parfait:0.5 security update
Errata ID: AXSA:2022-3020:01
The following issues have been addressed.
[Security Fix]
- Log4j's JMSAppender is vulnerable to deserialization of untrusted data: an attacker with write access to the Log4j configuration can set TopicBindingName and TopicConnectionFactoryBindingName so that JMSAppender performs JNDI requests, resulting in remote code execution. (CVE-2021-4104)
- JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration, or when that configuration references an LDAP server the attacker has write access to; the attacker can make JMSSink perform JNDI requests through TopicConnectionFactoryBindingName, resulting in remote code execution as in CVE-2021-4104. (CVE-2022-23302)
- By design, Log4j's JDBCAppender accepts as a configuration parameter an SQL statement whose inserted values are PatternLayout converters. Because the message converter "%m" is likely to always be included, an attacker can enter a crafted string into an application input field or header that gets logged, manipulate the SQL, and cause unintended SQL queries to be executed. (CVE-2022-23305)
- Chainsaw, a component of Log4j, has the deserialization issue described in CVE-2020-9493, allowing malicious code to be executed. (CVE-2022-23307)
Modularity name: parfait
Stream name: 0.5
Please update the packages.
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
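The CVE-2022-23305 failure mode, reproduced in Python as an added example (this is not code from the advisory or from Log4j). It mimics what Log4j 1.2's JDBCAppender does with its configured `sql` parameter: the statement is rendered through PatternLayout-style substitution, with `%m` replaced by the raw log message, and then executed. The `LOGS` and `USERS` tables, the `sql` string and the logged header value are constructed for the demonstration; the parameterized variant is the hardened form a practitioner would want instead.

```python
"""JDBCAppender-style SQL construction, vulnerable and parameterized forms."""
import sqlite3

# Constructed 'sql' parameter in the style of a log4j.properties JDBCAppender.
VULNERABLE_SQL = ("INSERT INTO LOGS (level, logger, message) "
                  "VALUES ('%p', '%c', '%m')")

# Attacker-controlled input, e.g. a request header the application logs (constructed).
INJECTION = "x' || (SELECT api_key FROM USERS LIMIT 1) || '"


def render_pattern(sql, level, logger, message):
    """Mimic PatternLayout: substitute conversion characters verbatim, no escaping.
    %m is substituted last so that text inside the message is not re-expanded."""
    return sql.replace("%p", level).replace("%c", logger).replace("%m", message)


def new_db():
    """In-memory database with a log table and a constructed sensitive table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LOGS (level TEXT, logger TEXT, message TEXT)")
    conn.execute("CREATE TABLE USERS (name TEXT, api_key TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('svc', 'key-0000-constructed')")
    return conn


def log_vulnerable(conn, level, logger, message):
    """As Log4j 1.2 JDBCAppender: format the whole statement, then execute it."""
    conn.execute(render_pattern(VULNERABLE_SQL, level, logger, message))


def log_parameterized(conn, level, logger, message):
    """Hardened form: fixed SQL with bound parameters; the message is data, not SQL."""
    conn.execute("INSERT INTO LOGS (level, logger, message) VALUES (?, ?, ?)",
                 (level, logger, message))


def stored_messages(conn):
    return [row[0] for row in conn.execute("SELECT message FROM LOGS ORDER BY rowid")]


def demo_vulnerable():
    """The injected subquery runs and the USERS secret lands in the log row."""
    conn = new_db()
    log_vulnerable(conn, "INFO", "web.auth", "login failed for user alice")
    log_vulnerable(conn, "INFO", "web.auth", INJECTION)
    return stored_messages(conn)


def demo_parameterized():
    """Same inputs through bound parameters: the payload is stored literally."""
    conn = new_db()
    log_parameterized(conn, "INFO", "web.auth", "login failed for user alice")
    log_parameterized(conn, "INFO", "web.auth", INJECTION)
    return stored_messages(conn)


def demo_breaks_logging():
    """A single quote in an ordinary message turns the rendered statement into invalid SQL."""
    conn = new_db()
    try:
        log_vulnerable(conn, "INFO", "web.auth", "O'Brien logged in")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("parameterized:", demo_parameterized())
    print("quote breaks logging:", demo_breaks_logging())
```

The vulnerable path needs no stacked statements: a subquery inside a string concatenation is a single INSERT, so it works regardless of whether the JDBC driver permits multiple statements per call. The parameterized path corresponds to what the Log4j 2 JDBCAppender re-introduced, as the advisory notes.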
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists.
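Each of the descriptions above notes that the issue only applies when Log4j 1.x is specifically configured to use the appender in question, which is not the default. The following added example (not part of the advisory or of the parfait project) scans a `log4j.properties` or `log4j.xml` file for the JMSAppender and JDBCAppender classes and reports the parameters that matter: whether the JMS binding names are set, and whether the JDBC `sql` string includes `%m`. The two sample configurations and the `com.example` class names in them are constructed. JMSSink (CVE-2022-23302) and Chainsaw (CVE-2022-23307) are run as separate programs rather than configured as appenders, so a configuration scan does not cover them.

```python
"""Find Log4j 1.x appender configurations affected by this advisory."""
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
JDBC_APPENDER = "org.apache.log4j.jdbc.JDBCAppender"
RISKY_APPENDERS = {JMS_APPENDER: "CVE-2021-4104", JDBC_APPENDER: "CVE-2022-23305"}
JMS_PARAMS = ("TopicBindingName", "TopicConnectionFactoryBindingName")

# Constructed sample in log4j.properties format.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, console, jms, db
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.example.ConstructedCtxFactory
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.sql=INSERT INTO LOGS VALUES ('%d', '%p', '%c', '%m')
"""

# Constructed sample in log4j.xml format.
SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="file" class="org.apache.log4j.FileAppender">
    <param name="File" value="app.log"/>
  </appender>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="InitialContextFactoryName" value="com.example.ConstructedCtxFactory"/>
    <param name="TopicConnectionFactoryBindingName" value="ConnectionFactory"/>
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
</log4j:configuration>
"""


def scan_properties(text):
    """Collect appender classes and their parameters from a log4j.properties file."""
    appenders, params = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not key.startswith("log4j.appender."):
            continue
        # log4j.appender.<name> is the class; log4j.appender.<name>.<param> is a setting.
        name, dot, param = key[len("log4j.appender."):].partition(".")
        if dot:
            params[(name, param)] = value
        else:
            appenders[name] = value
    return report(appenders, params)


def scan_xml(text):
    """Collect appender classes and <param> values from a log4j.xml file."""
    appenders, params = {}, {}
    for app in ET.fromstring(text).iter("appender"):
        name = app.get("name")
        appenders[name] = app.get("class")
        for p in app.findall("param"):
            params[(name, p.get("name"))] = p.get("value", "")
    return report(appenders, params)


def report(appenders, params):
    """Return (appender name, class, CVE, detail) for each affected appender."""
    findings = []
    for name, cls in appenders.items():
        cve = RISKY_APPENDERS.get(cls)
        if cve is None:
            continue
        if cls == JDBC_APPENDER:
            sql = params.get((name, "sql"), "")
            detail = "sql uses %m" if "%m" in sql else "sql does not use %m"
        else:
            present = [p for p in JMS_PARAMS if (name, p) in params]
            detail = "configured: " + (", ".join(present) or "none")
        findings.append((name, cls, cve, detail))
    return findings


if __name__ == "__main__":
    for finding in scan_properties(SAMPLE_PROPERTIES) + scan_xml(SAMPLE_XML):
        print("%s (%s): %s, %s" % finding)
```

A hit for JDBCAppender with `%m` in the statement is the exact condition CVE-2022-23305 describes; a hit for JMSAppender is only exploitable if someone can write the configuration, so the finding is a prompt to review who can modify that file, not proof of compromise.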
N/A
SRPMS
- parfait-0.5.4-4.module+el8+1388+1461ecb0.src.rpm
MD5: 68eee10f6b8f8fb64a1d3bbc22f26355
SHA-256: aab300b9d5450c5d8f1b76121309c29c6b660aaefac5742fbcd9fc2b0adacd6e
Size: 657.48 kB
- si-units-0.6.5-2.module+el8+1388+1461ecb0.src.rpm
MD5: 622c9afa18519c69d69278b42df86865
SHA-256: 21e73c1adea9a42dc4a4a513516d92f489db392ab2ccb1eac71496646d34044c
Size: 46.79 kB
- unit-api-1.0-5.module+el8+1388+1461ecb0.src.rpm
MD5: 3c272decf8aafe74ca34e0aaa143870b
SHA-256: 403936a328f1a42b72fb4a5d41770b25c634c0ba5f9387b944db8a9b6e4eb5ce
Size: 86.34 kB
- uom-lib-1.0.1-6.module+el8+1388+1461ecb0.src.rpm
MD5: 778c671f1a6c8e91f3b16adcc8c23c3c
SHA-256: ad32bfd5b3e030cac872f14ca1f1c9ac8739b2b3f23e1694bf7e65b278ee8d46
Size: 17.71 kB
- uom-parent-1.0.3-3.module+el8+1388+1461ecb0.src.rpm
MD5: 023e1c09e9cf94c6a20c690012655522
SHA-256: 9a4afbcd222d7031aa20d19f993823d5b30a447375cba14c896488c4c3df572e
Size: 12.59 kB
- uom-se-1.0.4-3.module+el8+1388+1461ecb0.src.rpm
MD5: ff6c6ae774a8d7b4b10cbe78a67efec1
SHA-256: 0d5544f5ef1384a5d88243add269498a8adde194c224ce1993c513ebe2c31de6
Size: 132.21 kB
- uom-systems-0.7-1.module+el8+1388+1461ecb0.src.rpm
MD5: 81c5cd22699d89e6627a902e20120677
SHA-256: 715292c2075391ff23995d22b7d7c90b088fce246e0bd0ffa9ec9339fe4c2d7e
Size: 184.82 kB
Asianux Server 8 for x86_64
- parfait-0.5.4-4.module+el8+1388+1461ecb0.noarch.rpm
MD5: af88e9c2f40d226a72b62ace8ac1a0d5
SHA-256: f1dcb87977e1aca145f94d4d64ab8c258fb6a68d7314146f2ab053253648658c
Size: 202.17 kB
- parfait-examples-0.5.4-4.module+el8+1388+1461ecb0.noarch.rpm
MD5: 08c193adaa24fe872365249b250050e8
SHA-256: 5635d17e2877093809899bb24517425a9583c99195e00fe96b2a5e71f05ba708
Size: 10.48 MB
- parfait-javadoc-0.5.4-4.module+el8+1388+1461ecb0.noarch.rpm
MD5: d772e462065158cde33ccc65a408bced
SHA-256: 1981dc69775a7cfb61d952e5016391855bfc57bf5fc6996595de617a1c0af54c
Size: 221.00 kB
- pcp-parfait-agent-0.5.4-4.module+el8+1388+1461ecb0.noarch.rpm
MD5: 095b4327dbc89d843a3f83e2aa5aceee
SHA-256: 079b2dac955e000138ba4518874c1a2a1773698ec2bc639028aa9bd94cd57662
Size: 4.50 MB
- si-units-0.6.5-2.module+el8+1388+1461ecb0.noarch.rpm
MD5: a4b0c67bc76f458095dc2399630d2c7a
SHA-256: 8d851ad3d99fd7b152c7da3e8640db8a496de4ed68c998a805acc690f25035ac
Size: 30.32 kB
- si-units-javadoc-0.6.5-2.module+el8+1388+1461ecb0.noarch.rpm
MD5: 37573d8e803609227002f3dd4d15174c
SHA-256: 668703f7c5be4abe6359a85ed1dc812c1920fc45bab0678471da61cb43111beb
Size: 56.15 kB
- unit-api-1.0-5.module+el8+1388+1461ecb0.noarch.rpm
MD5: fd433578091165c029d6673fbbd64b33
SHA-256: bd2a3920feff2968b0f6993d9abedae10922d5a636a43fa390e1f9e934a6ad5c
Size: 28.37 kB
- unit-api-javadoc-1.0-5.module+el8+1388+1461ecb0.noarch.rpm
MD5: 5e132e07bd1b34cab22b73aeba6bb33a
SHA-256: 90a07cfac21bf5b8ba6b9b57a2bae9e1cf1bc37cea4aae7a1fab96cdfc6c1e9e
Size: 72.09 kB
- uom-lib-1.0.1-6.module+el8+1388+1461ecb0.noarch.rpm
MD5: 935e59e6cfdd866334106113996adc8f
SHA-256: d5caff935c6078d362d94cbe67a1ccc7523697bfaee98baeb701e5ffbc967b46
Size: 18.59 kB
- uom-lib-javadoc-1.0.1-6.module+el8+1388+1461ecb0.noarch.rpm
MD5: f7bfa689c476cb88cd5979d5a770b18f
SHA-256: df8bad2099e10fea75315b7f04da3f75d6351d27cf247d4682293bb1fb04957f
Size: 37.39 kB
- uom-parent-1.0.3-3.module+el8+1388+1461ecb0.noarch.rpm
MD5: d501a1baf1496181f508358bfe0b8ef4
SHA-256: 94e27b26e795439b4ab89e00ff21f6c786f3dad79c1aa3c1f03830a498d6e004
Size: 12.84 kB
- uom-se-1.0.4-3.module+el8+1388+1461ecb0.noarch.rpm
MD5: 8013ab2c362c89b257a51e3c22c46487
SHA-256: 99431cb6074b39edd662c9d624a588e521cdec3440d8b618260307d58178c67b
Size: 202.55 kB
- uom-se-javadoc-1.0.4-3.module+el8+1388+1461ecb0.noarch.rpm
MD5: 795988bb530685d48a5acf0f655911d2
SHA-256: d58a04a90b2dd828c462842b4437e4c820927f0d1545ee2afacb43be39a341ae
Size: 214.21 kB
- uom-systems-0.7-1.module+el8+1388+1461ecb0.noarch.rpm
MD5: 762f2847301d3e1c8c73f6c247ef4115
SHA-256: ccb0cb815275eb059b2dd07526d80bf93a2402417cef27e34c39da3344efa7d6
Size: 116.82 kB
- uom-systems-javadoc-0.7-1.module+el8+1388+1461ecb0.noarch.rpm
MD5: 521b751a0c0f99f7d2ff693c15f9b189
SHA-256: 746b418f3ed456d926ca52f9a301d640cedde4286b81ac8b6a1feed527dca868
Size: 120.91 kB