log4j-1.2.17-17.0.1.el7.AXS7

Errata ID: AXSA:2021-2848:01

Release date: Wednesday, December 22, 2021 - 11:52
Subject: log4j-1.2.17-17.0.1.el7.AXS7
Affected Channels: Asianux Server 7 for x86_64
Severity: High
Description: 

Log4j is a tool to help the programmer output log statements to a variety of
output targets.

Security Fix(es):

* log4j: Remote code execution in Log4j 1.x when application is configured to
use JMSAppender (CVE-2021-4104)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when
the attacker has write access to the Log4j configuration. The attacker can
provide TopicBindingName and TopicConnectionFactoryBindingName configurations
causing JMSAppender to perform JNDI requests that result in remote code
execution in a similar fashion to CVE-2021-44228. Note this issue only affects
Log4j 1.2 when specifically configured to use JMSAppender, which is not the
default. Apache Log4j 1.2 reached end of life in August 2015. Users should
upgrade to Log4j 2 as it addresses numerous other issues from the previous
versions.
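As an added defender-side example (not part of this errata or of the Log4j project), the following Python script parses a log4j.properties file, reports every appender whose class is org.apache.log4j.net.JMSAppender, lists which of the two JNDI binding properties named above it sets, and notes whether any logger actually references it. The sample configuration, file paths and JNDI names are constructed for the example.

```python
"""Report Log4j 1.x JMSAppender configurations relevant to CVE-2021-4104."""
import re
from typing import Dict, List, Set

# Constructed sample log4j.properties: a benign file appender plus a JMSAppender
# whose JNDI binding names are supplied by the configuration file itself.
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, FILE, JMS
log4j.appender.FILE=org.apache.log4j.FileAppender
log4j.appender.FILE.File=/var/log/app.log
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.InitialContextFactoryName=org.example.jndi.InitialContextFactory
log4j.appender.JMS.ProviderURL=tcp://localhost:61616
log4j.appender.JMS.TopicBindingName=logTopic
log4j.appender.JMS.TopicConnectionFactoryBindingName=ConnectionFactory
"""

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
JNDI_PROPERTIES = ("TopicBindingName", "TopicConnectionFactoryBindingName")
_APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)(?:\.([^=\s]+))?\s*=\s*(.*)$")
_LOGGER_RE = re.compile(r"^log4j\.(?:rootLogger|logger\.[^=\s]+)\s*=\s*(.*)$")

def parse_appenders(text: str) -> Dict[str, Dict[str, str]]:
    """Map appender name -> {"class": ..., <property lowercased>: value}."""
    appenders: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        m = _APPENDER_RE.match(line)
        if m:
            name, prop, value = m.groups()
            entry = appenders.setdefault(name, {})
            # Property names are compared case-insensitively (conservative assumption).
            entry["class" if prop is None else prop.lower()] = value.strip()
    return appenders

def referenced_appenders(text: str) -> Set[str]:
    """Appender names listed after the level on any rootLogger/logger line."""
    refs: Set[str] = set()
    for raw in text.splitlines():
        m = _LOGGER_RE.match(raw.strip())
        if m:
            refs.update(p.strip() for p in m.group(1).split(",")[1:])
    return refs

def find_jms_appenders(text: str) -> List[Dict[str, object]]:
    """One finding per JMSAppender: its JNDI properties and whether a logger uses it."""
    active = referenced_appenders(text)
    return [
        {"appender": name, "active": name in active,
         "jndi_properties": {p: props[p.lower()] for p in JNDI_PROPERTIES if p.lower() in props}}
        for name, props in parse_appenders(text).items()
        if props.get("class") == JMS_APPENDER_CLASS
    ]

if __name__ == "__main__":
    for f in find_jms_appenders(SAMPLE_CONFIG):
        print(f"JMSAppender '{f['appender']}' active={f['active']} jndi={f['jndi_properties']}")
```

A finding here means the non-default JMSAppender path described above is in use, so the host should be confirmed updated and the configuration file's write permissions reviewed.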

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. log4j-1.2.17-17.0.1.el7.AXS7.src.rpm
    MD5: c68bcd11a08931f1613eee76d1005ec2
    SHA-256: d000125009c9860ad51f181a4fb16f80093e4886151c3353590d47354bfce097
    Size: 2.74 MB

Asianux Server 7 for x86_64
  1. log4j-1.2.17-17.0.1.el7.AXS7.noarch.rpm
    MD5: 110d84876c6603875492d53ce50e2499
    SHA-256: 458662831d0e105bb57fba2b34018486d77fc8c9403958da1b2629fbb9210643
    Size: 443.51 kB