log4j-1.2.14-6.4.0.1.AXS4

Errata ID: AXSA:2021-2880:02

Release date: 
Monday, December 27, 2021 - 17:07
Subject: 
log4j-1.2.14-6.4.0.1.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
Moderate
Description: 

Log4j is a tool to help the programmer output log statements to a variety of
output targets.

Security Fix(es):

* log4j: Remote code execution in Log4j 1.x when application is configured to
use JMSAppender (CVE-2021-4104)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when
the attacker has write access to the Log4j configuration. The attacker can
provide TopicBindingName and TopicConnectionFactoryBindingName configurations
causing JMSAppender to perform JNDI requests that result in remote code
execution in a similar fashion to CVE-2021-44228. Note this issue only affects
Log4j 1.2 when specifically configured to use JMSAppender, which is not the
default. Apache Log4j 1.2 reached end of life in August 2015. Users should
upgrade to Log4j 2 as it addresses numerous other issues from the previous
versions.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. log4j-1.2.14-6.4.0.1.AXS4.src.rpm
    MD5: b2df6d665b411f950284a029b949019f
    SHA-256: eb3dee278620bf49fe81e8eda0159711b136f65d1205c1707c5ce03c77ceca86
    Size: 2.66 MB

Asianux Server 4 for x86
  1. log4j-1.2.14-6.4.0.1.AXS4.i686.rpm
    MD5: 5654862aadda2cbfce16b123c09af445
    SHA-256: 63e4b570b324f13bbba75d6d2ccc94955b34d1aed4d6d9eeb5c6b742f0eea436
    Size: 603.89 kB

Asianux Server 4 for x86_64
  1. log4j-1.2.14-6.4.0.1.AXS4.x86_64.rpm
    MD5: c2f71af8ef19e70ba08312dcd6e88038
    SHA-256: b01c2b797a4dadce200aefc8db94226000e432eff0e2ce55ed39b0d886b369c4
    Size: 678.56 kB