| Field | Value |
| --- | --- |
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2021-44832 |
| CWE-ID | CWE-94 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software | openEuler (Operating systems & Components / Operating system); packages (Operating systems & Components / Operating system package or component): metrics-servlets, metrics-servlet, metrics-parent, metrics-logback, metrics-log4j2, metrics-log4j, metrics-jvm, metrics-json, metrics-jersey2, metrics-jdbi, metrics-javadoc, metrics-httpclient, metrics-httpasyncclient, metrics-healthchecks, metrics-graphite, metrics-ganglia, metrics-ehcache, metrics-doc, metrics-benchmarks, metrics-annotation, HikariCP-help, datanucleus-api-jdo-javadoc, avalon-logkit-help, infinispan-help, jboss-logging-javadoc, jboss-logging, mx4j-manual, mx4j-javadoc, jgroups-help, datanucleus-core-javadoc, datanucleus-api-jdo, json-lib-help, jenkins-json-lib, thrift-qt, thrift-glib, thrift-devel, thrift-debugsource, python3-thrift, perl-thrift, libthrift-java, wildfly-core-javadoc, wildfly-core-feature-pack, wildfly-common-help, wildfly-server-provisioning-standalone, wildfly-server-provisioning-maven-plugin, wildfly-server-provisioning, wildfly-feature-pack-build-maven-plugin, wildfly-build-tools-javadoc, wildfly-elytron-javadoc, wildfly-security-manager-javadoc, springframework-web, springframework-tx, springframework-oxm, springframework-orm-hibernate4, springframework-orm, springframework-jms, springframework-jdbc, springframework-instrument, springframework-help, springframework-expression, springframework-context, springframework-beans, springframework-aop, netty-help, mybatis-javadoc, log4j-bom, log4j-jcl, log4j-jmx-gui, log4j-web, log4j-slf4j, log4j-taglib, log4j-help, avalon-framework, metrics, HikariCP, avalon-logkit, infinispan, mx4j, jgroups, datanucleus-core, json-lib, thrift, wildfly-core, wildfly-common, wildfly-build-tools, wildfly-elytron, wildfly-security-manager, netty, springframework, mybatis, log4j, avalon-framework-help, datanucleus-rdbms-javadoc, datanucleus-rdbms |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU59098
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-44832
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
Description
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote user with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.
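As an added defender's check (not part of this bulletin or of openEuler's packaging), the script below parses a Log4j 2 XML configuration and flags every JDBC Appender whose DataSource jndiName is not in the in-process java: namespace, mirroring the restriction to the java: protocol that upstream Log4j 2.17.1 applied to the JDBC Appender. The configuration is constructed sample input; example.invalid is a placeholder host.

```python
"""Flag Log4j 2 JDBC appenders whose DataSource uses a non-local JNDI name
(the configuration pattern described for CVE-2021-44832)."""
import xml.etree.ElementTree as ET

# Constructed sample configuration: one appender bound to a local,
# container-managed DataSource, one pointing at a URL-style naming URI.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <JDBC name="auditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/AuditDS"/>
      <Column name="msg" pattern="%m"/>
    </JDBC>
    <Appender type="JDBC" name="suspectDb" tableName="app_log">
      <DataSource jndiName="ldap://example.invalid/ds"/>
      <Column name="msg" pattern="%m"/>
    </Appender>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="stdout"/></Root></Loggers>
</Configuration>"""


def _is_jdbc_appender(elem: ET.Element) -> bool:
    """Match both the <JDBC> plugin element and strict-mode <Appender type="JDBC">."""
    tag = elem.tag.lower()
    return tag == "jdbc" or (tag == "appender" and elem.get("type", "").lower() == "jdbc")


def jndi_datasources(config_xml: str) -> list:
    """Return (appender name, jndiName) for every JDBC appender DataSource."""
    found = []
    for appender in filter(_is_jdbc_appender, ET.fromstring(config_xml).iter()):
        for ds in appender.iter():
            if ds.tag.lower() == "datasource":
                found.append((appender.get("name", "?"), ds.get("jndiName", "")))
    return found


def is_local_jndi_name(name: str) -> bool:
    """Accept only the in-process 'java:' namespace; URL schemes such as
    ldap: or rmi: (and a missing name) are rejected."""
    return name.lower().startswith("java:")


def find_unsafe_datasources(config_xml: str) -> list:
    """JDBC appenders whose DataSource jndiName is not a local java: name."""
    return [(n, j) for n, j in jndi_datasources(config_xml) if not is_local_jndi_name(j)]


if __name__ == "__main__":
    for name, jndi in find_unsafe_datasources(SAMPLE_CONFIG):
        print(f"appender {name!r}: non-local JNDI DataSource {jndi!r}")
```

Run it against each log4j2 configuration file an application loads; any hit is either a misconfiguration to correct or evidence that someone with configuration-write access has altered logging.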
Mitigation
Install updates from vendor's repository.
Vulnerable software versions
openEuler: 20.03 LTS SP1 - 20.03 LTS SP2
metrics-servlets: before 3.1.2-4
metrics-servlet: before 3.1.2-4
metrics-parent: before 3.1.2-4
metrics-logback: before 3.1.2-4
metrics-log4j2: before 3.1.2-4
metrics-log4j: before 3.1.2-4
metrics-jvm: before 3.1.2-4
metrics-json: before 3.1.2-4
metrics-jersey2: before 3.1.2-4
metrics-jdbi: before 3.1.2-4
metrics-javadoc: before 3.1.2-4
metrics-httpclient: before 3.1.2-4
metrics-httpasyncclient: before 3.1.2-4
metrics-healthchecks: before 3.1.2-4
metrics-graphite: before 3.1.2-4
metrics-ganglia: before 3.1.2-4
metrics-ehcache: before 3.1.2-4
metrics-doc: before 3.1.2-4
metrics-benchmarks: before 3.1.2-4
metrics-annotation: before 3.1.2-4
HikariCP-help: before 2.4.3-7
datanucleus-api-jdo-javadoc: before 3.2.8-4
avalon-logkit-help: before 2.1-35
infinispan-help: before 8.2.4-11
jboss-logging-javadoc: before 3.3.0-8
jboss-logging: before 3.3.0-8
mx4j-manual: before 3.0.1-4
mx4j-javadoc: before 3.0.1-4
jgroups-help: before 3.6.10-9
datanucleus-core-javadoc: before 3.2.15-4
datanucleus-api-jdo: before 3.2.8-4
json-lib-help: before 2.4-20
jenkins-json-lib: before 2.4-20
thrift-qt: before 0.14.0-6
thrift-glib: before 0.14.0-6
thrift-devel: before 0.14.0-6
thrift-debugsource: before 0.14.0-6
python3-thrift: before 0.14.0-6
perl-thrift: before 0.14.0-6
libthrift-java: before 0.14.0-6
wildfly-core-javadoc: before 2.2.0-4
wildfly-core-feature-pack: before 2.2.0-4
wildfly-common-help: before 1.1.0-9
wildfly-server-provisioning-standalone: before 1.1.6-3
wildfly-server-provisioning-maven-plugin: before 1.1.6-3
wildfly-server-provisioning: before 1.1.6-3
wildfly-feature-pack-build-maven-plugin: before 1.1.6-3
wildfly-build-tools-javadoc: before 1.1.6-3
wildfly-elytron-javadoc: before 1.0.2-3
wildfly-security-manager-javadoc: before 1.1.2-3
springframework-web: before 3.2.18-11
springframework-tx: before 3.2.18-11
springframework-oxm: before 3.2.18-11
springframework-orm-hibernate4: before 3.2.18-11
springframework-orm: before 3.2.18-11
springframework-jms: before 3.2.18-11
springframework-jdbc: before 3.2.18-11
springframework-instrument: before 3.2.18-11
springframework-help: before 3.2.18-11
springframework-expression: before 3.2.18-11
springframework-context: before 3.2.18-11
springframework-beans: before 3.2.18-11
springframework-aop: before 3.2.18-11
netty-help: before 4.1.13-16
mybatis-javadoc: before 3.2.8-4
log4j-bom: before 2.17.0-3
log4j-jcl: before 2.17.0-3
log4j-jmx-gui: before 2.17.0-3
log4j-web: before 2.17.0-3
log4j-slf4j: before 2.17.0-3
log4j-taglib: before 2.17.0-3
log4j-help: before 2.17.0-3
avalon-framework: before 4.3-24
metrics: before 3.1.2-4
HikariCP: before 2.4.3-7
avalon-logkit: before 2.1-35
infinispan: before 8.2.4-11
mx4j: before 3.0.1-4
jgroups: before 3.6.10-9
datanucleus-core: before 3.2.15-4
json-lib: before 2.4-20
thrift: before 0.14.0-6
wildfly-core: before 2.2.0-4
wildfly-common: before 1.1.0-9
wildfly-build-tools: before 1.1.6-3
wildfly-elytron: before 1.0.2-3
wildfly-security-manager: before 1.1.2-3
netty: before 4.1.13-16
springframework: before 3.2.18-11
mybatis: before 3.2.8-4
log4j: before 2.17.0-3
avalon-framework-help: before 4.3-24
datanucleus-rdbms-javadoc: before 3.2.13-4
datanucleus-rdbms: before 3.2.13-4
CPE2.3
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1481
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.