Risk | Critical |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2021-45046, CVE-2021-44228 |
CWE-ID | CWE-94 |
Exploitation vector | Network |
Public exploit | Vulnerability #1 is being exploited in the wild. Vulnerability #2 is being exploited in the wild. |
Vulnerable software | openEuler (operating system); packages: wildfly-core-javadoc, wildfly-core-feature-pack, infinispan-help, datanucleus-rdbms-javadoc, datanucleus-core-javadoc, datanucleus-api-jdo-javadoc, avalon-logkit-help, avalon-framework-help, HikariCP-help, thrift-qt, thrift-glib, thrift-devel, thrift-debugsource, python3-thrift, perl-thrift, libthrift-java, springframework-web, springframework-tx, springframework-oxm, springframework-orm-hibernate4, springframework-orm, springframework-jms, springframework-jdbc, springframework-instrument, springframework-help, springframework-expression, springframework-context, springframework-beans, springframework-aop, netty-help, mx4j-manual, mx4j-javadoc, metrics-servlets, metrics-servlet, metrics-parent, metrics-logback, metrics-log4j2, metrics-log4j, metrics-jvm, metrics-json, metrics-jersey2, metrics-jdbi, metrics-javadoc, metrics-httpclient, metrics-httpasyncclient, metrics-healthchecks, metrics-graphite, metrics-ganglia, metrics-ehcache, metrics-doc, metrics-benchmarks, metrics-annotation, json-lib-help, jenkins-json-lib, jgroups-help, jboss-logging-javadoc, jboss-logging, log4j-bom, log4j-jmx-gui, log4j-web, log4j-jcl, log4j-taglib, log4j-help, log4j-nosql, log4j-slf4j, apache-zookeeper, wildfly-core, infinispan, datanucleus-rdbms, datanucleus-core, datanucleus-api-jdo, avalon-logkit, avalon-framework, HikariCP, thrift, springframework, netty, mx4j, metrics, json-lib, jgroups, log4j |
Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU58976
Risk: High
CVSSv4.0: 9.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2021-45046
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to an incomplete patch in Apache Log4j 2.15.0 for the code injection vulnerability #VU58816 (CVE-2021-44228) in certain non-default configurations. A remote attacker with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), can pass malicious data using a JNDI Lookup pattern and perform a denial of service (DoS) attack, exfiltrate data or execute arbitrary code.
Later research demonstrated remote code execution on macOS but not in the other tested environments.
Mitigation: Install updates from the vendor's repository.
Vulnerable software versions
openEuler: 20.03 LTS SP1 - 20.03 LTS SP2
wildfly-core-javadoc: before 2.2.0-2
wildfly-core-feature-pack: before 2.2.0-2
infinispan-help: before 8.2.4-9
datanucleus-rdbms-javadoc: before 3.2.13-2
datanucleus-core-javadoc: before 3.2.15-2
datanucleus-api-jdo-javadoc: before 3.2.8-2
avalon-logkit-help: before 2.1-33
avalon-framework-help: before 4.3-23
HikariCP-help: before 2.4.3-5
thrift-qt: before 0.14.0-4
thrift-glib: before 0.14.0-4
thrift-devel: before 0.14.0-4
thrift-debugsource: before 0.14.0-4
python3-thrift: before 0.14.0-4
perl-thrift: before 0.14.0-4
libthrift-java: before 0.14.0-4
springframework-web: before 3.2.18-9
springframework-tx: before 3.2.18-9
springframework-oxm: before 3.2.18-9
springframework-orm-hibernate4: before 3.2.18-9
springframework-orm: before 3.2.18-9
springframework-jms: before 3.2.18-9
springframework-jdbc: before 3.2.18-9
springframework-instrument: before 3.2.18-9
springframework-help: before 3.2.18-9
springframework-expression: before 3.2.18-9
springframework-context: before 3.2.18-9
springframework-beans: before 3.2.18-9
springframework-aop: before 3.2.18-9
netty-help: before 4.1.13-14
mx4j-manual: before 3.0.1-2
mx4j-javadoc: before 3.0.1-2
metrics-servlets: before 3.1.2-2
metrics-servlet: before 3.1.2-2
metrics-parent: before 3.1.2-2
metrics-logback: before 3.1.2-2
metrics-log4j2: before 3.1.2-2
metrics-log4j: before 3.1.2-2
metrics-jvm: before 3.1.2-2
metrics-json: before 3.1.2-2
metrics-jersey2: before 3.1.2-2
metrics-jdbi: before 3.1.2-2
metrics-javadoc: before 3.1.2-2
metrics-httpclient: before 3.1.2-2
metrics-httpasyncclient: before 3.1.2-2
metrics-healthchecks: before 3.1.2-2
metrics-graphite: before 3.1.2-2
metrics-ganglia: before 3.1.2-2
metrics-ehcache: before 3.1.2-2
metrics-doc: before 3.1.2-2
metrics-benchmarks: before 3.1.2-2
metrics-annotation: before 3.1.2-2
json-lib-help: before 2.4-18
jenkins-json-lib: before 2.4-18
jgroups-help: before 3.6.10-7
jboss-logging-javadoc: before 3.3.0-6
jboss-logging: before 3.3.0-6
log4j-bom: before 2.13.2-3
log4j-jmx-gui: before 2.13.2-3
log4j-web: before 2.13.2-3
log4j-jcl: before 2.13.2-3
log4j-taglib: before 2.13.2-3
log4j-help: before 2.13.2-3
log4j-nosql: before 2.13.2-3
log4j-slf4j: before 2.13.2-3
apache-zookeeper: before 3.6.1-2.3
wildfly-core: before 2.2.0-2
infinispan: before 8.2.4-9
datanucleus-rdbms: before 3.2.13-2
datanucleus-core: before 3.2.15-2
datanucleus-api-jdo: before 3.2.8-2
avalon-logkit: before 2.1-33
avalon-framework: before 4.3-23
HikariCP: before 2.4.3-5
thrift: before 0.14.0-4
springframework: before 3.2.18-9
netty: before 4.1.13-14
mx4j: before 3.0.1-2
metrics: before 3.1.2-2
json-lib: before 2.4-18
jgroups: before 3.6.10-7
log4j: before 2.13.2-3
CPE2.3
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1467
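As an added triage example (not part of the bulletin and not openEuler tooling), the following Python compares installed openEuler package version-release strings against the fixed versions listed above, using a simplified rpmvercmp. The sample inventory is constructed, and rpm's tilde/caret pre-release rules are assumed not to occur in these version strings.

```python
import re

# Alphanumeric segments; everything else (".", "_", etc.) only separates them.
SEGMENT = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b (assumes no ~ or ^)."""
    sa, sb = SEGMENT.findall(a), SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):               # numeric compare drops leading zeros
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment beats an alpha one
        elif x != y:
            return -1 if x < y else 1          # both alpha: plain string order
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1      # whichever has segments left over wins

def split_vr(vr: str) -> tuple[str, str]:
    """'3.6.1-2.3' -> ('3.6.1', '2.3'); a bare version gets an empty release."""
    version, sep, release = vr.rpartition("-")
    return (version, release) if sep else (release, "")

def compare_vr(a: str, b: str) -> int:
    """Compare the version part first, then the release part, as rpm does."""
    va, ra = split_vr(a)
    vb, rb = split_vr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# First fixed version-release per package, copied from the bulletin above.
FIXED_IN = {
    "log4j": "2.13.2-3", "apache-zookeeper": "3.6.1-2.3", "thrift": "0.14.0-4",
    "springframework": "3.2.18-9", "netty": "4.1.13-14", "metrics": "3.1.2-2",
}

def affected_packages(installed: dict[str, str]) -> list[str]:
    """Names of installed packages whose version-release predates the fix."""
    return sorted(name for name, vr in installed.items()
                  if name in FIXED_IN and compare_vr(vr, FIXED_IN[name]) < 0)

# Constructed sample inventory (not taken from the page), e.g. the output of
# `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` parsed into a dict.
SAMPLE_INVENTORY = {
    "log4j": "2.13.2-2", "thrift": "0.14.0-3",              # behind the fix -> affected
    "apache-zookeeper": "3.6.1-2.3", "netty": "4.1.13-14",  # fixed builds -> clean
    "bash": "5.0-10",                                       # not in the bulletin -> ignored
}
print(affected_packages(SAMPLE_INVENTORY))  # -> ['log4j', 'thrift']
```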
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU58816
Risk: Critical
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: CVE-2021-44228
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when processing LDAP requests. A remote attacker can send a specially crafted request to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Note, we are aware of attackers exploiting the vulnerability in the wild.
Mitigation: Install updates from the vendor's repository.
Vulnerable software versions
openEuler: 20.03 LTS SP1 - 20.03 LTS SP2
wildfly-core-javadoc: before 2.2.0-2
wildfly-core-feature-pack: before 2.2.0-2
infinispan-help: before 8.2.4-9
datanucleus-rdbms-javadoc: before 3.2.13-2
datanucleus-core-javadoc: before 3.2.15-2
datanucleus-api-jdo-javadoc: before 3.2.8-2
avalon-logkit-help: before 2.1-33
avalon-framework-help: before 4.3-23
HikariCP-help: before 2.4.3-5
thrift-qt: before 0.14.0-4
thrift-glib: before 0.14.0-4
thrift-devel: before 0.14.0-4
thrift-debugsource: before 0.14.0-4
python3-thrift: before 0.14.0-4
perl-thrift: before 0.14.0-4
libthrift-java: before 0.14.0-4
springframework-web: before 3.2.18-9
springframework-tx: before 3.2.18-9
springframework-oxm: before 3.2.18-9
springframework-orm-hibernate4: before 3.2.18-9
springframework-orm: before 3.2.18-9
springframework-jms: before 3.2.18-9
springframework-jdbc: before 3.2.18-9
springframework-instrument: before 3.2.18-9
springframework-help: before 3.2.18-9
springframework-expression: before 3.2.18-9
springframework-context: before 3.2.18-9
springframework-beans: before 3.2.18-9
springframework-aop: before 3.2.18-9
netty-help: before 4.1.13-14
mx4j-manual: before 3.0.1-2
mx4j-javadoc: before 3.0.1-2
metrics-servlets: before 3.1.2-2
metrics-servlet: before 3.1.2-2
metrics-parent: before 3.1.2-2
metrics-logback: before 3.1.2-2
metrics-log4j2: before 3.1.2-2
metrics-log4j: before 3.1.2-2
metrics-jvm: before 3.1.2-2
metrics-json: before 3.1.2-2
metrics-jersey2: before 3.1.2-2
metrics-jdbi: before 3.1.2-2
metrics-javadoc: before 3.1.2-2
metrics-httpclient: before 3.1.2-2
metrics-httpasyncclient: before 3.1.2-2
metrics-healthchecks: before 3.1.2-2
metrics-graphite: before 3.1.2-2
metrics-ganglia: before 3.1.2-2
metrics-ehcache: before 3.1.2-2
metrics-doc: before 3.1.2-2
metrics-benchmarks: before 3.1.2-2
metrics-annotation: before 3.1.2-2
json-lib-help: before 2.4-18
jenkins-json-lib: before 2.4-18
jgroups-help: before 3.6.10-7
jboss-logging-javadoc: before 3.3.0-6
jboss-logging: before 3.3.0-6
log4j-bom: before 2.13.2-3
log4j-jmx-gui: before 2.13.2-3
log4j-web: before 2.13.2-3
log4j-jcl: before 2.13.2-3
log4j-taglib: before 2.13.2-3
log4j-help: before 2.13.2-3
log4j-nosql: before 2.13.2-3
log4j-slf4j: before 2.13.2-3
apache-zookeeper: before 3.6.1-2.3
wildfly-core: before 2.2.0-2
infinispan: before 8.2.4-9
datanucleus-rdbms: before 3.2.13-2
datanucleus-core: before 3.2.15-2
datanucleus-api-jdo: before 3.2.8-2
avalon-logkit: before 2.1-33
avalon-framework: before 4.3-23
HikariCP: before 2.4.3-5
thrift: before 0.14.0-4
springframework: before 3.2.18-9
netty: before 4.1.13-14
mx4j: before 3.0.1-2
metrics: before 3.1.2-2
json-lib: before 2.4-18
jgroups: before 3.6.10-7
log4j: before 2.13.2-3
CPE2.3
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1467
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.