apache-log4j2: CVE-2021-45046: Incomplete fix for CVE-2021-44228 in certain non-default configurations

Related Vulnerabilities: CVE-2021-45046   CVE-2021-44228  

Debian Bug report logs - #1001729

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 14 Dec 2021 20:39:04 UTC

Owned by: Markus Koschany <apo@debian.org>

Severity: grave

Tags: security, upstream

Found in versions apache-log4j2/2.15.0-1, apache-log4j2/2.15.0-1~deb10u1, apache-log4j2/2.15.0-1~deb11u1

Fixed in version apache-log4j2/2.16.0-1

Done: Markus Koschany <apo@debian.org>

Forwarded to https://issues.apache.org/jira/browse/LOG4J2-3221



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1001729; Package src:apache-log4j2. (Tue, 14 Dec 2021 20:39:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 14 Dec 2021 20:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache-log4j2: CVE-2021-45046: Incomplete fix for CVE-2021-44228 in certain non-default configurations
Date: Tue, 14 Dec 2021 21:37:07 +0100
Source: apache-log4j2
Version: 2.15.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3221
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.15.0-1~deb11u1
Control: found -1 2.15.0-1~deb10u1

Hi,

The following vulnerability was published for apache-log4j2. Strictly
speaking it's less severe than CVE-2021-44228 as it is an incomplete fix
for the former CVE in certain non-default configurations.

CVE-2021-45046[0]:
| It was found that the fix to address CVE-2021-44228 in Apache Log4j
| 2.15.0 was incomplete in certain non-default configurations. This
| could allow attackers with control over Thread Context Map (MDC)
| input data when the logging configuration uses a non-default Pattern
| Layout with either a Context Lookup (for example, $${ctx:loginId}) or
| a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious
| input data using a JNDI Lookup pattern resulting in a denial of
| service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to
| localhost by default. Note that previous mitigations involving
| configuration such as to set the system property
| `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific
| vulnerability. Log4j 2.16.0 fixes this issue by removing support for
| message lookup patterns and disabling JNDI functionality by default.
| This issue can be mitigated in prior releases (<2.16.0) by removing
| the JndiLookup class from the classpath (example: zip -q -d
| log4j-core-*.jar
| org/apache/logging/log4j/core/lookup/JndiLookup.class).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-45046
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
[1] https://issues.apache.org/jira/browse/LOG4J2-3221
[2] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046
[3] https://www.openwall.com/lists/oss-security/2021/12/14/4

Regards,
Salvatore
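The advisory quoted in the report names two things a defender can check for: whether a log4j-core jar still carries `JndiLookup.class` (the classpath mitigation, which is also what the Debian stretch update did), and whether a PatternLayout uses a Context Lookup (`${ctx:...}`) or a Thread Context Map pattern (`%X`, `%mdc`, `%MDC`), the non-default configuration in which 2.15.0 stays exposed. The following triage helper is an added example, not code from the bug report, from Debian, or from the Log4j project. It goes slightly beyond the advisory text by reading the version from the `pom.properties` that log4j-core ships and by handling both XML and properties-style configurations; the sample jars and configurations are constructed inline, and the jar entries are placeholders rather than real bytecode.

```python
"""Triage helper for CVE-2021-45046 (added example; not code from the Debian bug
report, Debian, or the Log4j project).  It implements the two conditions named
in the advisory quoted above:
  1. a log4j-core jar that still contains JndiLookup.class has not had the
     classpath mitigation (zip -q -d ... JndiLookup.class) applied;
  2. a PatternLayout using a Context Lookup (${ctx:...}) or a Thread Context
     Map pattern (%X, %mdc, %MDC) is one of the non-default configurations in
     which 2.15.0 stays exposed.
Sample jars and configurations are constructed in this file; the jar entries
are placeholders, not real bytecode."""
import io
import re
import zipfile

JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Layout-pattern fragments named in the advisory.
_CTX_LOOKUP = re.compile(r"\$\{ctx:[^}]*\}")      # ${ctx:loginId}, also $${ctx:...}
_MDC_PATTERN = re.compile(r"%(?:X|mdc|MDC)\b")   # %X, %X{key}, %mdc, %MDC
# Where a layout pattern lives in XML and in properties-style configs.
_XML_PATTERN = re.compile(r'pattern\s*=\s*"([^"]*)"')
_PROPS_PATTERN = re.compile(r"^\s*[\w.]*layout\.pattern\s*=\s*(.*?)\s*$", re.M)


def log4j_core_version(jar_bytes):
    """Version from the Maven pom.properties that log4j-core ships, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def has_jndi_lookup(jar_bytes):
    """True while JndiLookup.class is still on the classpath inside this jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP_ENTRY in zf.namelist()


def strip_jndi_lookup(jar_bytes):
    """Rewrite the jar without JndiLookup.class (what `zip -q -d` does in place)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_ENTRY:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def risky_layout_patterns(config_text):
    """Layout patterns that feed Thread Context Map data into a lookup-capable layout."""
    candidates = _XML_PATTERN.findall(config_text) + _PROPS_PATTERN.findall(config_text)
    return [p for p in candidates if _CTX_LOOKUP.search(p) or _MDC_PATTERN.search(p)]


def assess(jar_bytes, config_text):
    """Combine both checks; only the cases the advisory spells out get a verdict."""
    version = log4j_core_version(jar_bytes)
    jndi = has_jndi_lookup(jar_bytes)
    risky = risky_layout_patterns(config_text)
    if not jndi:
        status = "mitigated"   # JndiLookup.class removed, as the Debian stretch update did
    elif version == "2.15.0" and risky:
        status = "exposed"     # the CVE-2021-45046 non-default configuration on 2.15.0
    else:
        status = "review"      # JndiLookup present; compare the version against the advisory
    return {"version": version, "jndi_lookup": jndi, "risky_patterns": risky, "status": status}


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar with placeholder entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed configurations: an MDC pattern, a plain layout, and a properties-style ctx lookup.
SAMPLE_CONFIG_RISKY = ('<Configuration><Appenders><Console name="stdout">'
                       '<PatternLayout pattern="%d{ISO8601} %p [%t] user=%X{loginId} %m%n"/>'
                       '</Console></Appenders></Configuration>')
SAMPLE_CONFIG_DEFAULT = ('<Configuration><Appenders><Console name="stdout">'
                         '<PatternLayout pattern="%d{ISO8601} %p [%t] %c{1.} %m%n"/>'
                         '</Console></Appenders></Configuration>')
SAMPLE_CONFIG_PROPS = "appender.console.layout.pattern = %d $${ctx:loginId} %m%n\n"

if __name__ == "__main__":
    jar = build_sample_jar("2.15.0")
    print(assess(jar, SAMPLE_CONFIG_RISKY))
    print(assess(strip_jndi_lookup(jar), SAMPLE_CONFIG_RISKY))
```

`strip_jndi_lookup` rewrites the archive rather than editing it in place, so the original jar can be kept for comparison; on a real host the `zip -q -d` command from the advisory does the same thing. The version check is deliberately narrow: a jar with `JndiLookup.class` present and a version other than 2.15.0 is reported as "review" rather than given a verdict this advisory does not make.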



Marked as found in versions apache-log4j2/2.15.0-1~deb11u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 14 Dec 2021 20:39:06 GMT)


Marked as found in versions apache-log4j2/2.15.0-1~deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 14 Dec 2021 20:39:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1001729; Package src:apache-log4j2. (Tue, 14 Dec 2021 22:48:02 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 14 Dec 2021 22:48:02 GMT)


Message #14 received at 1001729@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1001729@bugs.debian.org
Subject: Re: Bug#1001729: apache-log4j2: CVE-2021-45046: Incomplete fix for CVE-2021-44228 in certain non-default configurations
Date: Tue, 14 Dec 2021 23:45:20 +0100
Control: owner -1 !

Am Dienstag, dem 14.12.2021 um 21:37 +0100 schrieb Salvatore Bonaccorso:
> Source: apache-log4j2
> Version: 2.15.0-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3221
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team
> <team@security.debian.org>
> Control: found -1 2.15.0-1~deb11u1
> Control: found -1 2.15.0-1~deb10u1
> 
> Hi,
> 
> The following vulnerability was published for apache-log4j2. Strictly
> speaking it's less severe than CVE-2021-44228 as it is an incomplete fix
> for the former CVE in certain non-default configurations.

Hi Salvatore,

I believe Stretch is not vulnerable to CVE-2021-45046 because I have removed
the JndiLookup class when I fixed CVE-2021-44228.

Shall I release a new DSA for CVE-2021-45046 or a regression update for
CVE-2021-44228 because of the incomplete upstream fix?

Regards,

Markus


Owner recorded as Markus Koschany <apo@debian.org>. Request was from Markus Koschany <apo@debian.org> to 1001729-submit@bugs.debian.org. (Tue, 14 Dec 2021 22:48:02 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Wed, 15 Dec 2021 02:36:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 15 Dec 2021 02:36:03 GMT)


Message #21 received at 1001729-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1001729-close@bugs.debian.org
Subject: Bug#1001729: fixed in apache-log4j2 2.16.0-1
Date: Wed, 15 Dec 2021 02:33:37 +0000
Source: apache-log4j2
Source-Version: 2.16.0-1
Done: Markus Koschany <apo@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache-log4j2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1001729@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated apache-log4j2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 15 Dec 2021 02:38:06 +0100
Source: apache-log4j2
Architecture: source
Version: 2.16.0-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 1001729
Changes:
 apache-log4j2 (2.16.0-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 2.16.0.
     - Fix CVE-2021-45046:
       It was found that the fix to address CVE-2021-44228 in Apache Log4j
       2.15.0 was incomplete in certain non-default configurations. This could
       allow attackers with control over Thread Context Map (MDC) input data
       when the logging configuration uses a non-default Pattern Layout with
       either a Context Lookup (for example, $${ctx:loginId}) or a Thread
       Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data
       using a JNDI Lookup pattern resulting in a denial of service (DOS)
       attack.
       Thanks to Salvatore Bonaccorso for the report. (Closes: #1001729)
Checksums-Sha1:
 84452ae9920e07498d190f23dbb352de07cec021 3019 apache-log4j2_2.16.0-1.dsc
 29ed458aa60e1821908564fd66438c6e9206e282 1285464 apache-log4j2_2.16.0.orig.tar.xz
 b00e68c97b8d86f9a0320fc5e505382862693ac2 7424 apache-log4j2_2.16.0-1.debian.tar.xz
 c4a092f6a451e43d3a1bebe5f30d9c391ad8e20f 14600 apache-log4j2_2.16.0-1_amd64.buildinfo
Checksums-Sha256:
 0303d3a9221df4a1f8d71c6192fab55df6b7e3129d0ce1f0a05fa1b346b011e1 3019 apache-log4j2_2.16.0-1.dsc
 d36a7556e7027819aaceef02838dcfaa3dd368f74f92b9585b2b6a442eb2194f 1285464 apache-log4j2_2.16.0.orig.tar.xz
 bac5638d94b45cb184a15a7ae1e21f9b2facd58671a3cc78a5a83bc97d5037e5 7424 apache-log4j2_2.16.0-1.debian.tar.xz
 679bf0ff52a54ccb8d8b48b26e7248bd2bb9b192819d29c99935c81aead9f687 14600 apache-log4j2_2.16.0-1_amd64.buildinfo
Files:
 6db3941ea2f5e950f40eb254127ecb1b 3019 java optional apache-log4j2_2.16.0-1.dsc
 d7a5e122b9ff61c6272c62347b25986b 1285464 java optional apache-log4j2_2.16.0.orig.tar.xz
 4ba7944a2006edf1a742a03cf1a24bf2 7424 java optional apache-log4j2_2.16.0-1.debian.tar.xz
 0196f7afd4acc39fc3c392ca44e261f7 14600 java optional apache-log4j2_2.16.0-1_amd64.buildinfo





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>, Markus Koschany <apo@debian.org>:
Bug#1001729; Package src:apache-log4j2. (Wed, 15 Dec 2021 05:54:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>, Markus Koschany <apo@debian.org>. (Wed, 15 Dec 2021 05:54:03 GMT)


Message #26 received at 1001729@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>
Cc: 1001729@bugs.debian.org
Subject: Re: Bug#1001729: apache-log4j2: CVE-2021-45046: Incomplete fix for CVE-2021-44228 in certain non-default configurations
Date: Wed, 15 Dec 2021 06:50:38 +0100
Hi Markus,

On Tue, Dec 14, 2021 at 11:45:20PM +0100, Markus Koschany wrote:
> Control: owner -1 !
> 
> Am Dienstag, dem 14.12.2021 um 21:37 +0100 schrieb Salvatore Bonaccorso:
> > Source: apache-log4j2
> > Version: 2.15.0-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3221
> > X-Debbugs-Cc: carnil@debian.org, Debian Security Team
> > <team@security.debian.org>
> > Control: found -1 2.15.0-1~deb11u1
> > Control: found -1 2.15.0-1~deb10u1
> > 
> > Hi,
> > 
> > The following vulnerability was published for apache-log4j2. Strictly
> > speaking it's less severe than CVE-2021-44228 as it is an incomplete fix
> > for the former CVE in certain non-default configurations.
> 
> Hi Salvatore,
> 
> I believe Stretch is not vulnerable to CVE-2021-45046 because I have removed
> the JndiLookup class when I fixed CVE-2021-44228.

Oh, good. In this case I would mark it with something along the lines of:

	[stretch] - apache-log4j2 <not-affected> (Incomplete fix for CVE-2021-44228 not applied; JndiLookup class removed as part of fix for CVE-2021-44228)

> Shall I release a new DSA for CVE-2021-45046 or a regression update for CVE-
> 2021-44228 because of the incomplete upstream fix?

You are right, it might be a bit borderline towards a "regression
update". But as it is both a CVE assigned because of an incomplete
fix and one that can still be seen as an own issue, I would just
allocate a new DSA number for the update and make it a regular
security update.

My reasoning here is not that what CVE-2021-44228 was meant to
address remains unfixed, but that some other edge cases were not
covered, making the fix incomplete, while still being an own
"issue".

So just allocate a new DSA for it covering the CVE-2021-45046 CVE.

Thanks for working on the update!

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Dec 15 14:39:47 2021; Machine Name: bembo
