabilities described.\r\n\r\nThe Vulnerable Products [\"#vp\"] section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.", "title": "Affected Products" }, { "category": "general", "text": "Cisco investigated its product line to determine which products may be affected by these vulnerabilities.\r\n\r\nThe following table lists Cisco products that are affected by one or both of the vulnerabilities that are described in this advisory. Customers should refer to the associated Cisco bug(s) for further details.\r\n Product Cisco Bug ID Fixed Release Availability [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"] Collaboration and Social Media Cisco Webex Meetings Server CSCwa47283 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47283\"] CWMS-3.0MR4SP3 patch (21 Dec 2021)\r\nCWMS-4.0MR4SP3 patch (21 Dec 2021)\r\nCWMS-3.0MR4SP2 patch (14 Dec 2021)\r\nCWMS-4.0MR4SP2 patch (14 Dec 2021) Endpoint Clients and Client Software Cisco CX Cloud Agent Software CSCwa47272 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47272\"] 1.12.2 (17 Dec 2021) Network Application, Service, and Acceleration Cisco Call Studio CSCwa54008 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa54008\"] 11.6(2) (23 Dec 2021)\r\n12.0(1) (23 Dec 2021)\r\n12.5(1) (23 Dec 2021)\r\n12.6(1) (23 Dec 2021) Cisco Nexus Insights CSCwa47284 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47284\"] 6.0.2 (17 Dec 2021) Network and Content Security Devices Cisco Firepower Threat Defense (FTD) managed by Firepower Device Manager (FDM) CSCwa46963 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa46963\"] 6.2.3 hotfix (Available)\r\n6.4.0 hotfix (Available)\r\n6.6.5 hotfix (Available)\r\n6.7.0 hotfix (Available)\r\n7.0.1 hotfix (Available)\r\n7.1.0 hotfix (Available) Cisco Identity Services Engine (ISE) CSCwa47133 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47133\"] 2.4 hotfix (15 Dec 2021)\r\n2.6 hotfix (15 Dec 2021)\r\n2.7 hotfix (15 Dec 2021)\r\n3.0 hotfix (15 Dec 2021)\r\n3.1 hotfix (17 Dec 2021) Network Management and Provisioning Cisco Application Policy Infrastructure Controller (APIC) - Network Insights Base App CSCwa47295 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47295\"] 4.2(7r) (Available)\r\n5.2(3g) (Available) Cisco Automated Subsea Tuning CSCwa48806 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa48806\"] 2.1.0.4 (22 Dec 2021) Cisco Business Process Automation CSCwa47269 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47269\"] 3.0.000.115 (patch) (17 Dec 2021)\r\n3.1.000.044 (patch) (17 Dec 2021)\r\n3.2.000.009 (patch) (17 Dec 2021) Cisco CloudCenter Cost Optimizer CSCwa48074 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa48074\"] 5.5.2 (Available) Cisco CloudCenter Suite Admin CSCwa47349 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47349\"] 5.3.1 (Available) Cisco CloudCenter Workload Manager CSCwa47350 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47350\"] 5.5.2 (Available) Cisco CloudCenter CSCwa48832 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa48832\"] 4.10.0.16 (22 Dec 2021) Cisco Common Services Platform Collector (CSPC) CSCwa47271 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47271\"] 2.10.0.1 hotfix (Available)\r\n2.9.1.3 hotfix (Available) Cisco Crosswork Data Gateway CSCwa47257 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47257\"] 2.0.2 patch (21 Dec 2021)\r\n3.0.1 patch (21 Dec 2021) Cisco Crosswork Network Controller CSCwa49936 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa49936\"] 2.0.1 patch (22 Dec 2021)\r\n3.0.1 patch (22 Dec 2021) Cisco Crosswork Optimization Engine CSCwa49939 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa49939\"] 2.0.1 patch (21 Dec 2021)\r\n3.0.1 patch (21 Dec 2021) Cisco Crosswork Platform Infrastructure CSCwa47367 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47367\"] 4.0.1 patch (22 Dec 2021)\r\n4.1.1 patch (22 Dec 2021) Cisco Crosswork Situation Manager CSCwa51878 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa51878\"] 8.0.0.8 patch (21 Dec 2021) Cisco Crosswork Zero Touch Provisioning (ZTP) CSCwa47259 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47259\"] 2.0.1 patch (21 Dec 2021)\r\n3.0.1 patch (21 Dec 2021) Cisco Cyber Vision Sensor Management Extension CSCwa49482 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa49482\"] 4.0.3 (22 Dec 2021) Cisco DNA Spaces Connector CSCwa47320 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47320\"] v2.0.588 (Available)\r\nv2.2.12 (Available) Cisco Data Center Network Manager (DCNM) CSCwa47291 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47291\"] 12.0(2f) (Available)\r\n11.5(3) patch (Available)\r\n11.5(2) patch (Available)\r\n11.5(1) patch (Available)\r\n11.4(1) patch (Available)\r\n11.3(1) patch (Available) Cisco Evolved Programmable Network Manager CSCwa47310 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47310\"] 5.1.3.1 patch (22 Dec 2021)\r\n5.0.2.1 patch (13 Jan 2022)\r\n4.1.1.1 patch (13 Jan 2022) Cisco Intersight Virtual Appliance CSCwa47304 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47304\"] 1.0.9-361 (20 Dec 2021) Cisco Network Services Orchestrator (NSO) CSCwa47342 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47342\"] nso-5.3.5.1 (17 Dec 2021)\r\nnso-5.4.5.2 (17 Dec 2021)\r\nnso-5.5.4.1 (17 Dec 2021)\r\nnso-5.6.3.1 (17 Dec 2021) Cisco Nexus Dashboard, formerly Cisco Application Services Engine CSCwa47299 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47299\"] 2.1.2 (23 Dec 2021) Cisco Prime Service Catalog CSCwa47347 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47347\"] 12.1 patch (20 Dec 2021) Cisco Secure Agile Exchange (SAE) Core Function Pack CSCwa52921 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa52921\"] 2.4.1 (14 Jan 2022) Cisco Smart PHY CSCwa50021 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa50021\"] 3.1.4 patch (Available)\r\n3.2.0 patch (Available)\r\n3.2.1 patch (Available)\r\n21.3 patch (21 Jan 2022) Cisco Virtual Topology System (VTS) CSCwa47334 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47334\"] 2.6.7 (22 Dec 2021) Cisco Virtualized Infrastructure Manager CSCwa49924 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa49924\"] 3.2.x patch (17 Dec 2021)\r\n3.4.4 patch (17 Dec 2021)\r\n3.4.6 patch (17 Dec 2021)\r\n4.2.0 patch (17 Dec 2021)\r\n4.2.1 patch (17 Dec 2021) Cisco WAN Automation Engine (WAE) CSCwa47369 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47369\"] 7.5.0.1 (22 Dec 2021)\r\n7.4.0.1 (28 Jan 2022)\r\n7.3.0.2 (28 Jan 2022) Routing and Switching - Enterprise and Service Provider Cisco DNA Center CSCwa47322 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47322\"] 2.2.2.8 patch (Available)\r\n2.1.2.8 patch (Available)\r\n2.2.3.4 patch (Available) Cisco IOx Fog Director CSCwa47370 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47370\"] 1.14.5 patch (16 Dec 2021)\r\n1.16.4 patch (Available) Cisco Network Assurance Engine CSCwa47285 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47285\"] 6.0.2 (23 Dec 2021) Cisco Network Convergence System 1004 CSCwa52235 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa52235\"] 7.3.2 SMU/GISO (14 Jan 2022)\r\n7.3.1 SMU (21 Jan 2022) Cisco Optical Network Controller CSCwa48793 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa48793\"] 1.1.0 (22 Dec 2021) Cisco SD-WAN vManage CSCwa47745 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47745\"] 20.3.4.1 (Available)\r\n20.6.2.1 (Available)\r\n20.5.1.1 (Available)\r\n20.4.2.1 (Available) Unified Computing Cisco Integrated Management Controller (IMC) Supervisor CSCwa47307 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47307\"] 2.3.2.1 (23 Dec 2021) Cisco UCS Central Software CSCwa47303 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47303\"] 2.0(1p) (22 Dec 2021) Cisco UCS Director CSCwa47288 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47288\"] 6.8.2.0 (23 Dec 2021) Cisco Workload Optimization Manager CSCwa50220 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa50220\"] 3.2.1 patch (Available) Voice and Unified Communications Devices Cisco BroadWorks CSCwa47315 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47315\"] 2021.11_1.162 (13 Dec 2021)\r\nap381882 (15 Dec 2021) Cisco Cloud Connect CSCwa51545 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa51545\"] 12.6(1) (Available) Cisco Contact Center Domain Manager (CCDM) CSCwa47383 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47383\"] 12.5(1) ES6 (Available)\r\n12.6(1) ES3 (Available) Cisco Contact Center Management Portal (CCMP) CSCwa47383 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47383\"] 12.5(1) ES6 (Available)\r\n12.6(1) ES3 (Available) Cisco Emergency Responder CSCwa47391 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47391\"] 11.5(4)SU9 patch (16 Dec 2021)\r\n11.5(4)SU10 patch (16 Dec 2021) Cisco Enterprise Chat and Email CSCwa47392 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47392\"] 12.0(1) patch (Available)\r\n12.5 (1) patch (Available)\r\n12.6(1) patch (Available) Cisco Finesse CSCwa46459 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa46459\"] 12.6(1)ES03 (23 Dec 2021) Cisco Packaged Contact Center Enterprise CSCwa47274 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47274\"] 11.6(2) (Available)\r\n12.0(1) (Available)\r\n12.5(1) (Available)\r\n12.6(1) (Available) Cisco Paging Server CSCwa47395 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47395\"] 14.4.2 (21 Dec 2021) Cisco Unified Communications Manager / Cisco Unified Communications Manager Session Management Edition CSCwa47249 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47249\"] 11.5(1)SU7 patch (16 Dec 2021)\r\n11.5(1)SU8 patch (16 Dec 2021)\r\n11.5(1)SU9 patch (16 Dec 2021)\r\n11.5(1)SU10 patch (16 Dec 2021)\r\n11.5(1.18119-2) through 11.5(1.23162-1) patch (16 Dec 2021) Cisco Unified Communications Manager IM \u0026Presence Service CSCwa47393 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47393\"] 11.5(1)SU7 patch (16 Dec 2021)\r\n11.5(1)SU8 patch (16 Dec 2021)\r\n11.5(1)SU9 patch (16 Dec 2021)\r\n11.5(1)SU10 patch (16 Dec 2021)\r\n11.5(1.18900-16) patch (16 Dec 2021)\r\n11.5(1.18901-3) patch (16 Dec 2021) Cisco Unified Contact Center Enterprise - Live Data server CSCwa46810 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa46810\"] 11.6(1)ES23 (23 Dec 2021)\r\n12.0(1)ES18 (23 Dec 2021)\r\n12.5(1)ES13 (23 Dec 2021)\r\n12.6(1)ES03 (23 Dec 2021) Cisco Unified Contact Center Enterprise CSCwa47273 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47273\"] 11.6(2) (Available)\r\n12.0(1) (Available)\r\n12.5(1) (Available)\r\n12.6(1) (Available) Cisco Unified Contact Center Express CSCwa47388 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47388\"] 12.5(1)SU1 (23 Dec 2021) Cisco Unified Customer Voice Portal CSCwa47275 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47275\"] 11.6(2) (Available)\r\n12.0(1) (Available)\r\n12.5(1) (Available)\r\n12.6(1) (23 Dec 2021) Cisco Unified Intelligence Center CSCwa46525 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa46525\"] 12.6(1) (23 Dec 2021) Cisco Unified SIP Proxy Software CSCwa47265 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47265\"] 10.2.1v2 patch (23 Dec 2021) Cisco Unity Connection CSCwa47387 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47387\"] 11.5(1)SU7 patch (16 Dec 2021)\r\n11.5(1)SU8 patch (16 Dec 2021)\r\n11.5(1)SU9 patch (16 Dec 2021)\r\n11.5(1)SU10 patch (16 Dec 2021)\r\n11.5(1.18119-2) through 11.5(1.23162-1) patch (16 Dec 2021) Cisco Virtualized Voice Browser CSCwa47397 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47397\"] 12.5(1) (Available)\r\n12.6(1) (23 Dec 2021) Cisco Webex Workforce Optimization CSCwa51476 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa51476\"] Product is End of Software Maintenance - No Fixes Planned Video, Streaming, TelePresence, and Transcoding Devices Cisco Video Surveillance Operations Manager CSCwa47360 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47360\"] 7.14.4 patch (Available) Cisco Vision Dynamic Signage Director CSCwa47351 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47351\"] Contact Cisco TAC for a patch\r\n6.4 SP3 (17 Jan 2021) Wireless Cisco Connected Mobile Experiences (CMX) CSCwa47312 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47312\"] 10.6.3-70 patch (Available)\r\n10.6.3-105 patch (Available)\r\n10.6.2-89 patch (Available)\r\n10.4.1 patch (Available)", "title": "Vulnerable Products" }, { "category": "general", "text": "Cisco investigated its product line to determine which products may be affected by these vulnerabilities.\r\n\r\nAny product not listed in the Products Under Investigation or Vulnerable Products section of this advisory is to be considered not vulnerable.\r\n\r\nCisco has confirmed that these vulnerabilities do not affect the following Cisco products:\r\n\r\nCable Devices\r\n\r\nCisco GS7000 Nodes\r\nCisco RF Gateway Series\r\nCisco Remote PHY 120\r\n\r\nCollaboration and Social Media\r\n\r\nCisco SocialMiner\r\n\r\nEndpoint Clients and Client Software\r\n\r\nCisco AnyConnect Secure Mobility Client\r\nCisco Jabber Guest\r\nCisco Jabber\r\nCisco Secure Endpoint, formerly Cisco Advanced Malware Protection for Endpoints\r\nCisco Webex App\r\n\r\nMeraki Products\r\n\r\nCisco Meraki Go Series\r\nCisco Meraki MR Series Cloud-Managed Wireless Access Points\r\nCisco Meraki MS Series Switches\r\nCisco Meraki MT Series Sensors\r\nCisco Meraki MV Series Cloud-Managed Smart Cameras\r\nCisco Meraki MX Series Cloud-Managed Security and SD-WAN\r\nCisco Meraki Systems Manager (SM)\r\nCisco Meraki Z-Series Cloud-Managed Teleworker Gateway\r\n\r\nNetwork Application, Service, and Acceleration\r\n\r\nCisco Cloud Services Platform 2100\r\nCisco Cloud Services Platform 5000 Series\r\nCisco Nexus Dashboard Data Broker\r\nCisco Tetration Analytics\r\nCisco Wide Area Application Services (WAAS)\r\nConfD\r\n\r\nNetwork and Content Security Devices\r\n\r\nCisco AMP Virtual Private Cloud Appliance\r\nCisco Adaptive Security Appliance (ASA) Software\r\nCisco Adaptive Security Device Manager\r\nCisco Adaptive Security Virtual Appliance (ASAv)\r\nCisco Advanced Web Security Reporting Application\r\nCisco Email Security Appliance (ESA)\r\nCisco FXOS Firepower Chassis Manager\r\nCisco Firepower Management Center\r\nCisco Firepower Next-Generation Intrusion Prevention System (NGIPS)\r\nCisco Firepower Threat Defense (FTD) managed by Cisco Firepower Management Center\r\nCisco Secure Email Encryption Add-in\r\nCisco Secure Email Encryption Plugin for Outlook\r\nCisco Secure Email Security Plugin for Outlook\r\nCisco Secure Email and Web Manager, formerly Cisco Content Security Management Appliance (SMA)\r\nCisco Secure Network Analytics, formerly Stealthwatch Enterprise, Advanced Host Group Automation (AHGA)\r\nCisco Secure Network Analytics, formerly Stealthwatch Enterprise, Flow Adapter\r\nCisco Secure Network Analytics, formerly Stealthwatch Enterprise, Network Forensics Automation (NFA)\r\nCisco Secure Network Analytics, formerly Stealthwatch Enterprise, Proxy Adapter\r\nCisco Secure Network Analytics, formerly Stealthwatch\r\nCisco Secure Services Proxy (CSSP)\r\nCisco Security Malware Analytics Appliance, formerly Cisco Threat Grid Appliance\r\nCisco Security Manager\r\nCisco Web Security Appliance (WSA)\r\n\r\nNetwork Management and Provisioning\r\n\r\nCisco ACI Multi-Site Orchestrator\r\nCisco CloudCenter Action Orchestrator\r\nCisco Connected Grid Device Manager\r\nCisco Container Platform\r\nCisco Crosswork Change Automation\r\nCisco Crosswork Health Insights\r\nCisco Crosswork Service Health\r\nCisco Elastic Services Controller (ESC)\r\nCisco Intelligent Node (iNode) Manager\r\nCisco Intersight Mobile App\r\nCisco IoT Field Network Director, formerly Cisco Connected Grid Network Management System\r\nCisco Modeling Labs\r\nCisco NCS 2000 Shelf Virtualization Orchestrator\r\nCisco Optical Network Planner\r\nCisco Policy Suite\r\nCisco Prime Access Registrar\r\nCisco Prime Cable Provisioning\r\nCisco Prime Central for Service Providers\r\nCisco Prime Collaboration Assurance\r\nCisco Prime Collaboration Deployment\r\nCisco Prime Collaboration Provisioning\r\nCisco Prime IP Express\r\nCisco Prime Infrastructure\r\nCisco Prime License Manager\r\nCisco Prime Network Registrar\r\nCisco Prime Network\r\nCisco Prime Optical for Service Providers\r\nCisco Prime Performance Manager\r\nCisco Prime Provisioning\r\nCisco Process Orchestrator\r\nCisco Smart Software Manager On-Prem\r\nCisco Telemetry Broker\r\n\r\nRouting and Switching - Enterprise and Service Provider\r\n\r\nCisco ACI Virtual Edge\r\nCisco ASR 5000 Series Routers\r\nCisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM)\r\nCisco Enterprise NFV Infrastructure Software (NFVIS)\r\nCisco GGSN Gateway GPRS Support Node\r\nCisco IOS XR Software\r\nCisco IOS and IOS XE Software\r\nCisco IP Services Gateway (IPSG)\r\nCisco MDS 9000 Series Multilayer Switches\r\nCisco MME Mobility Management Entity\r\nCisco Mobility Unified Reporting and Analytics System\r\nCisco Network Convergence System 2000 Series\r\nCisco Nexus 3000 Series Switches\r\nCisco Nexus 5500 Platform Switches\r\nCisco Nexus 5600 Platform Switches\r\nCisco Nexus 6000 Series Switches\r\nCisco Nexus 7000 Series Switches\r\nCisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode\r\nCisco Nexus 9000 Series Switches in standalone NX-OS mode\r\nCisco ONS 15454 Series Multiservice Provisioning Platforms\r\nCisco PDSN/HA Packet Data Serving Node and Home Agent\r\nCisco PGW Packet Data Network Gateway\r\nCisco SD-WAN vBond Controller Software\r\nCisco SD-WAN vEdge 100 Series Routers\r\nCisco SD-WAN vEdge 1000 Series Routers\r\nCisco SD-WAN vEdge 2000 Series Routers\r\nCisco SD-WAN vEdge 5000 Series Routers\r\nCisco SD-WAN vEdge Cloud Router Platform\r\nCisco SD-WAN vSmart Controller Software\r\nCisco System Architecture Evolution Gateway (SAEGW)\r\nCisco Ultra Cloud Core - Access and Mobility Management Function\r\nCisco Ultra Cloud Core - Policy Control Function\r\nCisco Ultra Cloud Core - Redundancy Configuration Manager\r\nCisco Ultra Cloud Core - Session Management Function\r\nCisco Ultra Cloud Core - Subscriber Microservices Infrastructure\r\nCisco Ultra Packet Core\r\nCisco Ultra Services Platform\r\n\r\nRouting and Switching - Small Business\r\n\r\nCisco 220 Series Smart Plus Switches\r\nCisco 250 Series Smart Switches\r\nCisco 350 Series Managed Switches\r\nCisco 550 Series Stackable Managed Switches\r\nCisco Business 220 Series Smart Switches\r\nCisco Business 250 Series Smart Switches\r\nCisco Business 350 Series Managed Switches\r\nCisco Business Dashboard\r\nCisco RV110W Wireless-N VPN Firewall\r\nCisco RV130 VPN Router\r\nCisco RV130W Wireless-N Multifunction VPN Router\r\nCisco RV132W ADSL2+ Wireless-N VPN Router\r\nCisco RV134W VDSL2 Wireless-AC VPN Router\r\nCisco RV160 VPN Router\r\nCisco RV160W Wireless-AC VPN Router\r\nCisco RV215W Wireless-N VPN Router\r\nCisco RV260 VPN Routers\r\nCisco RV260P VPN Router with PoE\r\nCisco RV260W Wireless-AC VPN Router\r\nCisco RV320 Dual Gigabit WAN VPN Router\r\nCisco RV325 Dual Gigabit WAN VPN Router\r\nCisco RV340 Dual WAN Gigabit VPN Router\r\nCisco RV340W Dual WAN Gigabit Wireless-AC VPN Router\r\nCisco RV345 Dual WAN Gigabit VPN Router\r\nCisco RV345P Dual WAN Gigabit POE VPN Router\r\nCisco Small Business 200 Series Smart Switches\r\nCisco Small Business 300 Series Managed Switches\r\nCisco Small Business 500 Series Stackable Managed Switches\r\nCisco WAP125 Wireless-AC Dual Band Desktop Access Point with PoE\r\nCisco WAP150 Wireless-AC/N Dual Radio Access Point with PoE\r\nCisco WAP361 Wireless-AC/N Dual Radio Wall Plate Access Point with PoE\r\nCisco WAP371 Wireless-AC/N Radio Access Point with Single Point Setup\r\nCisco WAP571 Wireless-AC/N Premium Dual Radio Access Point with PoE\r\nCisco WAP571E Wireless-AC/N Premium Dual Radio Outdoor Access Point\r\nCisco WAP581 Wireless-AC Dual Radio Wave 2 Access Point with 2.5GbE LAN\r\n\r\nUnified Computing\r\n\r\nCisco 5000 Series Enterprise Network Compute System (ENCS)\r\nCisco HyperFlex System\r\nCisco Hyperflex Storage Replication Adapter\r\nCisco UCS C-Series Rack Servers and S-Series Storage Servers - Integrated Management Controller (CIMC)\r\nCisco UCS E-Series Servers\r\nCisco UCS Manager\r\n\r\nVoice and Unified Communications Devices\r\n\r\nCisco Headset 500 and 700 Series\r\nCisco Hosted Collaboration Mediation Fulfillment\r\nCisco IP Phones with Multiplatform Firmware\r\nCisco IP Phones\r\nCisco TelePresence Endpoints\r\nCisco Unified Attendant Console Advanced\r\nCisco Unified Attendant Console Business Edition\r\nCisco Unified Attendant Console Department Edition\r\nCisco Unified Attendant Console Enterprise Edition\r\nCisco Unified Attendant Console Premium Edition\r\nCisco Unified Communications Domain Manager\r\nCisco Unity Express\r\nCisco Webex Devices\r\nCisco Webex Hybrid Data Security Node\r\nCisco Webex Video Mesh\r\n\r\nVideo, Streaming, TelePresence, and Transcoding Devices\r\n\r\nCisco Expressway Series\r\nCisco Meeting Management (CMM)\r\nCisco Meeting Server\r\nCisco TelePresence Management Suite\r\nCisco TelePresence Video Communication Server (VCS)\r\nCisco Video Surveillance Media Server\r\n\r\nWireless\r\n\r\nCisco AireOS Wireless LAN Controllers\r\nCisco Aironet Access Points\r\nCisco Business 100 and 200 Series Access Points\r\nCisco Business Wireless\r\nCisco Catalyst 9100 Series Access Points\r\nCisco Catalyst 9800 Series Wireless Controllers\r\nCisco IOS Access Points\r\nCisco Mobility Services Engine\r\nCisco Ultra-Reliable Wireless Backhaul\r\n Cisco Cloud Offerings\r\nCisco investigated its cloud offerings to determine which products may be affected by these vulnerabilities. The following table lists Cisco cloud offerings that were part of this investigation.\r\n\r\n Product CVE-2021-44228 CVE-2021-45046 AppDynamics Remediated - service-specific details [\"https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability\"] Remediated - service-specific details [\"https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability\"] AppDynamics with Cisco Secure Application Remediated - service-specific details [\"https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability\"] Remediated - service-specific details [\"https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability\"] Cisco Cloud Email Security Not vulnerable Not vulnerable Cisco Cloudlock Remediated Remediated Cisco Cloudlock for Government Remediated Remediated Cisco Cognitive Intelligence Not vulnerable Not vulnerable Cisco Collaboration Experience Service (CES) Not vulnerable Not vulnerable Cisco Collaboration Experience Service Management (CESM) Not vulnerable Not vulnerable Cisco Crosswork Cloud Not vulnerable Not vulnerable Cisco CX Cloud Remediated Remediated Cisco Defense Orchestrator Not vulnerable Not vulnerable Cisco DNA Spaces Remediated Remediated Cisco Intersight Remediated Remediated Cisco IoT Control Center Remediated Remediated Cisco IoT Operations Dashboard Remediated Remediated Cisco Kinetic for Cities Remediated Remediated Cisco Kinetic Gateway Management Module Remediated Remediated Cisco Managed Services Accelerator (MSX) Remediated Remediated Cisco Placetel Not vulnerable Not vulnerable Cisco PX Cloud Remediated Remediated Cisco SD-WAN Cloud Remediated Remediated Cisco SD-WAN vAnalytics Not vulnerable Not vulnerable Cisco Secure Application (integrated with AppDynamics) Not vulnerable [\"https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability\"] Not vulnerable [\"https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability\"] Cisco Secure Cloud Analytics, formerly Cisco Stealthwatch Cloud Not vulnerable Not vulnerable Cisco Secure Cloud Insights Not vulnerable Not vulnerable Cisco Secure Email Cloud Mailbox, formerly Cisco Cloud Mailbox Defense Not vulnerable Not vulnerable Cisco Secure Email Encryption Service, formerly Cisco Registered Envelope Service Not vulnerable Not vulnerable Cisco Secure Endpoint, formerly Cisco Advanced Malware Protection for Endpoints Not vulnerable Not vulnerable Cisco Secure Malware Analytics, formerly Cisco Threat Grid Not vulnerable Not vulnerable Cisco SecureX Not vulnerable Not vulnerable Cisco ServiceGrid Not vulnerable Not vulnerable Cisco Smart Net Total Care Remediated Remediated Cisco Umbrella DNS Remediated Remediated Cisco Umbrella SIG Remediated Remediated Cisco Unified Communications Management Cloud - UC Management Remediated Remediated Cisco Unified Communications Manager Cloud Commercial Remediated Remediated Cisco Unified Communications Manager Cloud for Government Remediated Remediated Cisco Webex Calling Remediated Remediated Cisco Webex Calling Carrier Remediated Remediated Cisco Webex Cloud Registered Endpoints Not vulnerable Not vulnerable Cisco Webex Cloud-Connected UC Remediated Remediated Cisco Webex Contact Center Remediated Remediated Cisco Webex Contact Center Enterprise Remediated Remediated Cisco Webex Control Hub Remediated Remediated Cisco Webex Experience Management Not vulnerable Not vulnerable Cisco Webex FedRAMP Remediated Remediated Cisco Webex for Government FedRAMP Remediated Remediated Cisco Webex Meetings Remediated Remediated Cisco Webex Meetings Slow Channel Remediated Remediated Cisco Webex Messaging Remediated Remediated Cisco Webex Site Admin webpage Remediated Remediated Duo Security Remediated Remediated Duo Security for Government Remediated Remediated eSIM Flex Remediated Remediated IMIassist Not vulnerable Not vulnerable IMIcampaign Not vulnerable Not vulnerable IMIconnect Remediated Remediated IMIengage Not vulnerable Not vulnerable IMImessenger/TextLocal Messenger Not vulnerable Not vulnerable IMImobile - Webex Contact Center Integration Remediated Remediated IMInotify Not vulnerable Not vulnerable IMIsocial Not vulnerable Not vulnerable Kenna.AppSec Remediated Remediated Kenna.VI/VI+ Remediated Remediated Kenna.VM Remediated Remediated Meraki Not vulnerable Not vulnerable Partner Supporting Service(PSS) Remediated Remediated Slido Not vulnerable Not vulnerable Smart Call Home(SCH) Remediated Remediated Socio Not vulnerable Not vulnerable ThousandEyes Remediated Remediated UC-One - UMS Not vulnerable Not vulnerable", "title": "Products Confirmed Not Vulnerable" }, { "category": "general", "text": "Any workarounds are documented in the product-specific Cisco bugs, which are identified in the Vulnerable Products [\"#vp\"] section of this advisory.", "title": "Workarounds" }, { "category": "general", "text": "For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products [\"#vp\"] section of this advisory.\r\n\r\nWhen considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.", "title": "Fixed Software" }, { "category": "general", "text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.", "title": "Vulnerability Policy" }, { "category": "general", "text": "The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerabilities described in this advisory.", "title": "Exploitation and Public Announcements" }, { "category": "general", "text": "These vulnerabilities were disclosed by the Apache Software Foundation.", "title": "Source" }, { "category": "legal_disclaimer", "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.", "title": "Legal Disclaimer" } ], "publisher": { "category": "vendor", "contact_details": "Emergency Support:\r\n+1 877 228 7302 (toll-free within North America)\r\n+1 408 525 6532 (International direct-dial)\r\nNon-emergency Support:\r\nEmail: psirt@cisco.com\r\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.", "issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\r\nMore information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html", "name": "Cisco", "namespace": "https://wwww.cisco.com" }, "references": [ { "category": "self", "summary": "Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" }, { "category": "external", "summary": "Cisco Security Vulnerability Policy", "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html" }, { "category": "external", "summary": "Apache Log4j Security Vulnerabilities", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "Talos Rules 2021-12-21", "url": "https://www.snort.org/advisories/talos-rules-2021-12-21" }, { "category": "external", "summary": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd", "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd" }, { "category": "external", "summary": "Fixed Release Availability", "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes" }, { "category": "external", "summary": "CSCwa47283", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47283" }, { "category": "external", "summary": "CSCwa47272", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47272" }, { "category": "external", "summary": "CSCwa54008", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa54008" }, { "category": "external", "summary": "CSCwa47284", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47284" }, { "category": "external", "summary": "CSCwa46963", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa46963" }, { "category": "external", "summary": "CSCwa47133", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47133" }, { "category": "external", "summary": "CSCwa47295", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47295" }, { "category": "external", "summary": "CSCwa48806", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa48806" }, { "category": "external", "summary": "CSCwa47269", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47269" }, { "category": "external", "summary": "CSCwa48074", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa48074" }, { "category": "external", "summary": "CSCwa47349", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47349" }, { "category": "external", "summary": "CSCwa47350", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47350" }, { "category": "external", "summary": "CSCwa48832", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa48832" }, { "category": "external", "summary": "CSCwa47271", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47271" }, { "category": "external", "summary": "CSCwa47257", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47257" }, { "category": "external", "summary": "CSCwa49936", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa49936" }, { "category": "external", "summary": "CSCwa49939", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa49939" }, { "category": "external", "summary": "CSCwa47367", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47367" }, { "category": "external", "summary": "CSCwa51878", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa51878" }, { "category": "external", "summary": "CSCwa47259", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47259" }, { "category": "external", "summary": "CSCwa49482", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa49482" }, { "category": "external", "summary": "CSCwa47320", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47320" }, { "category": "external", "summary": "CSCwa47291", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47291" }, { "category": "external", "summary": "CSCwa47310", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47310" }, { "category": "external", "summary": "CSCwa47304", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47304" }, { "category": "external", "summary": "CSCwa47342", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47342" }, { "category": "external", "summary": "CSCwa47299", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47299" }, { "category": "external", "summary": "CSCwa47347", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47347" }, { "category": "external", "summary": "CSCwa52921", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa52921" }, { "category": "external", "summary": "CSCwa50021", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa50021" }, { "category": "external", "summary": "CSCwa47334", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47334" }, { "category": "external", "summary": "CSCwa49924", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa49924" }, { "category": "external", "summary": "CSCwa47369", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47369" }, { "category": "external", "summary": "CSCwa47322", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47322" }, { "category": "external", "summary": "CSCwa47370", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47370" }, { "category": "external", "summary": "CSCwa47285", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47285" }, { "category": "external", "summary": "CSCwa52235", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa52235" }, { "category": "external", "summary": "CSCwa48793", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa48793" }, { "category": "external", "summary": "CSCwa47745", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47745" }, { "category": "external", "summary": "CSCwa47307", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47307" }, { "category": "external", "summary": "CSCwa47303", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47303" }, { "category": "external", "summary": "CSCwa47288", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47288" }, { "category": "external", "summary": "CSCwa50220", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa50220" }, { "category": "external", "summary": "CSCwa47315", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47315" }, { "category": "external", "summary": "CSCwa51545", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa51545" }, { "category": "external", "summary": "CSCwa47383", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47383" }, { "category": "external", "summary": "CSCwa47383", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47383" }, { "category": "external", "summary": "CSCwa47391", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47391" }, { "category": "external", "summary": "CSCwa47392", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47392" }, { "category": "external", "summary": "CSCwa46459", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa46459" }, { "category": "external", "summary": "CSCwa47274", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47274" }, { "category": "external", "summary": "CSCwa47395", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47395" }, { "category": "external", "summary": "CSCwa47249", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47249" }, { "category": "external", "summary": "CSCwa47393", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47393" }, { "category": "external", "summary": "CSCwa46810", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa46810" }, { "category": "external", "summary": "CSCwa47273", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47273" }, { "category": "external", "summary": "CSCwa47388", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47388" }, { "category": "external", "summary": "CSCwa47275", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47275" }, { "category": "external", "summary": "CSCwa46525", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa46525" }, { "category": "external", "summary": "CSCwa47265", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47265" }, { "category": "external", "summary": "CSCwa47387", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47387" }, { "category": "external", "summary": "CSCwa47397", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47397" }, { "category": "external", "summary": "CSCwa51476", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa51476" }, { "category": "external", "summary": "CSCwa47360", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47360" }, { "category": "external", "summary": "CSCwa47351", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47351" }, { "category": "external", "summary": "CSCwa47312", "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47312" }, { "category": "external", "summary": "Remediated - service-specific details", "url": "https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability" }, { "category": "external", "summary": "Remediated - service-specific details", "url": "https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability" }, { "category": "external", "summary": "Remediated - service-specific details", "url": "https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability" }, { "category": "external", "summary": "Remediated - service-specific details", "url": "https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability" }, { "category": "external", "summary": "Not vulnerable", "url": "https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability" }, { "category": "external", "summary": "Not vulnerable", "url": "https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability" }, { "category": "external", "summary": "Security Vulnerability Policy", "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html" } ], "title": "Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021", "tracking": { "current_release_date": "2022-01-31T21:16:10+00:00", "generator": { "date": "2022-10-22T03:14:00+00:00", "engine": { "name": "TVCE" } }, "id": "cisco-sa-apache-log4j-qRuKNEbd", "initial_release_date": "2021-12-10T18:45:00+00:00", "revision_history": [ { "date": "2021-12-10T18:49:19+00:00", "number": "1.0.0", "summary": "Initial public release." }, { "date": "2021-12-10T20:58:15+00:00", "number": "1.1.0", "summary": "Added Snort rule link." }, { "date": "2021-12-11T00:58:43+00:00", "number": "1.2.0", "summary": "Added Products Under Investigation." }, { "date": "2021-12-11T19:15:38+00:00", "number": "1.3.0", "summary": "Indicated advisory update schedule. Updated the vulnerable products and products confirmed not vulnerable." }, { "date": "2021-12-11T23:12:24+00:00", "number": "1.4.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-12T15:01:39+00:00", "number": "1.5.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-12T18:11:59+00:00", "number": "1.6.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-12T19:02:40+00:00", "number": "1.7.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-12T23:05:52+00:00", "number": "1.8.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-13T15:31:38+00:00", "number": "1.9.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-13T20:34:26+00:00", "number": "1.10.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-13T23:43:56+00:00", "number": "1.11.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-14T15:42:33+00:00", "number": "1.12.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-14T19:36:34+00:00", "number": "1.13.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-14T23:57:07+00:00", "number": "1.14.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-15T15:08:09+00:00", "number": "1.15.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-15T19:27:33+00:00", "number": "1.16.0", "summary": "Updated the summary, products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-15T23:51:35+00:00", "number": "1.17.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-16T15:22:33+00:00", "number": "1.18.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-16T19:07:05+00:00", "number": "1.19.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-16T23:12:10+00:00", "number": "1.20.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-17T19:02:40+00:00", "number": "1.21.0", "summary": "Updated the summary, products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-18T00:07:30+00:00", "number": "1.22.0", "summary": "Updated the products under investigation, vulnerable products, and products confirmed not vulnerable." }, { "date": "2021-12-19T16:29:55+00:00", "number": "1.23.0", "summary": "Updated summary and products under investigation." }, { "date": "2021-12-20T20:29:03+00:00", "number": "1.24.0", "summary": "Updated vulnerable products and products confirmed not vulnerable." }, { "date": "2021-12-21T20:55:00+00:00", "number": "1.25.0", "summary": "Updated vulnerable products and products confirmed not vulnerable." }, { "date": "2021-12-22T20:47:44+00:00", "number": "1.26.0", "summary": "Updated vulnerable products and products confirmed not vulnerable. Updated the summary to indicate that no Cisco products are affected by CVE-2021-45105." }, { "date": "2021-12-22T22:58:15+00:00", "number": "1.27.0", "summary": "Updated vulnerable products." }, { "date": "2022-01-06T23:16:04+00:00", "number": "1.28.0", "summary": "Updated summary and vulnerable products." }, { "date": "2022-01-07T18:00:53+00:00", "number": "1.29.0", "summary": "Updated vulnerable products." }, { "date": "2022-01-10T18:01:02+00:00", "number": "1.30.0", "summary": "Updated vulnerable products." }, { "date": "2022-01-11T20:28:32+00:00", "number": "1.31.0", "summary": "Updated products confirmed not vulnerable." }, { "date": "2022-01-31T21:16:10+00:00", "number": "1.32.0", "summary": "Updated vulnerable products." } ], "status": "final", "version": "1.32.0" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_family", "name": "Cisco Unified Communications Manager IM and Presence Service", "product": { "name": "Cisco Unified Communications Manager IM and Presence Service ", "product_id": "CSAFPID-189784" } }, { "category": "product_family", "name": "Cisco Evolved Programmable Network Manager (EPNM)", "product": { "name": "Cisco Evolved Programmable Network Manager (EPNM) ", "product_id": "CSAFPID-213688" } }, { "category": "product_family", "name": "Cisco Network Services Orchestrator", "product": { "name": "Cisco Network Services Orchestrator ", "product_id": "CSAFPID-227765" } }, { "category": "product_family", "name": "Cisco Unified Communications Manager / Cisco Unity Connection", "product": { "name": "Cisco Unified Communications Manager / Cisco Unity Connection ", "product_id": "CSAFPID-277610" } } ], "category": "vendor", "name": "Cisco" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-44832", "notes": [ { "category": "other", "text": "Complete.", "title": "Affected Product Comprehensiveness" } ], "product_status": { "known_affected": [ "CSAFPID-213688", "CSAFPID-227765", "CSAFPID-277610", "CSAFPID-189784" ] }, "remediations": [ { "category": "vendor_fix", "details": "Cisco has released software updates that address this vulnerability.", "product_ids": [ "CSAFPID-277610", "CSAFPID-213688", "CSAFPID-227765", "CSAFPID-189784" ], "url": "https://software.cisco.com" } ], "scores": [ { "cvss_v3": { "baseScore": 6.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-213688", "CSAFPID-227765", "CSAFPID-277610", "CSAFPID-189784" ] } ], "title": "vuln-CVE-2021-44832" }, { "cve": "CVE-2021-45046", "ids": [ { "system_name": "Cisco Bug ID", "text": "CSCwa47310" }, { "system_name": "Cisco Bug ID", "text": "CSCwa56230" } ], "notes": [ { "category": "other", "text": "Complete.", "title": "Affected Product Comprehensiveness" } ], "product_status": { "known_affected": [ "CSAFPID-227765", "CSAFPID-277610", "CSAFPID-213688", "CSAFPID-189784" ] }, "remediations": [ { "category": "vendor_fix", "details": "Cisco has released software updates that address this vulnerability.", "product_ids": [ "CSAFPID-277610", "CSAFPID-213688", "CSAFPID-227765", "CSAFPID-189784" ], "url": "https://software.cisco.com" } ], "scores": [ { "cvss_v3": { "baseScore": 9.0, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-227765", "CSAFPID-277610", "CSAFPID-213688", "CSAFPID-189784" ] } ], "title": "vuln-CVE-2021-45046" }, { "cve": "CVE-2021-44228", "ids": [ { "system_name": "Cisco Bug ID", "text": "CSCwa56230" } ], "notes": [ { "category": "other", "text": "Complete.", "title": "Affected Product Comprehensiveness" } ], "product_status": { "known_affected": [ "CSAFPID-277610", "CSAFPID-189784" ] }, "remediations": [ { "category": "vendor_fix", "details": "Cisco has released software updates that address this vulnerability.", "product_ids": [ "CSAFPID-277610", "CSAFPID-189784" ], "url": "https://software.cisco.com" } ], "scores": [ { "cvss_v3": { "baseScore": 10.0, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-277610", "CSAFPID-189784" ] } ], "title": "Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021" }, { "cve": "CVE-2021-45105", "ids": [ { "system_name": "Cisco Bug ID", "text": "CSCwa56230" }, { "system_name": "Cisco Bug ID", "text": "CSCwa54650" }, { "system_name": "Cisco Bug ID", "text": "CSCwa47310" } ], "notes": [ { "category": "other", "text": "Complete.", "title": "Affected Product Comprehensiveness" } ], "product_status": { "known_affected": [ "CSAFPID-189784", "CSAFPID-213688" ] }, "remediations": [ { "category": "vendor_fix", "details": "Cisco has released software updates that address this vulnerability.", "product_ids": [ "CSAFPID-213688", "CSAFPID-189784" ], "url": "https://software.cisco.com" } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "CSAFPID-189784", "CSAFPID-213688" ] } ], "title": "Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021 (CVE-2021-45105)" } ] }
var-202112-0562
Vulnerability from variot
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default. Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j.CVE-2021-4104 Affected CVE-2021-44228 Affected CVE-2021-45046 AffectedCVE-2021-4104 Affected CVE-2021-44228 Affected CVE-2021-45046 Affected. Solution:
For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html
Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html
The References section of this erratum contains a download link (you must log in to download the update). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Low: Red Hat JBoss Enterprise Application Platform 7.4.4 security update Advisory ID: RHSA-2022:1297-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2022:1297 Issue date: 2022-04-11 CVE Names: CVE-2021-4104 CVE-2021-44832 CVE-2021-45046 CVE-2021-45105 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307 =====================================================================
- Summary:
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat JBoss EAP 7.4 for RHEL 8 - noarch, x86_64
- Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.
- Solution:
Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- JIRA issues fixed (https://issues.jboss.org/):
JBEAP-22105 - (7.4.z) Upgrade from com.io7m.xom:xom 1.2.10 to xom:xom 1.3.7 JBEAP-22385 - (7.4.z) Upgrade ASM from 7.1 to 9.1 JBEAP-22731 - (7.4.z) Upgrade Artemis from 2.16.0.redhat-00032 to 2.16.0.redhat-00034 JBEAP-22738 - (7.4.z) Upgrade jbossws-cxf from 5.4.2.Final to 5.4.4.Final(Fix UsernameTokenElytronTestCase on SE 17) JBEAP-22819 - [GSS] (7.4.z) HAL-1762 - Aliases are removed from the credential store when passwords are updated from the admin console JBEAP-22839 - GSS Upgrade yasson from 1.0.9.redhat-00001 to 1.0.10.redhat-00001 JBEAP-22864 - (7.4.z) Upgrade HAL from 3.3.8.Final-redhat-00001 to 3.3.9.Final-redhat-00001 JBEAP-22900 - Tracker bug for the EAP 7.4.4 release for RHEL-8 JBEAP-22904 - (7.4.z) Upgrade Hibernate ORM from 5.3.24.Final-redhat-00001 to 5.3.25.Final-redhat-00002 JBEAP-22911 - (7.4.z) Upgrade OpenSSL from 2.1.3.Final-redhat-00001 to 2.2.0.Final-redhat-00001 JBEAP-22912 - (7.4.z) Upgrade OpenSSL Natives from 2.1.0.SP01-redhat-00001 to 2.2.0.Final-redhat-00001 JBEAP-22913 - (7.4.z) Upgrade WildFly Core from 15.0.6.Final-redhat-00003 to 15.0.7.Final-redhat-00001 JBEAP-22935 - (7.4.z) Upgrade jboss-vfs from 3.2.15.Final-redhat-00001 to 3.2.16.Final-redhat-00001 JBEAP-22945 - (7.4.z) Upgrade org.apache.logging.log4j from 2.14.0.redhat-00002 to 2.17.1.redhat-00001 JBEAP-22973 - (7.4.z) Upgrade Elytron from 1.15.9.Final-redhat-00001 to 1.15.11.Final-redhat-00002 JBEAP-23038 - (7.4.z) Upgrade galleon-plugins from 5.1.4.Final to 5.2.6.Final JBEAP-23040 - (7.4.z) Upgrade galleon-plugins in wildfly-core-eap from 5.1.4.Final to 5.2.6.Final JBEAP-23045 - (7.4.z) Upgrade Undertow from 2.2.13.SP2-redhat-00001 to 2.2.16.Final-redhat-0001 JBEAP-23101 - (7.4.z) Upgrade Infinispan from 11.0.12.Final to 11.0.15.Final JBEAP-23105 - (7.4.z) Upgrade Narayana from 5.11.3.Final-redhat-00001 to 5.11.4.Final-redhat-00001 JBEAP-23143 - (7.4.z) Upgrade from org.eclipse.jdt.core.compiler:ecj:4.6.1 to org.eclipse.jdt:ecj:3.26 JBEAP-23177 - (7.4.z) Upgrade XNIO from 3.8.5.SP1-redhat-00001 to 3.8.6.Final-redhat-00001 JBEAP-23323 - GSS WFLY-16112 - Batch JobOperatorService should look for only active job names to stop during suspend JBEAP-23373 - (7.4.z) Upgrade OpenSSL from 2.2.0.Final-redhat-00001 to 2.2.0.Final-redhat-00002 JBEAP-23374 - (7.4.z) Upgrade WildFly Core from 15.0.7.Final-redhat-00001 to 15.0.8.Final-redhat-00001 JBEAP-23375 - (7.4.z) Upgrade OpenSSL Natives from 2.2.0.Final-redhat-00001 to 2.2.0.Final-redhat-00002
- Package List:
Red Hat JBoss EAP 7.4 for RHEL 8:
Source: eap7-activemq-artemis-2.16.0-7.redhat_00034.1.el8eap.src.rpm eap7-ecj-3.26.0-1.redhat_00002.1.el8eap.src.rpm eap7-hal-console-3.3.9-1.Final_redhat_00001.1.el8eap.src.rpm eap7-hibernate-5.3.25-1.Final_redhat_00002.1.el8eap.src.rpm eap7-infinispan-11.0.15-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-server-migration-1.10.0-15.Final_redhat_00014.1.el8eap.src.rpm eap7-jboss-vfs-3.2.16-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-xnio-base-3.8.6-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jbossws-cxf-5.4.4-1.Final_redhat_00001.1.el8eap.src.rpm eap7-log4j-2.17.1-1.redhat_00001.1.el8eap.src.rpm eap7-narayana-5.11.4-1.Final_redhat_00001.1.el8eap.src.rpm eap7-objectweb-asm-9.1.0-1.redhat_00002.1.el8eap.src.rpm eap7-undertow-2.2.16-1.Final_redhat_00001.1.el8eap.src.rpm eap7-wildfly-7.4.4-3.GA_redhat_00011.1.el8eap.src.rpm eap7-wildfly-elytron-1.15.11-1.Final_redhat_00002.1.el8eap.src.rpm eap7-wildfly-openssl-2.2.0-3.Final_redhat_00002.1.el8eap.src.rpm eap7-wildfly-openssl-el8-x86_64-2.2.0-2.Final_redhat_00002.1.el8eap.src.rpm eap7-xom-1.3.7-1.redhat_00001.1.el8eap.src.rpm eap7-yasson-1.0.10-1.redhat_00001.1.el8eap.src.rpm
noarch: eap7-activemq-artemis-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-cli-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-commons-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-core-client-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-dto-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-jms-client-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-jms-server-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-journal-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-ra-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-selector-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-server-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-activemq-artemis-tools-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm eap7-ecj-3.26.0-1.redhat_00002.1.el8eap.noarch.rpm eap7-hal-console-3.3.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-5.3.25-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-hibernate-core-5.3.25-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-hibernate-entitymanager-5.3.25-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-hibernate-envers-5.3.25-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-hibernate-java8-5.3.25-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-infinispan-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-jdbc-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-remote-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-client-hotrod-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-commons-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-component-annotations-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-core-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-commons-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-spi-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-v53-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-server-migration-1.10.0-15.Final_redhat_00014.1.el8eap.noarch.rpm eap7-jboss-server-migration-cli-1.10.0-15.Final_redhat_00014.1.el8eap.noarch.rpm eap7-jboss-server-migration-core-1.10.0-15.Final_redhat_00014.1.el8eap.noarch.rpm eap7-jboss-vfs-3.2.16-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-xnio-base-3.8.6-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jbossws-cxf-5.4.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-log4j-2.17.1-1.redhat_00001.1.el8eap.noarch.rpm eap7-narayana-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-compensations-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jbosstxbridge-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jbossxts-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jts-idlj-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jts-integration-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-restat-api-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-restat-bridge-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-restat-integration-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-restat-util-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-txframework-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-objectweb-asm-9.1.0-1.redhat_00002.1.el8eap.noarch.rpm eap7-undertow-2.2.16-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-7.4.4-3.GA_redhat_00011.1.el8eap.noarch.rpm eap7-wildfly-elytron-1.15.11-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-elytron-tool-1.15.11-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-javadocs-7.4.4-3.GA_redhat_00011.1.el8eap.noarch.rpm eap7-wildfly-modules-7.4.4-3.GA_redhat_00011.1.el8eap.noarch.rpm eap7-wildfly-openssl-2.2.0-3.Final_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-openssl-java-2.2.0-3.Final_redhat_00002.1.el8eap.noarch.rpm eap7-xom-1.3.7-1.redhat_00001.1.el8eap.noarch.rpm eap7-yasson-1.0.10-1.redhat_00001.1.el8eap.noarch.rpm
x86_64: eap7-wildfly-openssl-el8-x86_64-2.2.0-2.Final_redhat_00002.1.el8eap.x86_64.rpm eap7-wildfly-openssl-el8-x86_64-debuginfo-2.2.0-2.Final_redhat_00002.1.el8eap.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2021-4104 https://access.redhat.com/security/cve/CVE-2021-44832 https://access.redhat.com/security/cve/CVE-2021-45046 https://access.redhat.com/security/cve/CVE-2021-45105 https://access.redhat.com/security/cve/CVE-2022-23302 https://access.redhat.com/security/cve/CVE-2022-23305 https://access.redhat.com/security/cve/CVE-2022-23307 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYlRUqtzjgjWX9erEAQhXfxAApQ6HkBUo8Tg+GWEosSpAx0AEsVPMojWK HU3uJRF8jp0KXqchc+KVlalBJAWHPBUDr4xBpsISqwr7T/9iYonKlo4ijA/68b2K khbFyt6o6i2dXrYygT5fcMtukSjN2T/hfCc2ZE2yiHTO3Ou4AALyZ2xCyYtfSpuZ rZLVvgCWrnak2msgkoNl0/sZxnjw6b+ZJczKkq3QqPVWOYlV/Qdl5NGy16i0rbEo P1rWXJrOUlEBctJEs756cqeIJesYKHZqqPx/kHaNyzdxDh99hKGZx7oturscAN6e sPfSSdyd5jsOcWD7UlHV9ukoPQxf1ouVBa0qkpL0wCoR3GFF6Pls1bMEFzUoz3/R IwagVxsr38duK3isv34l6IQ+RP0oSWN0rgPUu69tAlEV+YwLgA5JUOpz1i7FTmXt l3i5+wMlo9Xc/Hy+j7unW8Do7s/i0YuFVTuM6H9KEITuFjgFA2tB9CpzoAFzWLk0 U8zCL80Rwy1wiMydSrLjtg3YUPB6ibh2NJ02O7R+bNhJ8bN4yuDuWkDqy4VdPXGp zhed3dZmYAXD9/x+mnfghcbJZwigzGT9Qv78zYafB3f8K7cEVEDJK3aZMOkkh9ca dcaLs5WRv8ZTytFPv+KGKRJ/cc/UHAvh8zumMZdVMp1oty/k/OYWhgaEJMWGQDCe UnHI/WwB37w= =eCh2 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . The purpose of this text-only errata is to inform you about the security issues fixed in this release. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For the oldstable distribution (buster), this problem has been fixed in version 2.16.0-1~deb10u1.
For the stable distribution (bullseye), this problem has been fixed in version 2.16.0-1~deb11u1.
We recommend that you upgrade your apache-log4j2 packages.
For the detailed security status of apache-log4j2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/apache-log4j2
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmG7FI5fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeSqOg//XOye7T/8PKOrrUtHFhH+w2dOC0GujwcIS2mhofVuZQTPYvM5uTZxDTuz rQN+T505t9QaP3sF05gXK6VI675HhgmF3d+vDEnhp8QpZX5HeJrmmX44FewZQAqP yMysAuwG1RJ0Qgs7NmppU/XJBnmhJLsqsW99kcDnNXS67D23e1nUqAEDME5baSoF VPc50Up/yh4DE28Jcs8Mh2cM8UqmeLEQJ8XC3IojQLhmOF1UBJuL4K0sEUqWtJeN TytHya2XdfIIZcRolHe6AUeiLP5JpitbqkVP+hEeruAvk8nTGsLi0HMbWxA9LLcB bB9KKJjf6xndRa/t/IXGMzwr883t5/YLdxbCFcGj9M4Bfj7SAhGdgnJHZaRt1quX Vcqnu1pDHpdFuRX4t6oqF9R0uiBGeupZmGdb1y7os+FU2EbTRYU0rlnhfOsou0ex Vh5sFKFDhgWUQoyuVUMh6eOZ7p92GTzbw5kPkvboa7Xdrs02m7ChLlh8f5ajRFrK WbAcwsBj6RK4dmtdvfO2sVEuRTpFQ3qtecwZUR0pqUIjJ+rfurSGmpPr3iOrBu2s ROol/vLfW5uZd6RxSNbt3twPcwBaZagFQCcDY27Yz0sH6DlQUmWed1KJjbRaZ7fn cqjFisSZxu8d5VoAtjMSP8l95FoAm53r9Q1HCZvXqRhBjFNoYqE= =TNnt -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202310-16
https://security.gentoo.org/
Severity: High Title: Ubiquiti UniFi: remote code execution via bundled log4j Date: October 26, 2023 Bugs: #828853 ID: 202310-16
Synopsis
A vulnerability has been discovered in unifi where bundled log4j can facilitate a remote code execution
Background
Ubiquiti UniFi is a Management Controller for Ubiquiti Networks UniFi APs. Please review the CVE identifier referenced below for details.
Impact
An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.
Workaround
There is no known workaround at this time.
Resolution
All Ubiquity UniFi users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-wireless/unifi-6.5.55"
References
[ 1 ] CVE-2021-4104 https://nvd.nist.gov/vuln/detail/CVE-2021-4104 [ 2 ] CVE-2021-45046 https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202310-16
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202112-0562", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "linux", "scope": "eq", "trust": 1.0, "vendor": "debian", "version": "10.0" }, { "model": "log4j", "scope": "gte", "trust": 1.0, "vendor": "apache", "version": "2.13.0" }, { "model": "navigator", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "2021-12-13" }, { "model": "genomics kernel library", "scope": "eq", "trust": 1.0, "vendor": "intel", "version": null }, { "model": "industrial edge management hub", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "2021-12-13" }, { "model": "log4j", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "2.0" }, { "model": "desigo cc advanced reports", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "5.1" }, { "model": "solid edge harness design", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "2020" }, { "model": "desigo cc advanced reports", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "5.0" }, { "model": "captial", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "2019.1" }, { "model": "operation scheduler", "scope": "lte", "trust": 1.0, "vendor": "siemens", "version": "1.1.3" }, { "model": "solid edge cam pro", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "*" }, { "model": "spectrum power 4", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "4.70" }, { "model": "logo\\! soft comfort", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "*" }, { "model": "xpedition package integrator", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": null }, { "model": "sensor solution development kit", "scope": "eq", "trust": 1.0, "vendor": "intel", "version": null }, { "model": "mindsphere", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "2021-12-11" }, { "model": "system studio", "scope": "eq", "trust": 1.0, "vendor": "intel", "version": null }, { "model": "e-car operation center", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "2021-12-13" }, { "model": "sipass integrated", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "2.85" }, { "model": "energyip prepay", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "3.8" }, { "model": "system debugger", "scope": "eq", "trust": 1.0, "vendor": "intel", "version": null }, { "model": "audio development kit", "scope": "eq", "trust": 1.0, "vendor": "intel", "version": null }, { "model": "fedora", "scope": "eq", "trust": 1.0, "vendor": "fedoraproject", "version": "35" }, { "model": "linux", "scope": "eq", "trust": 1.0, "vendor": "debian", "version": "11.0" }, { "model": "computer vision annotation tool", "scope": "eq", "trust": 1.0, "vendor": "intel", "version": null }, { "model": "log4j", "scope": "lt", "trust": 1.0, "vendor": "apache", "version": "2.16.0" }, { "model": "siveillance vantage", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "*" }, { "model": "siveillance identity", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "1.5" }, { "model": "6bk1602-0aa12-0tp0", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "2.7.0" }, { "model": "6bk1602-0aa22-0tp0", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "2.7.0" }, { "model": "6bk1602-0aa52-0tp0", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "2.7.0" }, { "model": "6bk1602-0aa32-0tp0", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "2.7.0" }, { "model": "industrial edge management", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "*" }, { "model": "energyip", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "8.5" }, { "model": "energy engage", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "3.1" }, { "model": "siveillance viewpoint", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "*" }, { "model": "energyip", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "8.7" }, { "model": "opcenter intelligence", "scope": "lte", "trust": 1.0, "vendor": "siemens", "version": "3.2" }, { "model": "spectrum power 7", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "2.30" }, { "model": "solid edge harness design", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "2020" }, { "model": "siveillance control pro", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "*" }, { "model": "captial", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "2019.1" }, { "model": "spectrum power 4", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "4.70" }, { "model": "teamcenter", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "*" }, { "model": "sipass integrated", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "2.80" }, { "model": "log4j", "scope": "lt", "trust": 1.0, "vendor": "apache", "version": "2.12.2" }, { "model": "nx", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "*" }, { "model": "sppa-t3000 ses3000", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "*" }, { "model": "gma-manager", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "8.6.2j-398" }, { "model": "siveillance command", "scope": "lte", "trust": 1.0, "vendor": "siemens", "version": "4.16.2.1" }, { "model": "vesys", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "2019.1" }, { "model": "log4j", "scope": "gte", "trust": 1.0, "vendor": "apache", "version": "2.0.1" }, { "model": "sentron powermanager", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "4.2" }, { "model": "spectrum power 7", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "2.30" }, { "model": "fedora", "scope": "eq", "trust": 1.0, "vendor": "fedoraproject", "version": "34" }, { "model": "desigo cc advanced reports", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "4.2" }, { "model": "energyip", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "8.6" }, { "model": "vesys", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "2019.1" }, { "model": "mendix", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "*" }, { "model": "datacenter manager", "scope": "eq", "trust": 1.0, "vendor": "intel", "version": null }, { "model": "desigo cc info center", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "5.1" }, { "model": "6bk1602-0aa42-0tp0", "scope": "lt", "trust": 1.0, "vendor": "siemens", "version": "2.7.0" }, { "model": "desigo cc info center", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "5.0" }, { "model": "desigo cc advanced reports", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "4.0" }, { "model": "energyip", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "9.0" }, { "model": "email security", "scope": "lt", "trust": 1.0, "vendor": "sonicwall", "version": "10.0.12" }, { "model": "sentron powermanager", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "4.1" }, { "model": "tracealertserverplus", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "*" }, { "model": "xpedition enterprise", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": null }, { "model": "desigo cc advanced reports", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "4.1" }, { "model": "oneapi", "scope": "eq", "trust": 1.0, "vendor": "intel", "version": null }, { "model": "comos", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "*" }, { "model": "head-end system universal device integration system", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "*" }, { "model": "siguard dsa", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "4.3" }, { "model": "siveillance identity", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "1.6" }, { "model": "siguard dsa", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "4.2" }, { "model": "energyip prepay", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "3.7" }, { "model": "secure device onboard", "scope": "eq", "trust": 1.0, "vendor": "intel", "version": null }, { "model": "siguard dsa", "scope": "eq", "trust": 1.0, "vendor": "siemens", "version": "4.4" } ], "sources": [ { "db": "NVD", "id": "CVE-2021-45046" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.12.2", "versionStartIncluding": "2.0.1", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.16.0", "versionStartIncluding": "2.13.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:intel:oneapi:-:*:*:*:*:eclipse:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:audio_development_kit:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:datacenter_manager:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:system_debugger:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:secure_device_onboard:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:sensor_solution_firmware_development_kit:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:computer_vision_annotation_tool:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:genomics_kernel_library:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:intel:system_studio:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:siemens:sppa-t3000_ses3000:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:siemens:logo\\!_soft_comfort:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_4:4.70:sp7:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_4:4.70:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_4:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "4.70", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siveillance_control_pro:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:energyip_prepay:3.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:energyip_prepay:3.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_4:4.70:sp8:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siveillance_identity:1.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siveillance_command:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "4.16.2.1", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:sipass_integrated:2.85:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:sipass_integrated:2.80:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:head-end_system_universal_device_integration_system:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:gma-manager:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "8.6.2j-398", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:energyip:8.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:energyip:8.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:energyip:8.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:energyip:9.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:energy_engage:3.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:e-car_operation_center:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2021-12-13", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:desigo_cc_info_center:5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:desigo_cc_info_center:5.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:comos:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:captial:2019.1:sp1912:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:navigator:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2021-12-13", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:xpedition_package_integrator:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:xpedition_enterprise:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:vesys:2019.1:sp1912:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:vesys:2019.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:vesys:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2019.1", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:vesys:2019.1:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:teamcenter:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_7:2.30:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_7:2.30:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_7:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.30", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:spectrum_power_7:2.30:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:solid_edge_harness_design:2020:sp2002:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:solid_edge_harness_design:2020:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:solid_edge_harness_design:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2020", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:captial:2019.1:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:solid_edge_harness_design:2020:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:solid_edge_cam_pro:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siveillance_viewpoint:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siveillance_vantage:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siguard_dsa:4.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siguard_dsa:4.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:siguard_dsa:4.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:sentron_powermanager:4.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:sentron_powermanager:4.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:operation_scheduler:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "1.1.3", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:nx:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:opcenter_intelligence:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "3.2", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:mindsphere:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2021-12-11", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:mendix:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:industrial_edge_management_hub:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2021-12-13", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:industrial_edge_management:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:captial:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2019.1", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:siemens:tracealertserverplus:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "10.0.12", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:siemens:6bk1602-0aa12-0tp0_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.7.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:siemens:6bk1602-0aa12-0tp0:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:siemens:6bk1602-0aa22-0tp0_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.7.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:siemens:6bk1602-0aa22-0tp0:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:siemens:6bk1602-0aa32-0tp0_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.7.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:siemens:6bk1602-0aa32-0tp0:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:siemens:6bk1602-0aa42-0tp0_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.7.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:siemens:6bk1602-0aa42-0tp0:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:siemens:6bk1602-0aa52-0tp0_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.7.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:h:siemens:6bk1602-0aa52-0tp0:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-45046" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Much of the content of this vulnerability note is derived from Apache Log4j Security Vulnerabilities and http://slf4j.org/log4shell.html.This document was written by Art Manion.", "sources": [ { "db": "CERT/CC", "id": "VU#930724" } ], "trust": 0.8 }, "cve": "CVE-2021-45046", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 4.9, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "HIGH", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.2, "impactScore": 6.0, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } ], "severity": [ { "author": "NVD", "id": "CVE-2021-45046", "trust": 1.0, "value": "CRITICAL" }, { "author": "CNNVD", "id": "CNNVD-202112-1065", "trust": 0.6, "value": "CRITICAL" } ] } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202112-1065" }, { "db": "NVD", "id": "CVE-2021-45046" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default. Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j.CVE-2021-4104 Affected\nCVE-2021-44228 Affected\nCVE-2021-45046 AffectedCVE-2021-4104 Affected\nCVE-2021-44228 Affected\nCVE-2021-45046 Affected. Solution:\n\nFor OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html\n\n4. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Low: Red Hat JBoss Enterprise Application Platform 7.4.4 security update\nAdvisory ID: RHSA-2022:1297-01\nProduct: Red Hat JBoss Enterprise Application Platform\nAdvisory URL: https://access.redhat.com/errata/RHSA-2022:1297\nIssue date: 2022-04-11\nCVE Names: CVE-2021-4104 CVE-2021-44832 CVE-2021-45046 \n CVE-2021-45105 CVE-2022-23302 CVE-2022-23305 \n CVE-2022-23307 \n=====================================================================\n\n1. Summary:\n\nA security update is now available for Red Hat JBoss Enterprise Application\nPlatform 7.4 for Red Hat Enterprise Linux 8. \n\nRed Hat Product Security has rated this update as having a security impact\nof Low. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat JBoss EAP 7.4 for RHEL 8 - noarch, x86_64\n\n3. Description:\n\nRed Hat JBoss Enterprise Application Platform 7 is a platform for Java\napplications based on the WildFly application runtime. \n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves\nas a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3\nand includes bug fixes and enhancements. See the Red Hat JBoss Enterprise\nApplication Platform 7.4.4 Release Notes for information about the most\nsignificant bug fixes and enhancements included in this release. \n\n4. Solution:\n\nBefore applying this update, back up your existing Red Hat JBoss Enterprise\nApplication Platform installation and deployed applications. \n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-22105 - (7.4.z) Upgrade from com.io7m.xom:xom 1.2.10 to xom:xom 1.3.7\nJBEAP-22385 - (7.4.z) Upgrade ASM from 7.1 to 9.1\nJBEAP-22731 - (7.4.z) Upgrade Artemis from 2.16.0.redhat-00032 to 2.16.0.redhat-00034\nJBEAP-22738 - (7.4.z) Upgrade jbossws-cxf from 5.4.2.Final to 5.4.4.Final(Fix UsernameTokenElytronTestCase on SE 17)\nJBEAP-22819 - [GSS] (7.4.z) HAL-1762 - Aliases are removed from the credential store when passwords are updated from the admin console\nJBEAP-22839 - [GSS](7.4.z) Upgrade yasson from 1.0.9.redhat-00001 to 1.0.10.redhat-00001\nJBEAP-22864 - (7.4.z) Upgrade HAL from 3.3.8.Final-redhat-00001 to 3.3.9.Final-redhat-00001\nJBEAP-22900 - Tracker bug for the EAP 7.4.4 release for RHEL-8\nJBEAP-22904 - (7.4.z) Upgrade Hibernate ORM from 5.3.24.Final-redhat-00001 to 5.3.25.Final-redhat-00002\nJBEAP-22911 - (7.4.z) Upgrade OpenSSL from 2.1.3.Final-redhat-00001 to 2.2.0.Final-redhat-00001\nJBEAP-22912 - (7.4.z) Upgrade OpenSSL Natives from 2.1.0.SP01-redhat-00001 to 2.2.0.Final-redhat-00001\nJBEAP-22913 - (7.4.z) Upgrade WildFly Core from 15.0.6.Final-redhat-00003 to 15.0.7.Final-redhat-00001\nJBEAP-22935 - (7.4.z) Upgrade jboss-vfs from 3.2.15.Final-redhat-00001 to 3.2.16.Final-redhat-00001\nJBEAP-22945 - (7.4.z) Upgrade org.apache.logging.log4j from 2.14.0.redhat-00002 to 2.17.1.redhat-00001\nJBEAP-22973 - (7.4.z) Upgrade Elytron from 1.15.9.Final-redhat-00001 to 1.15.11.Final-redhat-00002\nJBEAP-23038 - (7.4.z) Upgrade galleon-plugins from 5.1.4.Final to 5.2.6.Final\nJBEAP-23040 - (7.4.z) Upgrade galleon-plugins in wildfly-core-eap from 5.1.4.Final to 5.2.6.Final\nJBEAP-23045 - (7.4.z) Upgrade Undertow from 2.2.13.SP2-redhat-00001 to 2.2.16.Final-redhat-0001\nJBEAP-23101 - (7.4.z) Upgrade Infinispan from 11.0.12.Final to 11.0.15.Final\nJBEAP-23105 - (7.4.z) Upgrade Narayana from 5.11.3.Final-redhat-00001 to 5.11.4.Final-redhat-00001\nJBEAP-23143 - (7.4.z) Upgrade from org.eclipse.jdt.core.compiler:ecj:4.6.1 to org.eclipse.jdt:ecj:3.26\nJBEAP-23177 - (7.4.z) Upgrade XNIO from 3.8.5.SP1-redhat-00001 to 3.8.6.Final-redhat-00001\nJBEAP-23323 - [GSS](7.4.z) WFLY-16112 - Batch JobOperatorService should look for only active job names to stop during suspend\nJBEAP-23373 - (7.4.z) Upgrade OpenSSL from 2.2.0.Final-redhat-00001 to 2.2.0.Final-redhat-00002\nJBEAP-23374 - (7.4.z) Upgrade WildFly Core from 15.0.7.Final-redhat-00001 to 15.0.8.Final-redhat-00001\nJBEAP-23375 - (7.4.z) Upgrade OpenSSL Natives from 2.2.0.Final-redhat-00001 to 2.2.0.Final-redhat-00002\n\n7. Package List:\n\nRed Hat JBoss EAP 7.4 for RHEL 8:\n\nSource:\neap7-activemq-artemis-2.16.0-7.redhat_00034.1.el8eap.src.rpm\neap7-ecj-3.26.0-1.redhat_00002.1.el8eap.src.rpm\neap7-hal-console-3.3.9-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-hibernate-5.3.25-1.Final_redhat_00002.1.el8eap.src.rpm\neap7-infinispan-11.0.15-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-jboss-server-migration-1.10.0-15.Final_redhat_00014.1.el8eap.src.rpm\neap7-jboss-vfs-3.2.16-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-jboss-xnio-base-3.8.6-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-jbossws-cxf-5.4.4-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-log4j-2.17.1-1.redhat_00001.1.el8eap.src.rpm\neap7-narayana-5.11.4-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-objectweb-asm-9.1.0-1.redhat_00002.1.el8eap.src.rpm\neap7-undertow-2.2.16-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-wildfly-7.4.4-3.GA_redhat_00011.1.el8eap.src.rpm\neap7-wildfly-elytron-1.15.11-1.Final_redhat_00002.1.el8eap.src.rpm\neap7-wildfly-openssl-2.2.0-3.Final_redhat_00002.1.el8eap.src.rpm\neap7-wildfly-openssl-el8-x86_64-2.2.0-2.Final_redhat_00002.1.el8eap.src.rpm\neap7-xom-1.3.7-1.redhat_00001.1.el8eap.src.rpm\neap7-yasson-1.0.10-1.redhat_00001.1.el8eap.src.rpm\n\nnoarch:\neap7-activemq-artemis-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-activemq-artemis-cli-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-activemq-artemis-commons-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-activemq-artemis-core-client-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-activemq-artemis-dto-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-activemq-artemis-hornetq-protocol-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-activemq-artemis-hqclient-protocol-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-activemq-artemis-jdbc-store-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-activemq-artemis-jms-client-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-activemq-artemis-jms-server-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-activemq-artemis-journal-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-activemq-artemis-ra-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-activemq-artemis-selector-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-activemq-artemis-server-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-activemq-artemis-service-extensions-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-activemq-artemis-tools-2.16.0-7.redhat_00034.1.el8eap.noarch.rpm\neap7-ecj-3.26.0-1.redhat_00002.1.el8eap.noarch.rpm\neap7-hal-console-3.3.9-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-hibernate-5.3.25-1.Final_redhat_00002.1.el8eap.noarch.rpm\neap7-hibernate-core-5.3.25-1.Final_redhat_00002.1.el8eap.noarch.rpm\neap7-hibernate-entitymanager-5.3.25-1.Final_redhat_00002.1.el8eap.noarch.rpm\neap7-hibernate-envers-5.3.25-1.Final_redhat_00002.1.el8eap.noarch.rpm\neap7-hibernate-java8-5.3.25-1.Final_redhat_00002.1.el8eap.noarch.rpm\neap7-infinispan-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-cachestore-jdbc-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-cachestore-remote-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-client-hotrod-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-commons-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-component-annotations-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-core-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-hibernate-cache-commons-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-hibernate-cache-spi-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-hibernate-cache-v53-11.0.15-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-jboss-server-migration-1.10.0-15.Final_redhat_00014.1.el8eap.noarch.rpm\neap7-jboss-server-migration-cli-1.10.0-15.Final_redhat_00014.1.el8eap.noarch.rpm\neap7-jboss-server-migration-core-1.10.0-15.Final_redhat_00014.1.el8eap.noarch.rpm\neap7-jboss-vfs-3.2.16-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-jboss-xnio-base-3.8.6-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-jbossws-cxf-5.4.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-log4j-2.17.1-1.redhat_00001.1.el8eap.noarch.rpm\neap7-narayana-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-narayana-compensations-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-narayana-jbosstxbridge-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-narayana-jbossxts-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-narayana-jts-idlj-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-narayana-jts-integration-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-narayana-restat-api-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-narayana-restat-bridge-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-narayana-restat-integration-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-narayana-restat-util-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-narayana-txframework-5.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-objectweb-asm-9.1.0-1.redhat_00002.1.el8eap.noarch.rpm\neap7-undertow-2.2.16-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-wildfly-7.4.4-3.GA_redhat_00011.1.el8eap.noarch.rpm\neap7-wildfly-elytron-1.15.11-1.Final_redhat_00002.1.el8eap.noarch.rpm\neap7-wildfly-elytron-tool-1.15.11-1.Final_redhat_00002.1.el8eap.noarch.rpm\neap7-wildfly-javadocs-7.4.4-3.GA_redhat_00011.1.el8eap.noarch.rpm\neap7-wildfly-modules-7.4.4-3.GA_redhat_00011.1.el8eap.noarch.rpm\neap7-wildfly-openssl-2.2.0-3.Final_redhat_00002.1.el8eap.noarch.rpm\neap7-wildfly-openssl-java-2.2.0-3.Final_redhat_00002.1.el8eap.noarch.rpm\neap7-xom-1.3.7-1.redhat_00001.1.el8eap.noarch.rpm\neap7-yasson-1.0.10-1.redhat_00001.1.el8eap.noarch.rpm\n\nx86_64:\neap7-wildfly-openssl-el8-x86_64-2.2.0-2.Final_redhat_00002.1.el8eap.x86_64.rpm\neap7-wildfly-openssl-el8-x86_64-debuginfo-2.2.0-2.Final_redhat_00002.1.el8eap.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n8. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-4104\nhttps://access.redhat.com/security/cve/CVE-2021-44832\nhttps://access.redhat.com/security/cve/CVE-2021-45046\nhttps://access.redhat.com/security/cve/CVE-2021-45105\nhttps://access.redhat.com/security/cve/CVE-2022-23302\nhttps://access.redhat.com/security/cve/CVE-2022-23305\nhttps://access.redhat.com/security/cve/CVE-2022-23307\nhttps://access.redhat.com/security/updates/classification/#low\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/\n\n9. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2022 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYlRUqtzjgjWX9erEAQhXfxAApQ6HkBUo8Tg+GWEosSpAx0AEsVPMojWK\nHU3uJRF8jp0KXqchc+KVlalBJAWHPBUDr4xBpsISqwr7T/9iYonKlo4ijA/68b2K\nkhbFyt6o6i2dXrYygT5fcMtukSjN2T/hfCc2ZE2yiHTO3Ou4AALyZ2xCyYtfSpuZ\nrZLVvgCWrnak2msgkoNl0/sZxnjw6b+ZJczKkq3QqPVWOYlV/Qdl5NGy16i0rbEo\nP1rWXJrOUlEBctJEs756cqeIJesYKHZqqPx/kHaNyzdxDh99hKGZx7oturscAN6e\nsPfSSdyd5jsOcWD7UlHV9ukoPQxf1ouVBa0qkpL0wCoR3GFF6Pls1bMEFzUoz3/R\nIwagVxsr38duK3isv34l6IQ+RP0oSWN0rgPUu69tAlEV+YwLgA5JUOpz1i7FTmXt\nl3i5+wMlo9Xc/Hy+j7unW8Do7s/i0YuFVTuM6H9KEITuFjgFA2tB9CpzoAFzWLk0\nU8zCL80Rwy1wiMydSrLjtg3YUPB6ibh2NJ02O7R+bNhJ8bN4yuDuWkDqy4VdPXGp\nzhed3dZmYAXD9/x+mnfghcbJZwigzGT9Qv78zYafB3f8K7cEVEDJK3aZMOkkh9ca\ndcaLs5WRv8ZTytFPv+KGKRJ/cc/UHAvh8zumMZdVMp1oty/k/OYWhgaEJMWGQDCe\nUnHI/WwB37w=\n=eCh2\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. The purpose of this text-only\nerrata is to inform you about the security issues fixed in this release. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor the oldstable distribution (buster), this problem has been fixed\nin version 2.16.0-1~deb10u1. \n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 2.16.0-1~deb11u1. \n\nWe recommend that you upgrade your apache-log4j2 packages. \n\nFor the detailed security status of apache-log4j2 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/apache-log4j2\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmG7FI5fFIAAAAAALgAo\naXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD\nRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7\nUeSqOg//XOye7T/8PKOrrUtHFhH+w2dOC0GujwcIS2mhofVuZQTPYvM5uTZxDTuz\nrQN+T505t9QaP3sF05gXK6VI675HhgmF3d+vDEnhp8QpZX5HeJrmmX44FewZQAqP\nyMysAuwG1RJ0Qgs7NmppU/XJBnmhJLsqsW99kcDnNXS67D23e1nUqAEDME5baSoF\nVPc50Up/yh4DE28Jcs8Mh2cM8UqmeLEQJ8XC3IojQLhmOF1UBJuL4K0sEUqWtJeN\nTytHya2XdfIIZcRolHe6AUeiLP5JpitbqkVP+hEeruAvk8nTGsLi0HMbWxA9LLcB\nbB9KKJjf6xndRa/t/IXGMzwr883t5/YLdxbCFcGj9M4Bfj7SAhGdgnJHZaRt1quX\nVcqnu1pDHpdFuRX4t6oqF9R0uiBGeupZmGdb1y7os+FU2EbTRYU0rlnhfOsou0ex\nVh5sFKFDhgWUQoyuVUMh6eOZ7p92GTzbw5kPkvboa7Xdrs02m7ChLlh8f5ajRFrK\nWbAcwsBj6RK4dmtdvfO2sVEuRTpFQ3qtecwZUR0pqUIjJ+rfurSGmpPr3iOrBu2s\nROol/vLfW5uZd6RxSNbt3twPcwBaZagFQCcDY27Yz0sH6DlQUmWed1KJjbRaZ7fn\ncqjFisSZxu8d5VoAtjMSP8l95FoAm53r9Q1HCZvXqRhBjFNoYqE=\n=TNnt\n-----END PGP SIGNATURE-----\n. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202310-16\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n Title: Ubiquiti UniFi: remote code execution via bundled log4j\n Date: October 26, 2023\n Bugs: #828853\n ID: 202310-16\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n=======\nA vulnerability has been discovered in unifi where bundled log4j can\nfacilitate a remote code execution\n\nBackground\n=========\nUbiquiti UniFi is a Management Controller for Ubiquiti Networks UniFi\nAPs. \nPlease review the CVE identifier referenced below for details. \n\nImpact\n=====\nAn attacker with permission to modify the logging configuration file can\nconstruct a malicious configuration using a JDBC Appender with a data\nsource referencing a JNDI URI which can execute remote code. \n\nWorkaround\n=========\nThere is no known workaround at this time. \n\nResolution\n=========\nAll Ubiquity UniFi users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-wireless/unifi-6.5.55\"\n\nReferences\n=========\n[ 1 ] CVE-2021-4104\n https://nvd.nist.gov/vuln/detail/CVE-2021-4104\n[ 2 ] CVE-2021-45046\n https://nvd.nist.gov/vuln/detail/CVE-2021-45046\n\nAvailability\n===========\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202310-16\n\nConcerns?\n========\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n======\nCopyright 2023 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n", "sources": [ { "db": "NVD", "id": "CVE-2021-45046" }, { "db": "CERT/CC", "id": "VU#930724" }, { "db": "PACKETSTORM", "id": "165326" }, { "db": "PACKETSTORM", "id": "165333" }, { "db": "PACKETSTORM", "id": "165636" }, { "db": "PACKETSTORM", "id": "165649" }, { "db": "PACKETSTORM", "id": "166676" }, { "db": "PACKETSTORM", "id": "166677" }, { "db": "PACKETSTORM", "id": "165650" }, { "db": "PACKETSTORM", "id": "169180" }, { "db": "PACKETSTORM", "id": "175367" } ], "trust": 2.43 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-45046", "trust": 3.3 }, { "db": "CERT/CC", "id": "VU#930724", "trust": 2.4 }, { "db": "SIEMENS", "id": "SSA-714170", "trust": 1.6 }, { "db": "SIEMENS", "id": "SSA-397453", "trust": 1.6 }, { "db": "SIEMENS", "id": "SSA-479842", "trust": 1.6 }, { "db": "SIEMENS", "id": "SSA-661247", "trust": 1.6 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2021/12/15/3", "trust": 1.6 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2021/12/14/4", "trust": 1.6 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2021/12/18/1", "trust": 1.6 }, { "db": "PACKETSTORM", "id": "165333", "trust": 0.7 }, { "db": "PACKETSTORM", "id": "165649", "trust": 0.7 }, { "db": "PACKETSTORM", "id": "166676", "trust": 0.7 }, { "db": "PACKETSTORM", "id": "166677", "trust": 0.7 }, { "db": "LENOVO", "id": "LEN-76573", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021122212", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022042115", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022020815", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022010517", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022012731", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022012443", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021121651", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021122726", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022060708", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021122119", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022012730", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021122018", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022010632", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021122814", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022062006", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022032405", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022022126", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021121516", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022012501", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021123016", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022010325", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022012045", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022020602", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022010421", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022011034", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022011226", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021121720", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022072076", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022021429", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022060808", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022030923", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021122307", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021122908", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "165343", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "165645", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.0332", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.4257", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.0086", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.4187.6", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.4295", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.4186.3", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.0247", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.0199", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.0240", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.4186.4", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.4302.3", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.4198.4", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.0090", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202112-1065", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "165326", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "165636", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "165650", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "169180", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "175367", "trust": 0.1 } ], "sources": [ { "db": "CERT/CC", "id": "VU#930724" }, { "db": "PACKETSTORM", "id": "165326" }, { "db": "PACKETSTORM", "id": "165333" }, { "db": "PACKETSTORM", "id": "165636" }, { "db": "PACKETSTORM", "id": "165649" }, { "db": "PACKETSTORM", "id": "166676" }, { "db": "PACKETSTORM", "id": "166677" }, { "db": "PACKETSTORM", "id": "165650" }, { "db": "PACKETSTORM", "id": "169180" }, { "db": "PACKETSTORM", "id": "175367" }, { "db": "CNNVD", "id": "CNNVD-202112-1065" }, { "db": "NVD", "id": "CVE-2021-45046" } ] }, "id": "VAR-202112-0562", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.6654401050000001 }, "last_update_date": "2024-07-23T21:05:01.160000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Apache Log4j Fixes for code issue vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=175394" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202112-1065" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-917", "trust": 1.0 } ], "sources": [ { "db": "NVD", "id": "CVE-2021-45046" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.6, "url": "https://www.cve.org/cverecord?id=cve-2021-44228" }, { "trust": 1.6, "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "trust": 1.6, "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/eokpqgv24rrbbi4tbzudqmm4meh7mxcy/" }, { "trust": 1.6, "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/sig7fzulmnk2xf6fzru4vwydqxnmugaj/" }, { "trust": 1.6, "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "trust": 1.6, "url": "https://psirt.global.sonicwall.com/vuln-detail/snwlid-2021-0032" }, { "trust": 1.6, "url": "https://www.kb.cert.org/vuls/id/930724" }, { "trust": 1.6, "url": "http://www.openwall.com/lists/oss-security/2021/12/18/1" }, { "trust": 1.6, "url": "http://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "trust": 1.6, "url": "http://www.openwall.com/lists/oss-security/2021/12/15/3" }, { "trust": 1.6, "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf" }, { "trust": 1.6, "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf" }, { "trust": 1.6, "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html" }, { "trust": 1.6, "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "trust": 1.6, "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf" }, { "trust": 1.6, "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "trust": 1.6, "url": "https://www.debian.org/security/2021/dsa-5022" }, { "trust": 1.6, "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-apache-log4j-qruknebd" }, { "trust": 1.6, "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html" }, { "trust": 1.6, "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf" }, { "trust": 1.3, "url": "https://access.redhat.com/security/cve/cve-2021-45046" }, { "trust": 1.1, "url": "https://security.gentoo.org/glsa/202310-16" }, { "trust": 0.9, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-45046" }, { "trust": 0.8, "url": "cve-2021-4104 " }, { "trust": 0.8, "url": "cve-2021-44228 " }, { "trust": 0.8, "url": "cve-2021-45046 " }, { "trust": 0.7, "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.7, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.7, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.6, "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/eokpqgv24rrbbi4tbzudqmm4meh7mxcy/" }, { "trust": 0.6, "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/sig7fzulmnk2xf6fzru4vwydqxnmugaj/" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022060808" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022072076" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.0086" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.0240" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.4186.4" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.4186.3" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021122212" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022012731" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.4302.3" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/165649/red-hat-security-advisory-2022-0222-02.html" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021122814" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/165645/red-hat-security-advisory-2022-0205-02.html" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021121720" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021122018" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022010632" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022012730" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/166676/red-hat-security-advisory-2022-1297-01.html" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.0199" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022010517" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022020602" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/apache-log4j-denial-of-service-via-thread-context-message-pattern-37075" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.4257" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/165333/red-hat-security-advisory-2021-5106-04.html" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022012501" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022062006" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021123016" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/165343/red-hat-security-advisory-2021-5107-06.html" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021122726" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021121516" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.4295" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022010325" }, { "trust": 0.6, "url": "https://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20211215-01-log4j-cn" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021122908" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022060708" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6527436" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022011226" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6528374" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022032405" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021122119" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.0332" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022030923" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.4198.4" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6527886" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022042115" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.0090" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6526750" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022022126" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021121651" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022021429" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.4187.6" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022020815" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021122307" }, { "trust": 0.6, "url": "https://support.lenovo.com/us/en/product_security/len-76573" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022012045" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/166677/red-hat-security-advisory-2022-1296-01.html" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022011034" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022012443" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022010421" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.0247" }, { "trust": 0.5, "url": "https://access.redhat.com/security/cve/cve-2021-44832" }, { "trust": 0.5, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-45105" }, { "trust": 0.5, "url": "https://access.redhat.com/security/cve/cve-2021-45105" }, { "trust": 0.5, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-44832" }, { "trust": 0.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4104" }, { "trust": 0.4, "url": "https://access.redhat.com/articles/11258" }, { "trust": 0.3, "url": "https://access.redhat.com/security/vulnerabilities/rhsb-2021-009" }, { "trust": 0.3, "url": "https://access.redhat.com/security/cve/cve-2021-4104" }, { "trust": 0.3, "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "trust": 0.3, "url": "https://access.redhat.com/security/updates/classification/#low" }, { "trust": 0.3, "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "trust": 0.2, "url": "https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-44228" }, { "trust": 0.2, "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-44228" }, { "trust": 0.2, "url": "https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html" }, { "trust": 0.2, "url": "https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q1" }, { "trust": 0.2, "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "trust": 0.2, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=red.hat.integration\u0026version" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23307" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23302" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23305" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2022-23302" }, { "trust": 0.2, "url": "https://access.redhat.com/security/team/key/" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2022-23305" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2022-23307" }, { "trust": 0.2, "url": "https://issues.jboss.org/):" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2021:5141" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2021:5106" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=securitypatches\u0026product=appplatform\u0026version=7.4" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2022:0216" }, { "trust": 0.1, "url": "https://access.redhat.com/solutions/6577421" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2022:0222" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2022:1297" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2022:1296" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2022:0223" }, { "trust": 0.1, "url": "https://www.debian.org/security/faq" }, { "trust": 0.1, "url": "https://security-tracker.debian.org/tracker/apache-log4j2" }, { "trust": 0.1, "url": "https://www.debian.org/security/" }, { "trust": 0.1, "url": "https://bugs.gentoo.org." }, { "trust": 0.1, "url": "https://creativecommons.org/licenses/by-sa/2.5" }, { "trust": 0.1, "url": "https://security.gentoo.org/" } ], "sources": [ { "db": "CERT/CC", "id": "VU#930724" }, { "db": "PACKETSTORM", "id": "165326" }, { "db": "PACKETSTORM", "id": "165333" }, { "db": "PACKETSTORM", "id": "165636" }, { "db": "PACKETSTORM", "id": "165649" }, { "db": "PACKETSTORM", "id": "166676" }, { "db": "PACKETSTORM", "id": "166677" }, { "db": "PACKETSTORM", "id": "165650" }, { "db": "PACKETSTORM", "id": "169180" }, { "db": "PACKETSTORM", "id": "175367" }, { "db": "CNNVD", "id": "CNNVD-202112-1065" }, { "db": "NVD", "id": "CVE-2021-45046" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CERT/CC", "id": "VU#930724" }, { "db": "PACKETSTORM", "id": "165326" }, { "db": "PACKETSTORM", "id": "165333" }, { "db": "PACKETSTORM", "id": "165636" }, { "db": "PACKETSTORM", "id": "165649" }, { "db": "PACKETSTORM", "id": "166676" }, { "db": "PACKETSTORM", "id": "166677" }, { "db": "PACKETSTORM", "id": "165650" }, { "db": "PACKETSTORM", "id": "169180" }, { "db": "PACKETSTORM", "id": "175367" }, { "db": "CNNVD", "id": "CNNVD-202112-1065" }, { "db": "NVD", "id": "CVE-2021-45046" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-12-15T00:00:00", "db": "CERT/CC", "id": "VU#930724" }, { "date": "2021-12-16T15:22:54", "db": "PACKETSTORM", "id": "165326" }, { "date": "2021-12-16T15:34:27", "db": "PACKETSTORM", "id": "165333" }, { "date": "2022-01-20T17:49:52", "db": "PACKETSTORM", "id": "165636" }, { "date": "2022-01-21T15:29:08", "db": "PACKETSTORM", "id": "165649" }, { "date": "2022-04-11T17:14:49", "db": "PACKETSTORM", "id": "166676" }, { "date": "2022-04-11T17:15:55", "db": "PACKETSTORM", "id": "166677" }, { "date": "2022-01-21T15:29:54", "db": "PACKETSTORM", "id": "165650" }, { "date": "2021-12-28T20:12:00", "db": "PACKETSTORM", "id": "169180" }, { "date": "2023-10-26T14:46:58", "db": "PACKETSTORM", "id": "175367" }, { "date": "2021-12-14T00:00:00", "db": "CNNVD", "id": "CNNVD-202112-1065" }, { "date": "2021-12-14T19:15:07.733000", "db": "NVD", "id": "CVE-2021-45046" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-02-07T00:00:00", "db": "CERT/CC", "id": "VU#930724" }, { "date": "2023-06-28T00:00:00", "db": "CNNVD", "id": "CNNVD-202112-1065" }, { "date": "2024-06-27T19:24:09.027000", "db": "NVD", "id": "CVE-2021-45046" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "PACKETSTORM", "id": "166676" }, { "db": "PACKETSTORM", "id": "166677" }, { "db": "PACKETSTORM", "id": "175367" }, { "db": "CNNVD", "id": "CNNVD-202112-1065" } ], "trust": 0.9 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache Log4j allows insecure JNDI lookups", "sources": [ { "db": "CERT/CC", "id": "VU#930724" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "code execution", "sources": [ { "db": "PACKETSTORM", "id": "165326" }, { "db": "PACKETSTORM", "id": "165333" }, { "db": "PACKETSTORM", "id": "165636" }, { "db": "PACKETSTORM", "id": "165649" }, { "db": "PACKETSTORM", "id": "165650" }, { "db": "PACKETSTORM", "id": "175367" } ], "trust": 0.6 } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.