Your message dated Sat, 11 Dec 2021 15:18:38 +0000
with message-id <e1mw490-000afb...@fasolo.debian.org>
and subject line Bug#1001478: fixed in apache-log4j2 2.15.0-1
has caused the Debian Bug report #1001478,
regarding apache-log4j2: CVE-2021-44228: Remote code injection via crafted log messages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1001478: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001478
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache-log4j2
Version: 2.13.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3198 https://github.com/apache/logging-log4j2/pull/608
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.11.1-2
Control: found -1 2.7-2

Hi,

The following vulnerability was published for apache-log4j2.

I'm still choosing grave for the severity, though there are some
mitigating factors depending on the Java version used. See for details
the references, in particular [3].

Additionally, according to the latest comments in [4] the issue seems not
to be completely fixed. As the lookup is performed after formatting
the message, which includes the user input, the vulnerability could
still be triggered using a ParameterizedMessage. See [4] the comments
from Eric Everman and Volkan Yazici.

CVE-2021-44228[0]:
| Apache Log4j2 <=2.14.1 JNDI features used in configuration, log
| messages, and parameters do not protect against attacker controlled
| LDAP and other JNDI related endpoints. An attacker who can control log
| messages or log message parameters can execute arbitrary code loaded
| from LDAP servers when message lookup substitution is enabled. From
| log4j 2.15.0, this behavior has been disabled by default. In previous
| releases (>2.10) this behavior can be mitigated by setting system
| property "log4j2.formatMsgNoLookups" to "true" or by removing the
| JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar
| org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121
| (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)
| protects against remote code execution by defaulting
| "com.sun.jndi.rmi.object.trustURLCodebase" and
| "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-44228
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
[1] https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
[2] https://github.com/apache/logging-log4j2/pull/608
[3] https://www.lunasec.io/docs/blog/log4j-zero-day/
[4] https://issues.apache.org/jira/browse/LOG4J2-3198

Regards,
Salvatore

--- End Message ---
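Added example, not from the bug report or the Debian package: a defender-side check for the two mitigations the CVE text above names, removal of JndiLookup.class from log4j-core and being on 2.15.0, where message lookups are off by default. It reads the jar's Maven pom.properties (the standard path for log4j-core) to learn the version; the sample jar builder is a constructed stand-in containing no real bytecode.

```python
import io
import sys
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Standard Maven metadata path inside log4j-core jars; it records the version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # message lookups disabled by default from here on

def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); a '-suffix' such as '-rc1' is ignored."""
    return tuple(int(p) for p in version.split("-", 1)[0].split("."))

def assess_jar(jar):
    """jar is a path, file-like object or bytes; returns the jar's state."""
    if isinstance(jar, bytes):
        jar = io.BytesIO(jar)
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_lookup = JNDI_LOOKUP in names
    if version is None and not has_lookup:
        status = "not-log4j-core"
    elif not has_lookup:
        status = "class-removed"  # the zip -d mitigation has been applied
    elif version is not None and version_tuple(version) >= FIXED_VERSION:
        status = "lookups-disabled-by-default"
    else:
        status = "vulnerable"  # JndiLookup present, version < 2.15.0 or unknown
    return {"version": version, "jndi_lookup_present": has_lookup, "status": status}

def build_sample_jar(version, include_lookup):
    """Constructed stand-in for log4j-core-<version>.jar; no real bytecode inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

if __name__ == "__main__":  # scan real jars given on the command line
    for path in sys.argv[1:]:
        print(path, assess_jar(path))
```

A jar that carries JndiLookup.class but no pom.properties is reported as vulnerable, since the version cannot be confirmed; the check does not descend into jars nested inside war or ear archives.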
--- Begin Message ---
Source: apache-log4j2
Source-Version: 2.15.0-1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache-log4j2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1001...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated apache-log4j2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sat, 11 Dec 2021 15:01:57 +0100
Source: apache-log4j2
Architecture: source
Version: 2.15.0-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1001478
Changes:
 apache-log4j2 (2.15.0-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 2.15.0.
     - Fix CVE-2021-44228:
       Chen Zhaojun of Alibaba Cloud Security Team discovered that JNDI features
       used in configuration, log messages, and parameters do not protect
       against attacker controlled LDAP and other JNDI related endpoints. An
       attacker who can control log messages or log message parameters can
       execute arbitrary code loaded from LDAP servers when message lookup
       substitution is enabled. From version 2.15.0, this behavior has been
       disabled by default. (Closes: #1001478)
   * Update debian/watch to track the latest releases.
   * Declare compliance with Debian Policy 4.6.0.


--- End Message ---
