Your message dated Wed, 15 Dec 2021 02:33:37 +0000
with message-id <[email protected]>
and subject line Bug#1001729: fixed in apache-log4j2 2.16.0-1
has caused the Debian Bug report #1001729,
regarding apache-log4j2: CVE-2021-45046: Incomplete fix for CVE-2021-44228 in 
certain non-default configurations
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1001729: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001729
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: apache-log4j2
Version: 2.15.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3221
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.15.0-1~deb11u1
Control: found -1 2.15.0-1~deb10u1

Hi,

The following vulnerability was published for apache-log4j2. Strictly
speaking it's less severe as CVE-2021-44228 as it is an incomplete fix
for the former CVE in certain non-default configurations.

CVE-2021-45046[0]:
| It was found that the fix to address CVE-2021-44228 in Apache Log4j
| 2.15.0 was incomplete in certain non-default configurations. This
| could allow attackers with control over Thread Context Map (MDC)
| input data when the logging configuration uses a non-default Pattern
| Layout with either a Context Lookup (for example, $${ctx:loginId}) or
| a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious
| input data using a JNDI Lookup pattern resulting in a denial of
| service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to
| localhost by default. Note that previous mitigations involving
| configuration such as to set the system property
| `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific
| vulnerability. Log4j 2.16.0 fixes this issue by removing support for
| message lookup patterns and disabling JNDI functionality by default.
| This issue can be mitigated in prior releases (<2.16.0) by removing
| the JndiLookup class from the classpath (example: zip -q -d
| log4j-core-*.jar
| org/apache/logging/log4j/core/lookup/JndiLookup.class).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-45046
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
[1] https://issues.apache.org/jira/browse/LOG4J2-3221
[2] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046
[3] https://www.openwall.com/lists/oss-security/2021/12/14/4

Regards,
Salvatore

--- End Message ---
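The classpath mitigation quoted in the report above (deleting JndiLookup.class from log4j-core) and the version threshold it gives (2.16.0), worked into a small scanner-plus-fixer. This is an added example and is not part of the Debian bug report, the Debian package or the log4j project. It assumes that a log4j-core jar carries its version in the Maven entry META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties; the jars it scans are constructed stand-ins built inline so that it runs offline.

```python
"""Assess log4j-core jars for CVE-2021-45046 exposure and apply the classpath mitigation.

Added example, not code from the bug report or from log4j. The sample jars below are
constructed stand-ins (no real log4j bytecode); the class path and the 2.16.0 threshold
are taken from the CVE text quoted in the report.
"""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: log4j-core jars ship a Maven pom.properties at this path with a version= line.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 16, 0)  # 2.16.0 removes message lookup patterns and disables JNDI by default


def parse_version(text):
    """Turn '2.15.0' into (2, 15, 0); a non-numeric suffix such as '-rc1' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def log4j_core_version(zf):
    """Read the artifact version from pom.properties, or None if the entry is missing."""
    try:
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return parse_version(line.split("=", 1)[1])
    return None


def assess_jar(path):
    """Classify one jar as 'fixed', 'mitigated', 'vulnerable' or 'unknown'."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = log4j_core_version(zf)
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is None:
        status = "unknown"            # not a log4j-core jar we can version; inspect by hand
    elif version >= FIXED_VERSION:
        status = "fixed"              # judged by version, whether or not the class is present
    elif has_jndi:
        status = "vulnerable"         # < 2.16.0 and JndiLookup still on the classpath
    else:
        status = "mitigated"          # < 2.16.0 but the class was already stripped
    return {"path": path, "version": version, "jndi_lookup": has_jndi, "status": status}


def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (what 'zip -q -d' does), replacing it atomically.

    Returns True if the class was removed, False if it was not present."""
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP_CLASS not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename == JNDI_LOOKUP_CLASS:
                    continue
                dst.writestr(info, src.read(info.filename))
    shutil.move(tmp, path)  # the original is only replaced once the new jar is complete
    return True


def build_sample_jar(path, version, with_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar; the .class entries are placeholder bytes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def demo(workdir):
    """Build three constructed cases, assess them, strip the vulnerable one, re-assess."""
    jars = {
        "log4j-core-2.15.0.jar": ("2.15.0", True),    # the version this bug was filed against
        "log4j-core-2.16.0.jar": ("2.16.0", True),    # fixed upstream release
        "log4j-core-2.14.1-stripped.jar": ("2.14.1", False),  # older jar, class already removed
    }
    for name, (version, jndi) in jars.items():
        build_sample_jar(os.path.join(workdir, name), version, jndi)
    before = {n: assess_jar(os.path.join(workdir, n))["status"] for n in jars}
    removed = strip_jndi_lookup(os.path.join(workdir, "log4j-core-2.15.0.jar"))
    after = {n: assess_jar(os.path.join(workdir, n))["status"] for n in jars}
    return before, removed, after


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        before, removed, after = demo(d)
        for name in before:
            print(f"{name}: {before[name]} -> {after[name]}")
```

Two caveats when using this against a real deployment: the scanner only looks at top-level jars, so log4j-core bundled inside a WAR, EAR or shaded "fat" jar is not seen and would need the same check applied to the nested archive; and stripping the class is the stop-gap the CVE text offers for releases before 2.16.0, not a substitute for upgrading to the fixed package (2.16.0-1 here).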
--- Begin Message ---
Source: apache-log4j2
Source-Version: 2.16.0-1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
apache-log4j2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated apache-log4j2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Dec 2021 02:38:06 +0100
Source: apache-log4j2
Architecture: source
Version: 2.16.0-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1001729
Changes:
 apache-log4j2 (2.16.0-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 2.16.0.
     - Fix CVE-2021-45046:
       It was found that the fix to address CVE-2021-44228 in Apache Log4j
       2.15.0 was incomplete in certain non-default configurations. This could
       allow attackers with control over Thread Context Map (MDC) input data
       when the logging configuration uses a non-default Pattern Layout with
       either a Context Lookup (for example, $${ctx:loginId}) or a Thread
       Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data
       using a JNDI Lookup pattern resulting in a denial of service (DOS)
       attack.
       Thanks to Salvatore Bonaccorso for the report. (Closes: #1001729)
Checksums-Sha1:
 84452ae9920e07498d190f23dbb352de07cec021 3019 apache-log4j2_2.16.0-1.dsc
 29ed458aa60e1821908564fd66438c6e9206e282 1285464 apache-log4j2_2.16.0.orig.tar.xz
 b00e68c97b8d86f9a0320fc5e505382862693ac2 7424 apache-log4j2_2.16.0-1.debian.tar.xz
 c4a092f6a451e43d3a1bebe5f30d9c391ad8e20f 14600 apache-log4j2_2.16.0-1_amd64.buildinfo
Checksums-Sha256:
 0303d3a9221df4a1f8d71c6192fab55df6b7e3129d0ce1f0a05fa1b346b011e1 3019 apache-log4j2_2.16.0-1.dsc
 d36a7556e7027819aaceef02838dcfaa3dd368f74f92b9585b2b6a442eb2194f 1285464 apache-log4j2_2.16.0.orig.tar.xz
 bac5638d94b45cb184a15a7ae1e21f9b2facd58671a3cc78a5a83bc97d5037e5 7424 apache-log4j2_2.16.0-1.debian.tar.xz
 679bf0ff52a54ccb8d8b48b26e7248bd2bb9b192819d29c99935c81aead9f687 14600 apache-log4j2_2.16.0-1_amd64.buildinfo
Files:
 6db3941ea2f5e950f40eb254127ecb1b 3019 java optional apache-log4j2_2.16.0-1.dsc
 d7a5e122b9ff61c6272c62347b25986b 1285464 java optional apache-log4j2_2.16.0.orig.tar.xz
 4ba7944a2006edf1a742a03cf1a24bf2 7424 java optional apache-log4j2_2.16.0-1.debian.tar.xz
 0196f7afd4acc39fc3c392ca44e261f7 14600 java optional apache-log4j2_2.16.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
