Your message dated Sun, 12 Dec 2021 12:17:08 +0000
with message-id <e1mwnmu-0007dj...@fasolo.debian.org>
and subject line Bug#1001478: fixed in apache-log4j2 2.15.0-1~deb11u1
has caused the Debian Bug report #1001478,
regarding apache-log4j2: CVE-2021-44228: Remote code injection via crafted log messages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1001478: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001478
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache-log4j2
Version: 2.13.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3198 https://github.com/apache/logging-log4j2/pull/608
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.11.1-2
Control: found -1 2.7-2

Hi,

The following vulnerability was published for apache-log4j2.

I'm still choosing grave for the severity, though there are some
mitigating factors depending on the Java version used. See the
references for details, in particular [3].

Additionally, according to the latest comments in [4], the issue seems
not to be completely fixed. As the lookup is performed after formatting
the message, which includes the user input, the vulnerability could
still be triggered using a ParameterizedMessage. See the comments
from Eric Everman and Volkan Yazici in [4].

CVE-2021-44228[0]:
| Apache Log4j2 <=2.14.1 JNDI features used in configuration, log
| messages, and parameters do not protect against attacker controlled
| LDAP and other JNDI related endpoints. An attacker who can control log
| messages or log message parameters can execute arbitrary code loaded
| from LDAP servers when message lookup substitution is enabled. From
| log4j 2.15.0, this behavior has been disabled by default. In previous
| releases (>2.10) this behavior can be mitigated by setting system
| property "log4j2.formatMsgNoLookups" to "true" or
| by removing the JndiLookup class from the classpath (example: zip -q
| -d log4j-core-*.jar
| org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121
| (see
| https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)
| protects against remote code execution by defaulting
| "com.sun.jndi.rmi.object.trustURLCodebase" and
| "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-44228
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
[1] https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
[2] https://github.com/apache/logging-log4j2/pull/608
[3] https://www.lunasec.io/docs/blog/log4j-zero-day/
[4] https://issues.apache.org/jira/browse/LOG4J2-3198

Regards,
Salvatore

--- End Message ---
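The CVE text quoted in the report above gives a defender two things to check on a deployed host: the declared log4j-core version (lookups are disabled by default from 2.15.0) and whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still on the classpath (its removal is the stated workaround for older releases). The scanner below is an added example written for this page; it is not Debian's or the Log4j project's tooling. It walks a directory for jars, recurses into jars nested inside WARs or fat jars, reads the Maven pom.properties that log4j-core jars carry, and classifies each hit against the 2.15.0 threshold from the advisory. The status names, the nesting depth limit and the `build_sample_jar` helper are this example's own choices; the sample jars it builds for self-testing are constructed in memory with placeholder bytes, not real bytecode.

```python
"""Find log4j-core jars on disk and report version / JndiLookup presence.
Added example for the CVE-2021-44228 bug report; not Debian or Log4j code."""
import io
import os
import re
import zipfile

# Class whose removal is the workaround quoted in the CVE description.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core jars; carries the declared version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Version from which, per the advisory, message lookups are off by default.
FIXED_IN = (2, 15, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pads to three parts so '2.15' compares as 2.15.0."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify(version, has_lookup):
    """Status names are this example's own, derived from the advisory text."""
    if not has_lookup:
        return "MITIGATED"              # JndiLookup.class removed or never shipped
    if version is None:
        return "CHECK"                  # class present, version could not be read
    if version < FIXED_IN:
        return "VULNERABLE"             # <= 2.14.1 with lookups still on the classpath
    return "LOOKUP_CLASS_PRESENT"       # 2.15.0+: off by default, class still shipped


def inspect_jar(data, location="<bytes>", depth=0, max_depth=3):
    """Inspect one archive (as bytes) plus any archives nested in it.
    Returns one finding dict per log4j-core jar encountered."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        has_lookup = JNDI_LOOKUP_CLASS in names
        if version is not None or has_lookup:
            findings.append({"location": location, "version": version,
                             "jndi_lookup_present": has_lookup,
                             "status": classify(version, has_lookup)})
        if depth < max_depth:
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    findings.extend(inspect_jar(zf.read(name), f"{location}!{name}",
                                                depth + 1, max_depth))
    return findings


def scan_tree(root):
    """Walk a directory and inspect every archive; unreadable files are reported, not skipped."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    results.extend(inspect_jar(fh.read(), location=path))
            except (zipfile.BadZipFile, OSError):
                results.append({"location": path, "version": None,
                                "jndi_lookup_present": None, "status": "UNREADABLE"})
    return results


def build_sample_jar(version=None, include_jndi_lookup=False, nested=None):
    """Construct a minimal in-memory archive for testing the scanner.
    Constructed sample: the class entry holds placeholder bytes, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES,
                        f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        if nested is not None:
            zf.writestr("WEB-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['status']:22} {f['version']}  {f['location']}")
```

Run it as `python3 scan_log4j.py /path/to/app` and act on the status column: VULNERABLE hits need the upgrade or the class removal from the advisory, CHECK hits need the version confirmed by hand, and LOOKUP_CLASS_PRESENT hits are worth a second look given the report's note that 2.15.0 may not close the issue completely.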
--- Begin Message ---
Source: apache-log4j2
Source-Version: 2.15.0-1~deb11u1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache-log4j2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1001...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated apache-log4j2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 11 Dec 2021 17:15:53 +0100
Source: apache-log4j2
Architecture: source
Version: 2.15.0-1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1001478
Changes:
 apache-log4j2 (2.15.0-1~deb11u1) bullseye-security; urgency=high
 .
   * Team upload.
   * Backport version 2.15.0 to Bullseye and fix CVE-2021-44228.
     (Closes: #1001478)
Checksums-Sha1:
 9bdf8df046f74a2fe9041610969fed5c8c0c88c4 3051 apache-log4j2_2.15.0-1~deb11u1.dsc
 9af1682ea5a76d1462f01ca3065359ecbd87905c 1288012 apache-log4j2_2.15.0.orig.tar.xz
 bc7d0fa80f695ddb7359c50296df4846b77618d3 7252 apache-log4j2_2.15.0-1~deb11u1.debian.tar.xz
 e3ad9c54152e74176dda686c869efe7e5b0be691 9100 apache-log4j2_2.15.0-1~deb11u1_source.buildinfo
Checksums-Sha256:
 299154c0008101896e1c06e7440ab377b19c5fac77b130a6b4ae387669a61a76 3051 apache-log4j2_2.15.0-1~deb11u1.dsc
 bfe55d5b3b6e636cc45c7f8ab35a531e14d9b07c33c6b1afe098571b0a71a02a 1288012 apache-log4j2_2.15.0.orig.tar.xz
 95e71fe603cc2a51d1ed5006f5feec7b2b5bd10779abd68128478cf94f08c98d 7252 apache-log4j2_2.15.0-1~deb11u1.debian.tar.xz
 a933aae448fa54ee4b3db8e7b047efe813cbfda62bf148ab0f7ad91a9049ac39 9100 apache-log4j2_2.15.0-1~deb11u1_source.buildinfo
Files:
 00e948f3b0eb7a1e47c2c2e2d2a7a543 3051 java optional apache-log4j2_2.15.0-1~deb11u1.dsc
 34d5e5f1178d1056199f13336cadfe16 1288012 java optional apache-log4j2_2.15.0.orig.tar.xz
 03fa92f29ee793a937cef927bf058809 7252 java optional apache-log4j2_2.15.0-1~deb11u1.debian.tar.xz
 7f1b4cf2006b9bf997f1afb6743ffcdb 9100 java optional apache-log4j2_2.15.0-1~deb11u1_source.buildinfo


--- End Message ---
