It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed.
https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
This CVE only applies to the OpenShift Metering hive container images shipped in OpenShift 4.8, 4.7 and 4.6. The previously shipped advisories below were incomplete:
https://access.redhat.com/errata/RHSA-2021:5108
https://access.redhat.com/errata/RHSA-2021:5107
https://access.redhat.com/errata/RHSA-2021:5106
For the complete fix, customers should upgrade to the images shipped in these advisories:
4.8.24: https://access.redhat.com/errata/RHSA-2021:5183
4.7.40: https://access.redhat.com/errata/RHSA-2021:5184
4.6.52: https://access.redhat.com/errata/RHSA-2021:5186
The OpenShift Metering hive container images were deprecated in OpenShift 4.8, and not shipped in 4.9 or later.
Please follow the Mitigation advice for the original CVEs.
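A verification check of the kind this advisory calls for, written here as an added example (not Red Hat's tooling): it walks an unpacked image filesystem and reports every JndiLookup.class, including copies inside jars nested within other jars (shaded or bundled log4j-core), which is how a removal that only handles the obvious top-level jar leaves residual copies behind. The `hive-exec.jar` name and the sample jar contents are constructed for the demonstration.

```python
import io
import zipfile
from pathlib import Path

# The class that implements the JNDI lookup used by CVE-2021-44228; removing it is the
# mitigation the original advisories applied, so a residual copy means the fix is incomplete.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def find_in_archive(data: bytes, label: str) -> list:
    """Return every outer!inner path at which JndiLookup.class occurs, descending into
    archives nested inside archives, which a flat 'unzip -l' style listing misses."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    hits = []
    with zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP:
                hits.append(f"{label}!{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(find_in_archive(zf.read(name), f"{label}!{name}"))
    return hits

def scan_tree(root: str) -> list:
    """Walk an unpacked image filesystem and report loose or archived JndiLookup.class files."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name == "JndiLookup.class":
            hits.append(str(path))
        elif path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            hits.extend(find_in_archive(path.read_bytes(), str(path)))
    return hits

def build_sample_jar() -> bytes:
    """Constructed sample: an outer jar whose only JndiLookup.class sits in a nested jar."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, constructed
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("org/apache/hadoop/hive/ql/Driver.class", b"\xca\xfe\xba\xbe")
        z.writestr("lib/log4j-core.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for hit in find_in_archive(build_sample_jar(), "hive-exec.jar"):
        print("still present:", hit)
```

Run `scan_tree` against the extracted rootfs of each hive image (for example the output of `oc image extract` or `podman export`) and treat any hit as the fix not being fully applied.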