openSUSE-SU-2021:4094-1

See a problem?

Import Source

https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2021:4094-1.json

JSON Data

https://api.osv.dev/v1/vulns/openSUSE-SU-2021:4094-1

Related

Published

2021-12-15T10:17:28Z

Modified

2021-12-15T10:17:28Z

Summary

Security update for log4j

Details

This update for log4j fixes the following issue:

CVE-2021-44228: The previously published fix by upstream turned out to be incomplete. Therefore, upstream has recommended disabling JNDI support in log4j by default to be completely sure that this vulnerability cannot be exploited.

This update implements that recommendation and disables JNDI support by default. [bsc#1193611, CVE-2021-44228]

CVE-2021-45046: A Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack is also fixed by disabling JNDI support by default (bsc#1193743)

References

Affected packages

openSUSE:Leap 15.3 / log4j

Package

Name: log4j
Purl: purl:rpm/suse/log4j&distro=openSUSE%20Leap%2015.3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.13.0-4.6.1

Ecosystem specific

{
    "binaries": [
        {
            "log4j-jcl": "2.13.0-4.6.1",
            "log4j": "2.13.0-4.6.1",
            "log4j-javadoc": "2.13.0-4.6.1",
            "log4j-slf4j": "2.13.0-4.6.1"
        }
    ]
}