===================================================================                            CERT-Renater

                  Note d'Information No. 2021/VULN652
_____________________________________________________________________

DATE                : 15/12/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running log4j-api (maven) versions prior
                                     to 2.16.0.

====================================================================https://github.com/advisories/GHSA-7rjr-3q55-vv33
_____________________________________________________________________


Incomplete fix for Apache Log4j vulnerability
moderate severity  GitHub Reviewed  Published Dec 14, 2021 •
Updated Dec 16, 2021


Vulnerability details

Package
org.apache.logging.log4j:log4j-api (maven)

Affected versions
< 2.16.0

Patched versions
2.16.0

Package
org.apache.logging.log4j:log4j-core (maven)

Affected versions
< 2.16.0

Patched versions
2.16.0


Description

Impact

The fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete
in certain non-default configurations. This could allow attackers with
control over Thread Context Map (MDC) input data when the logging
configuration uses a non-default Pattern Layout with either a Context
Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern
(%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup
pattern resulting in a denial of service (DOS) attack.


Mitigation

Log4j 2.16.0 fixes this issue by removing support for message lookup
patterns and disabling JNDI functionality by default. This issue can be
mitigated in prior releases (< 2.16.0) by removing the JndiLookup class
from the classpath (example: zip -q -d log4j-core-*.jar org/apache
/logging/log4j/core/lookup/JndiLookup.class).

Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note
that previous mitigations involving configuration such as to set the
system property log4j2.formatMsgNoLookups to true do NOT mitigate this
specific vulnerability.


References

     https://nvd.nist.gov/vuln/detail/CVE-2021-45046
     GHSA-jfh8-c2jp-5v3q
     https://logging.apache.org/log4j/2.x/security.html
     https://www.openwall.com/lists/oss-security/2021/12/14/4
     https://www.cve.org/CVERecord?id=CVE-2021-44228
     http://www.openwall.com/lists/oss-security/2021/12/14/4

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
     http://www.openwall.com/lists/oss-security/2021/12/15/3


CVE ID
CVE-2021-45046


CWEs
CWE-502


========================================================+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=======================================================