csaf_redhat - rhsa-2022

rhsa-2022_0042

Vulnerability from csaf_redhat

Published

2022-01-10 06:37

Modified

2024-11-10 19:26

Summary

Red Hat Security Advisory: Red Hat OpenShift Enterprise Logging security and bug fix update (5.1.6)

Notes

Topic

An update is now available for OpenShift Logging (5.1.6) Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Openshift Logging Bug Fix Release (5.1.6) Security Fix(es): * log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for OpenShift Logging (5.1.6)\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Openshift Logging Bug Fix Release (5.1.6)\n\nSecurity Fix(es):\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:0042",
        "url": "https://access.redhat.com/errata/RHSA-2022:0042"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#low",
        "url": "https://access.redhat.com/security/updates/classification/#low"
      },
      {
        "category": "external",
        "summary": "2034067",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067"
      },
      {
        "category": "external",
        "summary": "LOG-1868",
        "url": "https://issues.redhat.com/browse/LOG-1868"
      },
      {
        "category": "external",
        "summary": "LOG-2022",
        "url": "https://issues.redhat.com/browse/LOG-2022"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0042.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat OpenShift Enterprise Logging security and bug fix update (5.1.6)",
    "tracking": {
      "current_release_date": "2024-11-10T19:26:49+00:00",
      "generator": {
        "date": "2024-11-10T19:26:49+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2022:0042",
      "initial_release_date": "2022-01-10T06:37:56+00:00",
      "revision_history": [
        {
          "date": "2022-01-10T06:37:56+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-01-10T06:37:56+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-10T19:26:49+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Logging 5.1",
                "product": {
                  "name": "OpenShift Logging 5.1",
                  "product_id": "8Base-OSE-LOGGING-5.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:logging:5.1::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:ac41da9ee00bb755906009e21df87e586b7565a92f3b716fb99e72d744ef9ffe_ppc64le",
                "product": {
                  "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:ac41da9ee00bb755906009e21df87e586b7565a92f3b716fb99e72d744ef9ffe_ppc64le",
                  "product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:ac41da9ee00bb755906009e21df87e586b7565a92f3b716fb99e72d744ef9ffe_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:ac41da9ee00bb755906009e21df87e586b7565a92f3b716fb99e72d744ef9ffe?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.1.6-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:757895d2dc77ffa86176a5a66b07e4a74306513a3b3bde9d66ba41b8a4cc2961_ppc64le",
                "product": {
                  "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:757895d2dc77ffa86176a5a66b07e4a74306513a3b3bde9d66ba41b8a4cc2961_ppc64le",
                  "product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:757895d2dc77ffa86176a5a66b07e4a74306513a3b3bde9d66ba41b8a4cc2961_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:757895d2dc77ffa86176a5a66b07e4a74306513a3b3bde9d66ba41b8a4cc2961?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.1.6-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:e0116ef235fda9d4a07f10a9c5e8727daba6a9b7fb1b5aaa9ce5d870539ae1fe_ppc64le",
                "product": {
                  "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:e0116ef235fda9d4a07f10a9c5e8727daba6a9b7fb1b5aaa9ce5d870539ae1fe_ppc64le",
                  "product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:e0116ef235fda9d4a07f10a9c5e8727daba6a9b7fb1b5aaa9ce5d870539ae1fe_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:e0116ef235fda9d4a07f10a9c5e8727daba6a9b7fb1b5aaa9ce5d870539ae1fe?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-87"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/elasticsearch6-rhel8@sha256:0bda3c71be7183afc13247ae55ca2f5b11193a82c8440a883aa73e403b5f77f6_ppc64le",
                "product": {
                  "name": "openshift-logging/elasticsearch6-rhel8@sha256:0bda3c71be7183afc13247ae55ca2f5b11193a82c8440a883aa73e403b5f77f6_ppc64le",
                  "product_id": "openshift-logging/elasticsearch6-rhel8@sha256:0bda3c71be7183afc13247ae55ca2f5b11193a82c8440a883aa73e403b5f77f6_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/elasticsearch6-rhel8@sha256:0bda3c71be7183afc13247ae55ca2f5b11193a82c8440a883aa73e403b5f77f6?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-82"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/eventrouter-rhel8@sha256:cd4cb336303f187cec94043368fd30de9b79932fd29c2909fc08a623e4cc4c51_ppc64le",
                "product": {
                  "name": "openshift-logging/eventrouter-rhel8@sha256:cd4cb336303f187cec94043368fd30de9b79932fd29c2909fc08a623e4cc4c51_ppc64le",
                  "product_id": "openshift-logging/eventrouter-rhel8@sha256:cd4cb336303f187cec94043368fd30de9b79932fd29c2909fc08a623e4cc4c51_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/eventrouter-rhel8@sha256:cd4cb336303f187cec94043368fd30de9b79932fd29c2909fc08a623e4cc4c51?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-81"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/fluentd-rhel8@sha256:cf140d111408ed3cf2b245a6953de7fc1e958a1bfe18c430883fd95a612e4e6f_ppc64le",
                "product": {
                  "name": "openshift-logging/fluentd-rhel8@sha256:cf140d111408ed3cf2b245a6953de7fc1e958a1bfe18c430883fd95a612e4e6f_ppc64le",
                  "product_id": "openshift-logging/fluentd-rhel8@sha256:cf140d111408ed3cf2b245a6953de7fc1e958a1bfe18c430883fd95a612e4e6f_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/fluentd-rhel8@sha256:cf140d111408ed3cf2b245a6953de7fc1e958a1bfe18c430883fd95a612e4e6f?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-88"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/kibana6-rhel8@sha256:3cfa1f6fbe2374fe7393003f2bb1f1971d962398f7f4924e05837c54d4cacf06_ppc64le",
                "product": {
                  "name": "openshift-logging/kibana6-rhel8@sha256:3cfa1f6fbe2374fe7393003f2bb1f1971d962398f7f4924e05837c54d4cacf06_ppc64le",
                  "product_id": "openshift-logging/kibana6-rhel8@sha256:3cfa1f6fbe2374fe7393003f2bb1f1971d962398f7f4924e05837c54d4cacf06_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kibana6-rhel8@sha256:3cfa1f6fbe2374fe7393003f2bb1f1971d962398f7f4924e05837c54d4cacf06?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-93"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:6628f6ce35760597d9ec97f6c5ffaca403728f0aac44f5d5d7d23f2c0a11911f_amd64",
                "product": {
                  "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:6628f6ce35760597d9ec97f6c5ffaca403728f0aac44f5d5d7d23f2c0a11911f_amd64",
                  "product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:6628f6ce35760597d9ec97f6c5ffaca403728f0aac44f5d5d7d23f2c0a11911f_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:6628f6ce35760597d9ec97f6c5ffaca403728f0aac44f5d5d7d23f2c0a11911f?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.1.6-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/cluster-logging-operator-bundle@sha256:5aed9db163e965f2786e00f5cc27e2ae738a5ea400fde65403def07b56f9b44e_amd64",
                "product": {
                  "name": "openshift-logging/cluster-logging-operator-bundle@sha256:5aed9db163e965f2786e00f5cc27e2ae738a5ea400fde65403def07b56f9b44e_amd64",
                  "product_id": "openshift-logging/cluster-logging-operator-bundle@sha256:5aed9db163e965f2786e00f5cc27e2ae738a5ea400fde65403def07b56f9b44e_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cluster-logging-operator-bundle@sha256:5aed9db163e965f2786e00f5cc27e2ae738a5ea400fde65403def07b56f9b44e?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-operator-bundle\u0026tag=v5.1.6-18"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:2144ec2733a579ba4f6ff21f5a733f5ad52068ec7dc54252bbcbf38bdf9bde06_amd64",
                "product": {
                  "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:2144ec2733a579ba4f6ff21f5a733f5ad52068ec7dc54252bbcbf38bdf9bde06_amd64",
                  "product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:2144ec2733a579ba4f6ff21f5a733f5ad52068ec7dc54252bbcbf38bdf9bde06_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:2144ec2733a579ba4f6ff21f5a733f5ad52068ec7dc54252bbcbf38bdf9bde06?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.1.6-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/elasticsearch-operator-bundle@sha256:26cc3b0f2cf973f88251875484958a87c0184a26693385c5801edc0aa87b46ec_amd64",
                "product": {
                  "name": "openshift-logging/elasticsearch-operator-bundle@sha256:26cc3b0f2cf973f88251875484958a87c0184a26693385c5801edc0aa87b46ec_amd64",
                  "product_id": "openshift-logging/elasticsearch-operator-bundle@sha256:26cc3b0f2cf973f88251875484958a87c0184a26693385c5801edc0aa87b46ec_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/elasticsearch-operator-bundle@sha256:26cc3b0f2cf973f88251875484958a87c0184a26693385c5801edc0aa87b46ec?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-operator-bundle\u0026tag=v5.1.6-18"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:dbd6862307c3a4fc5c5ab67dbafb7be453ba3f1c7e914f2afc25bb817cb24b0e_amd64",
                "product": {
                  "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:dbd6862307c3a4fc5c5ab67dbafb7be453ba3f1c7e914f2afc25bb817cb24b0e_amd64",
                  "product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:dbd6862307c3a4fc5c5ab67dbafb7be453ba3f1c7e914f2afc25bb817cb24b0e_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:dbd6862307c3a4fc5c5ab67dbafb7be453ba3f1c7e914f2afc25bb817cb24b0e?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-87"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/elasticsearch6-rhel8@sha256:fef623d868f3c6f16d39f1853e236e52fbdf48f529b8fec4db21301d4fabecd5_amd64",
                "product": {
                  "name": "openshift-logging/elasticsearch6-rhel8@sha256:fef623d868f3c6f16d39f1853e236e52fbdf48f529b8fec4db21301d4fabecd5_amd64",
                  "product_id": "openshift-logging/elasticsearch6-rhel8@sha256:fef623d868f3c6f16d39f1853e236e52fbdf48f529b8fec4db21301d4fabecd5_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/elasticsearch6-rhel8@sha256:fef623d868f3c6f16d39f1853e236e52fbdf48f529b8fec4db21301d4fabecd5?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-82"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/eventrouter-rhel8@sha256:604e76ac4d6d562991adb4931b94cf499d9c06453c2f82376736ecae18495658_amd64",
                "product": {
                  "name": "openshift-logging/eventrouter-rhel8@sha256:604e76ac4d6d562991adb4931b94cf499d9c06453c2f82376736ecae18495658_amd64",
                  "product_id": "openshift-logging/eventrouter-rhel8@sha256:604e76ac4d6d562991adb4931b94cf499d9c06453c2f82376736ecae18495658_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/eventrouter-rhel8@sha256:604e76ac4d6d562991adb4931b94cf499d9c06453c2f82376736ecae18495658?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-81"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/fluentd-rhel8@sha256:dc891c8949a461c01dee41d9fff21a13b7ca9b7521c9be79363549bbf7fd6427_amd64",
                "product": {
                  "name": "openshift-logging/fluentd-rhel8@sha256:dc891c8949a461c01dee41d9fff21a13b7ca9b7521c9be79363549bbf7fd6427_amd64",
                  "product_id": "openshift-logging/fluentd-rhel8@sha256:dc891c8949a461c01dee41d9fff21a13b7ca9b7521c9be79363549bbf7fd6427_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/fluentd-rhel8@sha256:dc891c8949a461c01dee41d9fff21a13b7ca9b7521c9be79363549bbf7fd6427?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-88"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/kibana6-rhel8@sha256:1aac827a9fb85bd9340c887790d9ef3577a77b8105a0f8fcd9897c603354450c_amd64",
                "product": {
                  "name": "openshift-logging/kibana6-rhel8@sha256:1aac827a9fb85bd9340c887790d9ef3577a77b8105a0f8fcd9897c603354450c_amd64",
                  "product_id": "openshift-logging/kibana6-rhel8@sha256:1aac827a9fb85bd9340c887790d9ef3577a77b8105a0f8fcd9897c603354450c_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kibana6-rhel8@sha256:1aac827a9fb85bd9340c887790d9ef3577a77b8105a0f8fcd9897c603354450c?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-93"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:49580fc09b09288cd708481e3d2a81e9fdcbd875d23e444a80a54d20165417d1_s390x",
                "product": {
                  "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:49580fc09b09288cd708481e3d2a81e9fdcbd875d23e444a80a54d20165417d1_s390x",
                  "product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:49580fc09b09288cd708481e3d2a81e9fdcbd875d23e444a80a54d20165417d1_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:49580fc09b09288cd708481e3d2a81e9fdcbd875d23e444a80a54d20165417d1?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.1.6-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:c1bb2b5fa69b561e3f65c262059a4784e1ac3d08afc05c1eac109a0b198f65d1_s390x",
                "product": {
                  "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:c1bb2b5fa69b561e3f65c262059a4784e1ac3d08afc05c1eac109a0b198f65d1_s390x",
                  "product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:c1bb2b5fa69b561e3f65c262059a4784e1ac3d08afc05c1eac109a0b198f65d1_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:c1bb2b5fa69b561e3f65c262059a4784e1ac3d08afc05c1eac109a0b198f65d1?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.1.6-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:a68b9ed7b19e8289de0efce89bf0253b79703b46e4a0b54b7953202fea6f6513_s390x",
                "product": {
                  "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:a68b9ed7b19e8289de0efce89bf0253b79703b46e4a0b54b7953202fea6f6513_s390x",
                  "product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:a68b9ed7b19e8289de0efce89bf0253b79703b46e4a0b54b7953202fea6f6513_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:a68b9ed7b19e8289de0efce89bf0253b79703b46e4a0b54b7953202fea6f6513?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-87"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/elasticsearch6-rhel8@sha256:74bc681d8c448a4bdff547b3f8119028e904c64c710fb1b5bb4ee016b13c2fdc_s390x",
                "product": {
                  "name": "openshift-logging/elasticsearch6-rhel8@sha256:74bc681d8c448a4bdff547b3f8119028e904c64c710fb1b5bb4ee016b13c2fdc_s390x",
                  "product_id": "openshift-logging/elasticsearch6-rhel8@sha256:74bc681d8c448a4bdff547b3f8119028e904c64c710fb1b5bb4ee016b13c2fdc_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/elasticsearch6-rhel8@sha256:74bc681d8c448a4bdff547b3f8119028e904c64c710fb1b5bb4ee016b13c2fdc?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-82"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/eventrouter-rhel8@sha256:28f20684e4478a2a083039e5554ad364d764d3af9c07529b4c41b1feaed8183c_s390x",
                "product": {
                  "name": "openshift-logging/eventrouter-rhel8@sha256:28f20684e4478a2a083039e5554ad364d764d3af9c07529b4c41b1feaed8183c_s390x",
                  "product_id": "openshift-logging/eventrouter-rhel8@sha256:28f20684e4478a2a083039e5554ad364d764d3af9c07529b4c41b1feaed8183c_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/eventrouter-rhel8@sha256:28f20684e4478a2a083039e5554ad364d764d3af9c07529b4c41b1feaed8183c?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-81"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/fluentd-rhel8@sha256:ad2c3d7447af955402d903f83790f88d5f6d29cc523b54933c68d80366e5346e_s390x",
                "product": {
                  "name": "openshift-logging/fluentd-rhel8@sha256:ad2c3d7447af955402d903f83790f88d5f6d29cc523b54933c68d80366e5346e_s390x",
                  "product_id": "openshift-logging/fluentd-rhel8@sha256:ad2c3d7447af955402d903f83790f88d5f6d29cc523b54933c68d80366e5346e_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/fluentd-rhel8@sha256:ad2c3d7447af955402d903f83790f88d5f6d29cc523b54933c68d80366e5346e?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-88"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-logging/kibana6-rhel8@sha256:43e78035965f037c2d03060de332556fd996f91afef969dba80c90981e43ccd7_s390x",
                "product": {
                  "name": "openshift-logging/kibana6-rhel8@sha256:43e78035965f037c2d03060de332556fd996f91afef969dba80c90981e43ccd7_s390x",
                  "product_id": "openshift-logging/kibana6-rhel8@sha256:43e78035965f037c2d03060de332556fd996f91afef969dba80c90981e43ccd7_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kibana6-rhel8@sha256:43e78035965f037c2d03060de332556fd996f91afef969dba80c90981e43ccd7?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-93"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/cluster-logging-operator-bundle@sha256:5aed9db163e965f2786e00f5cc27e2ae738a5ea400fde65403def07b56f9b44e_amd64 as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:5aed9db163e965f2786e00f5cc27e2ae738a5ea400fde65403def07b56f9b44e_amd64"
        },
        "product_reference": "openshift-logging/cluster-logging-operator-bundle@sha256:5aed9db163e965f2786e00f5cc27e2ae738a5ea400fde65403def07b56f9b44e_amd64",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:49580fc09b09288cd708481e3d2a81e9fdcbd875d23e444a80a54d20165417d1_s390x as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:49580fc09b09288cd708481e3d2a81e9fdcbd875d23e444a80a54d20165417d1_s390x"
        },
        "product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:49580fc09b09288cd708481e3d2a81e9fdcbd875d23e444a80a54d20165417d1_s390x",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:6628f6ce35760597d9ec97f6c5ffaca403728f0aac44f5d5d7d23f2c0a11911f_amd64 as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:6628f6ce35760597d9ec97f6c5ffaca403728f0aac44f5d5d7d23f2c0a11911f_amd64"
        },
        "product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:6628f6ce35760597d9ec97f6c5ffaca403728f0aac44f5d5d7d23f2c0a11911f_amd64",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/cluster-logging-rhel8-operator@sha256:ac41da9ee00bb755906009e21df87e586b7565a92f3b716fb99e72d744ef9ffe_ppc64le as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:ac41da9ee00bb755906009e21df87e586b7565a92f3b716fb99e72d744ef9ffe_ppc64le"
        },
        "product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:ac41da9ee00bb755906009e21df87e586b7565a92f3b716fb99e72d744ef9ffe_ppc64le",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/elasticsearch-operator-bundle@sha256:26cc3b0f2cf973f88251875484958a87c0184a26693385c5801edc0aa87b46ec_amd64 as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:26cc3b0f2cf973f88251875484958a87c0184a26693385c5801edc0aa87b46ec_amd64"
        },
        "product_reference": "openshift-logging/elasticsearch-operator-bundle@sha256:26cc3b0f2cf973f88251875484958a87c0184a26693385c5801edc0aa87b46ec_amd64",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:a68b9ed7b19e8289de0efce89bf0253b79703b46e4a0b54b7953202fea6f6513_s390x as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:a68b9ed7b19e8289de0efce89bf0253b79703b46e4a0b54b7953202fea6f6513_s390x"
        },
        "product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:a68b9ed7b19e8289de0efce89bf0253b79703b46e4a0b54b7953202fea6f6513_s390x",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:dbd6862307c3a4fc5c5ab67dbafb7be453ba3f1c7e914f2afc25bb817cb24b0e_amd64 as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:dbd6862307c3a4fc5c5ab67dbafb7be453ba3f1c7e914f2afc25bb817cb24b0e_amd64"
        },
        "product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:dbd6862307c3a4fc5c5ab67dbafb7be453ba3f1c7e914f2afc25bb817cb24b0e_amd64",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:e0116ef235fda9d4a07f10a9c5e8727daba6a9b7fb1b5aaa9ce5d870539ae1fe_ppc64le as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:e0116ef235fda9d4a07f10a9c5e8727daba6a9b7fb1b5aaa9ce5d870539ae1fe_ppc64le"
        },
        "product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:e0116ef235fda9d4a07f10a9c5e8727daba6a9b7fb1b5aaa9ce5d870539ae1fe_ppc64le",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:2144ec2733a579ba4f6ff21f5a733f5ad52068ec7dc54252bbcbf38bdf9bde06_amd64 as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2144ec2733a579ba4f6ff21f5a733f5ad52068ec7dc54252bbcbf38bdf9bde06_amd64"
        },
        "product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:2144ec2733a579ba4f6ff21f5a733f5ad52068ec7dc54252bbcbf38bdf9bde06_amd64",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:757895d2dc77ffa86176a5a66b07e4a74306513a3b3bde9d66ba41b8a4cc2961_ppc64le as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:757895d2dc77ffa86176a5a66b07e4a74306513a3b3bde9d66ba41b8a4cc2961_ppc64le"
        },
        "product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:757895d2dc77ffa86176a5a66b07e4a74306513a3b3bde9d66ba41b8a4cc2961_ppc64le",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/elasticsearch-rhel8-operator@sha256:c1bb2b5fa69b561e3f65c262059a4784e1ac3d08afc05c1eac109a0b198f65d1_s390x as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:c1bb2b5fa69b561e3f65c262059a4784e1ac3d08afc05c1eac109a0b198f65d1_s390x"
        },
        "product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:c1bb2b5fa69b561e3f65c262059a4784e1ac3d08afc05c1eac109a0b198f65d1_s390x",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/elasticsearch6-rhel8@sha256:0bda3c71be7183afc13247ae55ca2f5b11193a82c8440a883aa73e403b5f77f6_ppc64le as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:0bda3c71be7183afc13247ae55ca2f5b11193a82c8440a883aa73e403b5f77f6_ppc64le"
        },
        "product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:0bda3c71be7183afc13247ae55ca2f5b11193a82c8440a883aa73e403b5f77f6_ppc64le",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/elasticsearch6-rhel8@sha256:74bc681d8c448a4bdff547b3f8119028e904c64c710fb1b5bb4ee016b13c2fdc_s390x as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:74bc681d8c448a4bdff547b3f8119028e904c64c710fb1b5bb4ee016b13c2fdc_s390x"
        },
        "product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:74bc681d8c448a4bdff547b3f8119028e904c64c710fb1b5bb4ee016b13c2fdc_s390x",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/elasticsearch6-rhel8@sha256:fef623d868f3c6f16d39f1853e236e52fbdf48f529b8fec4db21301d4fabecd5_amd64 as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fef623d868f3c6f16d39f1853e236e52fbdf48f529b8fec4db21301d4fabecd5_amd64"
        },
        "product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:fef623d868f3c6f16d39f1853e236e52fbdf48f529b8fec4db21301d4fabecd5_amd64",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/eventrouter-rhel8@sha256:28f20684e4478a2a083039e5554ad364d764d3af9c07529b4c41b1feaed8183c_s390x as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:28f20684e4478a2a083039e5554ad364d764d3af9c07529b4c41b1feaed8183c_s390x"
        },
        "product_reference": "openshift-logging/eventrouter-rhel8@sha256:28f20684e4478a2a083039e5554ad364d764d3af9c07529b4c41b1feaed8183c_s390x",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/eventrouter-rhel8@sha256:604e76ac4d6d562991adb4931b94cf499d9c06453c2f82376736ecae18495658_amd64 as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:604e76ac4d6d562991adb4931b94cf499d9c06453c2f82376736ecae18495658_amd64"
        },
        "product_reference": "openshift-logging/eventrouter-rhel8@sha256:604e76ac4d6d562991adb4931b94cf499d9c06453c2f82376736ecae18495658_amd64",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/eventrouter-rhel8@sha256:cd4cb336303f187cec94043368fd30de9b79932fd29c2909fc08a623e4cc4c51_ppc64le as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cd4cb336303f187cec94043368fd30de9b79932fd29c2909fc08a623e4cc4c51_ppc64le"
        },
        "product_reference": "openshift-logging/eventrouter-rhel8@sha256:cd4cb336303f187cec94043368fd30de9b79932fd29c2909fc08a623e4cc4c51_ppc64le",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/fluentd-rhel8@sha256:ad2c3d7447af955402d903f83790f88d5f6d29cc523b54933c68d80366e5346e_s390x as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:ad2c3d7447af955402d903f83790f88d5f6d29cc523b54933c68d80366e5346e_s390x"
        },
        "product_reference": "openshift-logging/fluentd-rhel8@sha256:ad2c3d7447af955402d903f83790f88d5f6d29cc523b54933c68d80366e5346e_s390x",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/fluentd-rhel8@sha256:cf140d111408ed3cf2b245a6953de7fc1e958a1bfe18c430883fd95a612e4e6f_ppc64le as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:cf140d111408ed3cf2b245a6953de7fc1e958a1bfe18c430883fd95a612e4e6f_ppc64le"
        },
        "product_reference": "openshift-logging/fluentd-rhel8@sha256:cf140d111408ed3cf2b245a6953de7fc1e958a1bfe18c430883fd95a612e4e6f_ppc64le",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/fluentd-rhel8@sha256:dc891c8949a461c01dee41d9fff21a13b7ca9b7521c9be79363549bbf7fd6427_amd64 as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:dc891c8949a461c01dee41d9fff21a13b7ca9b7521c9be79363549bbf7fd6427_amd64"
        },
        "product_reference": "openshift-logging/fluentd-rhel8@sha256:dc891c8949a461c01dee41d9fff21a13b7ca9b7521c9be79363549bbf7fd6427_amd64",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/kibana6-rhel8@sha256:1aac827a9fb85bd9340c887790d9ef3577a77b8105a0f8fcd9897c603354450c_amd64 as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:1aac827a9fb85bd9340c887790d9ef3577a77b8105a0f8fcd9897c603354450c_amd64"
        },
        "product_reference": "openshift-logging/kibana6-rhel8@sha256:1aac827a9fb85bd9340c887790d9ef3577a77b8105a0f8fcd9897c603354450c_amd64",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/kibana6-rhel8@sha256:3cfa1f6fbe2374fe7393003f2bb1f1971d962398f7f4924e05837c54d4cacf06_ppc64le as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:3cfa1f6fbe2374fe7393003f2bb1f1971d962398f7f4924e05837c54d4cacf06_ppc64le"
        },
        "product_reference": "openshift-logging/kibana6-rhel8@sha256:3cfa1f6fbe2374fe7393003f2bb1f1971d962398f7f4924e05837c54d4cacf06_ppc64le",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-logging/kibana6-rhel8@sha256:43e78035965f037c2d03060de332556fd996f91afef969dba80c90981e43ccd7_s390x as a component of OpenShift Logging 5.1",
          "product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:43e78035965f037c2d03060de332556fd996f91afef969dba80c90981e43ccd7_s390x"
        },
        "product_reference": "openshift-logging/kibana6-rhel8@sha256:43e78035965f037c2d03060de332556fd996f91afef969dba80c90981e43ccd7_s390x",
        "relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-45105",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2021-12-19T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:5aed9db163e965f2786e00f5cc27e2ae738a5ea400fde65403def07b56f9b44e_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:49580fc09b09288cd708481e3d2a81e9fdcbd875d23e444a80a54d20165417d1_s390x",
            "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:6628f6ce35760597d9ec97f6c5ffaca403728f0aac44f5d5d7d23f2c0a11911f_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:ac41da9ee00bb755906009e21df87e586b7565a92f3b716fb99e72d744ef9ffe_ppc64le",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:26cc3b0f2cf973f88251875484958a87c0184a26693385c5801edc0aa87b46ec_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:a68b9ed7b19e8289de0efce89bf0253b79703b46e4a0b54b7953202fea6f6513_s390x",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:dbd6862307c3a4fc5c5ab67dbafb7be453ba3f1c7e914f2afc25bb817cb24b0e_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:e0116ef235fda9d4a07f10a9c5e8727daba6a9b7fb1b5aaa9ce5d870539ae1fe_ppc64le",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2144ec2733a579ba4f6ff21f5a733f5ad52068ec7dc54252bbcbf38bdf9bde06_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:757895d2dc77ffa86176a5a66b07e4a74306513a3b3bde9d66ba41b8a4cc2961_ppc64le",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:c1bb2b5fa69b561e3f65c262059a4784e1ac3d08afc05c1eac109a0b198f65d1_s390x",
            "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:28f20684e4478a2a083039e5554ad364d764d3af9c07529b4c41b1feaed8183c_s390x",
            "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:604e76ac4d6d562991adb4931b94cf499d9c06453c2f82376736ecae18495658_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cd4cb336303f187cec94043368fd30de9b79932fd29c2909fc08a623e4cc4c51_ppc64le",
            "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:ad2c3d7447af955402d903f83790f88d5f6d29cc523b54933c68d80366e5346e_s390x",
            "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:cf140d111408ed3cf2b245a6953de7fc1e958a1bfe18c430883fd95a612e4e6f_ppc64le",
            "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:dc891c8949a461c01dee41d9fff21a13b7ca9b7521c9be79363549bbf7fd6427_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:1aac827a9fb85bd9340c887790d9ef3577a77b8105a0f8fcd9897c603354450c_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:3cfa1f6fbe2374fe7393003f2bb1f1971d962398f7f4924e05837c54d4cacf06_ppc64le",
            "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:43e78035965f037c2d03060de332556fd996f91afef969dba80c90981e43ccd7_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2034067"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:0bda3c71be7183afc13247ae55ca2f5b11193a82c8440a883aa73e403b5f77f6_ppc64le",
          "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:74bc681d8c448a4bdff547b3f8119028e904c64c710fb1b5bb4ee016b13c2fdc_s390x",
          "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fef623d868f3c6f16d39f1853e236e52fbdf48f529b8fec4db21301d4fabecd5_amd64"
        ],
        "known_not_affected": [
          "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:5aed9db163e965f2786e00f5cc27e2ae738a5ea400fde65403def07b56f9b44e_amd64",
          "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:49580fc09b09288cd708481e3d2a81e9fdcbd875d23e444a80a54d20165417d1_s390x",
          "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:6628f6ce35760597d9ec97f6c5ffaca403728f0aac44f5d5d7d23f2c0a11911f_amd64",
          "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:ac41da9ee00bb755906009e21df87e586b7565a92f3b716fb99e72d744ef9ffe_ppc64le",
          "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:26cc3b0f2cf973f88251875484958a87c0184a26693385c5801edc0aa87b46ec_amd64",
          "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:a68b9ed7b19e8289de0efce89bf0253b79703b46e4a0b54b7953202fea6f6513_s390x",
          "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:dbd6862307c3a4fc5c5ab67dbafb7be453ba3f1c7e914f2afc25bb817cb24b0e_amd64",
          "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:e0116ef235fda9d4a07f10a9c5e8727daba6a9b7fb1b5aaa9ce5d870539ae1fe_ppc64le",
          "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2144ec2733a579ba4f6ff21f5a733f5ad52068ec7dc54252bbcbf38bdf9bde06_amd64",
          "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:757895d2dc77ffa86176a5a66b07e4a74306513a3b3bde9d66ba41b8a4cc2961_ppc64le",
          "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:c1bb2b5fa69b561e3f65c262059a4784e1ac3d08afc05c1eac109a0b198f65d1_s390x",
          "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:28f20684e4478a2a083039e5554ad364d764d3af9c07529b4c41b1feaed8183c_s390x",
          "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:604e76ac4d6d562991adb4931b94cf499d9c06453c2f82376736ecae18495658_amd64",
          "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cd4cb336303f187cec94043368fd30de9b79932fd29c2909fc08a623e4cc4c51_ppc64le",
          "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:ad2c3d7447af955402d903f83790f88d5f6d29cc523b54933c68d80366e5346e_s390x",
          "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:cf140d111408ed3cf2b245a6953de7fc1e958a1bfe18c430883fd95a612e4e6f_ppc64le",
          "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:dc891c8949a461c01dee41d9fff21a13b7ca9b7521c9be79363549bbf7fd6427_amd64",
          "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:1aac827a9fb85bd9340c887790d9ef3577a77b8105a0f8fcd9897c603354450c_amd64",
          "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:3cfa1f6fbe2374fe7393003f2bb1f1971d962398f7f4924e05837c54d4cacf06_ppc64le",
          "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:43e78035965f037c2d03060de332556fd996f91afef969dba80c90981e43ccd7_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-45105"
        },
        {
          "category": "external",
          "summary": "RHBZ#2034067",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105"
        },
        {
          "category": "external",
          "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230",
          "url": "https://issues.apache.org/jira/browse/LOG4J2-3230"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/log4j/2.x/security.html",
          "url": "https://logging.apache.org/log4j/2.x/security.html"
        },
        {
          "category": "external",
          "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1",
          "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1"
        }
      ],
      "release_date": "2021-12-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-01-10T06:37:56+00:00",
          "details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.1, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html",
          "product_ids": [
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:0bda3c71be7183afc13247ae55ca2f5b11193a82c8440a883aa73e403b5f77f6_ppc64le",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:74bc681d8c448a4bdff547b3f8119028e904c64c710fb1b5bb4ee016b13c2fdc_s390x",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fef623d868f3c6f16d39f1853e236e52fbdf48f529b8fec4db21301d4fabecd5_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:0042"
        },
        {
          "category": "workaround",
          "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.",
          "product_ids": [
            "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:5aed9db163e965f2786e00f5cc27e2ae738a5ea400fde65403def07b56f9b44e_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:49580fc09b09288cd708481e3d2a81e9fdcbd875d23e444a80a54d20165417d1_s390x",
            "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:6628f6ce35760597d9ec97f6c5ffaca403728f0aac44f5d5d7d23f2c0a11911f_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:ac41da9ee00bb755906009e21df87e586b7565a92f3b716fb99e72d744ef9ffe_ppc64le",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:26cc3b0f2cf973f88251875484958a87c0184a26693385c5801edc0aa87b46ec_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:a68b9ed7b19e8289de0efce89bf0253b79703b46e4a0b54b7953202fea6f6513_s390x",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:dbd6862307c3a4fc5c5ab67dbafb7be453ba3f1c7e914f2afc25bb817cb24b0e_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:e0116ef235fda9d4a07f10a9c5e8727daba6a9b7fb1b5aaa9ce5d870539ae1fe_ppc64le",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2144ec2733a579ba4f6ff21f5a733f5ad52068ec7dc54252bbcbf38bdf9bde06_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:757895d2dc77ffa86176a5a66b07e4a74306513a3b3bde9d66ba41b8a4cc2961_ppc64le",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:c1bb2b5fa69b561e3f65c262059a4784e1ac3d08afc05c1eac109a0b198f65d1_s390x",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:0bda3c71be7183afc13247ae55ca2f5b11193a82c8440a883aa73e403b5f77f6_ppc64le",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:74bc681d8c448a4bdff547b3f8119028e904c64c710fb1b5bb4ee016b13c2fdc_s390x",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fef623d868f3c6f16d39f1853e236e52fbdf48f529b8fec4db21301d4fabecd5_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:28f20684e4478a2a083039e5554ad364d764d3af9c07529b4c41b1feaed8183c_s390x",
            "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:604e76ac4d6d562991adb4931b94cf499d9c06453c2f82376736ecae18495658_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cd4cb336303f187cec94043368fd30de9b79932fd29c2909fc08a623e4cc4c51_ppc64le",
            "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:ad2c3d7447af955402d903f83790f88d5f6d29cc523b54933c68d80366e5346e_s390x",
            "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:cf140d111408ed3cf2b245a6953de7fc1e958a1bfe18c430883fd95a612e4e6f_ppc64le",
            "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:dc891c8949a461c01dee41d9fff21a13b7ca9b7521c9be79363549bbf7fd6427_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:1aac827a9fb85bd9340c887790d9ef3577a77b8105a0f8fcd9897c603354450c_amd64",
            "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:3cfa1f6fbe2374fe7393003f2bb1f1971d962398f7f4924e05837c54d4cacf06_ppc64le",
            "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:43e78035965f037c2d03060de332556fd996f91afef969dba80c90981e43ccd7_s390x"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:0bda3c71be7183afc13247ae55ca2f5b11193a82c8440a883aa73e403b5f77f6_ppc64le",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:74bc681d8c448a4bdff547b3f8119028e904c64c710fb1b5bb4ee016b13c2fdc_s390x",
            "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fef623d868f3c6f16d39f1853e236e52fbdf48f529b8fec4db21301d4fabecd5_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern"
    }
  ]
}

cve-2021-45105

Vulnerability from cvelistv5

Published

2021-12-18 11:55

Modified

2024-08-04 04:39

Severity ?

Summary

Apache Log4j2 does not always protect from infinite recursion in lookup evaluation

References

▼	URL	Tags
	https://logging.apache.org/log4j/2.x/security.html	x_refsource_MISC
	https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032	x_refsource_CONFIRM
	https://www.kb.cert.org/vuls/id/930724	third-party-advisory, x_refsource_CERT-VN
	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd	vendor-advisory, x_refsource_CISCO
	http://www.openwall.com/lists/oss-security/2021/12/19/1	mailing-list, x_refsource_MLIST
	https://www.debian.org/security/2021/dsa-5024	vendor-advisory, x_refsource_DEBIAN
	https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-20211218-0001/	x_refsource_CONFIRM
	https://www.zerodayinitiative.com/advisories/ZDI-21-1541/	x_refsource_MISC
	https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf	x_refsource_CONFIRM
	https://www.oracle.com/security-alerts/cpujan2022.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

▼	Vendor	Product
	Apache Software Foundation	Apache Log4j2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:39:20.295Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://logging.apache.org/log4j/2.x/security.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
          },
          {
            "name": "VU#930724",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/930724"
          },
          {
            "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
          },
          {
            "name": "[oss-security] 20211218 CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/12/19/1"
          },
          {
            "name": "DSA-5024",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-5024"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20211218-0001/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1541/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Log4j2",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.13.0",
                  "status": "affected"
                },
                {
                  "at": "2.12.3",
                  "status": "unaffected"
                },
                {
                  "at": "2.4",
                  "status": "affected"
                },
                {
                  "at": "2.3.1",
                  "status": "unaffected"
                },
                {
                  "at": "2.0-alpha1",
                  "status": "affected"
                }
              ],
              "lessThan": "2.17.0",
              "status": "affected",
              "version": "log4j-core",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro\u2019s Zero Day Initiative, and another anonymous vulnerability researcher"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "high"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:41:57",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://logging.apache.org/log4j/2.x/security.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
        },
        {
          "name": "VU#930724",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "https://www.kb.cert.org/vuls/id/930724"
        },
        {
          "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
        },
        {
          "name": "[oss-security] 20211218 CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/12/19/1"
        },
        {
          "name": "DSA-5024",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-5024"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20211218-0001/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1541/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "source": {
        "defect": [
          "LOG4J2-3230"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Apache Log4j2 does not always protect from infinite recursion in lookup evaluation",
      "workarounds": [
        {
          "lang": "en",
          "value": "Implement one of the following mitigation techniques:\n\n* Java 8 (or later) users should upgrade to release 2.17.0.\n\nAlternatively, this can be mitigated in configuration:\n\n* In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC).\n* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate \nfrom sources external to the application such as HTTP headers or user input."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-45105",
          "STATE": "PUBLIC",
          "TITLE": "Apache Log4j2 does not always protect from infinite recursion in lookup evaluation"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Log4j2",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "log4j-core",
                            "version_value": "2.17.0"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "log4j-core",
                            "version_value": "2.13.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "log4j-core",
                            "version_value": "2.12.3"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "log4j-core",
                            "version_value": "2.4"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "log4j-core",
                            "version_value": "2.3.1"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "log4j-core",
                            "version_value": "2.0-alpha1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro\u2019s Zero Day Initiative, and another anonymous vulnerability researcher"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "high"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20 Improper Input Validation"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-674: Uncontrolled Recursion"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://logging.apache.org/log4j/2.x/security.html",
              "refsource": "MISC",
              "url": "https://logging.apache.org/log4j/2.x/security.html"
            },
            {
              "name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032",
              "refsource": "CONFIRM",
              "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"
            },
            {
              "name": "VU#930724",
              "refsource": "CERT-VN",
              "url": "https://www.kb.cert.org/vuls/id/930724"
            },
            {
              "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
            },
            {
              "name": "[oss-security] 20211218 CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/12/19/1"
            },
            {
              "name": "DSA-5024",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-5024"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20211218-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20211218-0001/"
            },
            {
              "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-1541/",
              "refsource": "MISC",
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1541/"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        },
        "source": {
          "defect": [
            "LOG4J2-3230"
          ],
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Implement one of the following mitigation techniques:\n\n* Java 8 (or later) users should upgrade to release 2.17.0.\n\nAlternatively, this can be mitigated in configuration:\n\n* In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC).\n* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate \nfrom sources external to the application such as HTTP headers or user input."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-45105",
    "datePublished": "2021-12-18T11:55:08",
    "dateReserved": "2021-12-16T00:00:00",
    "dateUpdated": "2024-08-04T04:39:20.295Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted