ALAS2022-2021-004


Amazon Linux 2022 Security Advisory: ALAS-2021-004
Advisory Release Date: 2021-12-17 17:30 Pacific
Advisory Updated Date: 2021-12-17 22:31 Pacific
Severity: Critical
References: CVE-2021-45046 

Issue Overview:

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), an attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern, resulting in a denial of service (DoS). Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. (CVE-2021-45046)


Affected Packages:

log4j


Issue Correction:
Run dnf update --releasever=2022.0.20211217 log4j to update your system.

New Packages:
noarch:
    log4j-jcl-2.16.0-1.amzn2022.noarch
    log4j-slf4j-2.16.0-1.amzn2022.noarch
    log4j-2.16.0-1.amzn2022.noarch

src:
    log4j-2.16.0-1.amzn2022.src