apache-log4j2: CVE-2021-44832: remote code execution via JDBC Appender

Related Vulnerabilities: CVE-2021-44832  

Debian Bug report logs - #1002813

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 29 Dec 2021 08:15:02 UTC

Severity: grave

Tags: security, upstream

Found in versions apache-log4j2/2.17.0-1, apache-log4j2/2.12.3-0+deb9u1, apache-log4j2/2.17.0-1~deb11u1, apache-log4j2/2.17.0-1~deb10u1

Fixed in version apache-log4j2/2.17.1-1

Done: Markus Koschany <apo@debian.org>

Forwarded to https://issues.apache.org/jira/browse/LOG4J2-3293



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1002813; Package src:apache-log4j2. (Wed, 29 Dec 2021 08:15:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 29 Dec 2021 08:15:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache-log4j2: CVE-2021-44832: remote code execution via JDBC Appender
Date: Wed, 29 Dec 2021 09:12:01 +0100
Source: apache-log4j2
Version: 2.17.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3293
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.17.0-1~deb11u1
Control: found -1 2.17.0-1~deb10u1
Control: found -1 2.12.3-0+deb9u1

Hi,

The following vulnerability was published for apache-log4j2, which is
fixed in 2.17.1 and the security releases 2.12.4 and 2.3.2.

CVE-2021-44832[0]:
| Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security
| fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code
| execution (RCE) attack where an attacker with permission to modify the
| logging configuration file can construct a malicious configuration
| using a JDBC Appender with a data source referencing a JNDI URI which
| can execute remote code. This issue is fixed by limiting JNDI data
| source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4,
| and 2.3.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-44832
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
[1] https://issues.apache.org/jira/browse/LOG4J2-3293
[2] https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143

Regards,
Salvatore
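A defender-side check for the condition the advisory describes, added here as an example (it is not code from Log4j2, Apache or the Debian package): it parses a Log4j2 XML configuration and reports every JDBC appender whose DataSource jndiName is not limited to the java: protocol, the restriction the 2.17.1 fix imposes. Both sample configurations are constructed for the example.

```python
"""Audit a Log4j2 XML configuration for JDBC appenders whose DataSource
jndiName is not limited to the java: protocol (the CVE-2021-44832 condition).
Added example for this report; it is not Log4j2, upstream or Debian code."""
import xml.etree.ElementTree as ET

ALLOWED_PREFIX = "java:"  # the only JNDI protocol the 2.17.1 fix permits


def _local_tag(elem):
    # Strip any XML namespace; Log4j2 matches plugin names case-insensitively.
    return elem.tag.rsplit("}", 1)[-1].lower()


def _is_jdbc_appender(elem):
    # Usual form is <JDBC ...>; strict XML form is <Appender type="JDBC" ...>.
    tag = _local_tag(elem)
    return tag == "jdbc" or (tag == "appender" and elem.get("type", "").lower() == "jdbc")


def find_unsafe_jndi_data_sources(config_xml):
    """Return (appender name, jndiName) for each JDBC appender DataSource
    whose jndiName is missing or does not start with 'java:'."""
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        if not _is_jdbc_appender(elem):
            continue
        for child in elem:
            if _local_tag(child) == "datasource":
                jndi = child.get("jndiName", "")
                if not jndi.startswith(ALLOWED_PREFIX):
                    findings.append((elem.get("name", "<unnamed>"), jndi))
    return findings


# Constructed sample configurations (not taken from the bug report).
SAFE_CONFIG = """<Configuration><Appenders>
  <JDBC name="localDb" tableName="app_log">
    <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
    <Column name="message" pattern="%m"/>
  </JDBC></Appenders></Configuration>"""

UNSAFE_CONFIG = """<Configuration><Appenders>
  <Appender type="JDBC" name="remoteDb" tableName="app_log">
    <DataSource jndiName="ldap://example.invalid/datasource"/>
  </Appender></Appenders></Configuration>"""

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("unsafe", UNSAFE_CONFIG)):
        print(label, find_unsafe_jndi_data_sources(cfg))
```

Running the audit over deployed configuration files (and over the writable locations an application loads them from) is a quick way to confirm that no JDBC appender depends on a non-java JNDI lookup before and after upgrading to 2.17.1.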



Marked as found in versions apache-log4j2/2.17.0-1~deb11u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 29 Dec 2021 08:15:04 GMT)


Marked as found in versions apache-log4j2/2.17.0-1~deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 29 Dec 2021 08:15:04 GMT)


Marked as found in versions apache-log4j2/2.12.3-0+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 29 Dec 2021 08:15:05 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Wed, 29 Dec 2021 11:36:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 29 Dec 2021 11:36:05 GMT)


Message #16 received at 1002813-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1002813-close@bugs.debian.org
Subject: Bug#1002813: fixed in apache-log4j2 2.17.1-1
Date: Wed, 29 Dec 2021 11:33:31 +0000
Source: apache-log4j2
Source-Version: 2.17.1-1
Done: Markus Koschany <apo@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache-log4j2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1002813@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated apache-log4j2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 29 Dec 2021 11:44:21 +0100
Source: apache-log4j2
Architecture: source
Version: 2.17.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 1002813
Changes:
 apache-log4j2 (2.17.1-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 2.17.1.
     - Fix CVE-2021-44832:
       Apache Log4j2 is vulnerable to a remote code execution
       (RCE) attack where an attacker with permission to modify the logging
       configuration file can construct a malicious configuration using a JDBC
       Appender with a data source referencing a JNDI URI which can execute
       remote code. This issue is fixed by limiting JNDI data source names to
       the java protocol.
       Thanks to Salvatore Bonaccorso for the report. (Closes: #1002813)







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Dec 29 14:40:43 2021; Machine Name: bembo
