Your message dated Fri, 24 Dec 2021 13:47:23 +0000
with message-id <e1n0kup-0001ql...@fasolo.debian.org>
and subject line Bug#1001478: fixed in apache-log4j2 2.15.0-1~deb10u1
has caused the Debian Bug report #1001478,
regarding apache-log4j2: CVE-2021-44228: Remote code injection via crafted log messages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1001478: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001478
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache-log4j2
Version: 2.13.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3198 https://github.com/apache/logging-log4j2/pull/608
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.11.1-2
Control: found -1 2.7-2

Hi,

The following vulnerability was published for apache-log4j2.

I'm still choosing grave for the severity, though there are some
mitigating factors depending on the Java version used. For details, see
the references, in particular [3].

Additionally, according to the latest comments in [4], the issue seems not
to be completely fixed. As the lookup is performed after formatting
the message, which includes the user input, the vulnerability could
still be triggered using a ParametrizedMessage. See in [4] the comments
from Eric Everman and Volkan Yazici.

CVE-2021-44228[0]:
| Apache Log4j2 <=2.14.1 JNDI features used in configuration, log
| messages, and parameters do not protect against attacker controlled
| LDAP and other JNDI related endpoints. An attacker who can control log
| messages or log message parameters can execute arbitrary code loaded
| from LDAP servers when message lookup substitution is enabled. From
| log4j 2.15.0, this behavior has been disabled by default. In previous
| releases (>2.10) this behavior can be mitigated by setting system
| property "log4j2.formatMsgNoLookups" to "true" or
| by removing the JndiLookup class from the classpath (example: zip -q
| -d log4j-core-*.jar
| org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121
| (see
| https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)
| protects against remote code execution by defaulting
| "com.sun.jndi.rmi.object.trustURLCodebase" and
| "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-44228
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
[1] https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
[2] https://github.com/apache/logging-log4j2/pull/608
[3] https://www.lunasec.io/docs/blog/log4j-zero-day/
[4] https://issues.apache.org/jira/browse/LOG4J2-3198

Regards,
Salvatore

--- End Message ---
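The JndiLookup removal that the CVE text above offers as a stop-gap, as an added defensive example that is not part of this bug report nor of Debian's or Log4j's tooling: it scans a directory tree for jars still shipping the class and rewrites them without it using Python's zipfile (the CVE text uses zip -q -d). All function names and the sample jars are constructed for this example; removing the class only disables the lookup, and the real remedy is the fixed package recorded later in this thread.

```python
# Added example, not Debian's or Log4j's code: Python version of the CVE text's zip -q -d JndiLookup workaround.
import os
import tempfile
import zipfile

# Class named in the CVE text; removing it from log4j-core disables JNDI lookups.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def has_jndi_lookup(jar_path):
    """True if the jar still contains the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()

def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class; True if it was removed."""
    if not has_jndi_lookup(jar_path):
        return False
    # zipfile cannot delete in place: copy the other entries to a temp jar, then swap.
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)
    return True

def scan_tree(root):
    """Sorted paths of every *.jar under root that still ships JndiLookup."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if name.endswith(".jar") and has_jndi_lookup(path):
                    hits.append(path)
            except zipfile.BadZipFile:
                pass  # not a real jar; skip it
    return sorted(hits)

def make_sample_tree():
    """Constructed input: temp dir with one jar carrying JndiLookup and one clean jar."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    vuln = os.path.join(root, "lib", "log4j-core-2.14.1.jar")
    os.makedirs(os.path.dirname(vuln))
    with zipfile.ZipFile(vuln, "w") as z:  # entries hold only class-file magic bytes
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return root, vuln
```

Run scan_tree() over a deployment root to find jars that still need attention; strip_jndi_lookup() should only be used where upgrading the package is not yet possible.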
--- Begin Message ---
Source: apache-log4j2
Source-Version: 2.15.0-1~deb10u1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache-log4j2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1001...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated apache-log4j2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sat, 11 Dec 2021 17:15:53 +0100
Source: apache-log4j2
Architecture: source
Version: 2.15.0-1~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 959450 1001478
Changes:
 apache-log4j2 (2.15.0-1~deb10u1) buster-security; urgency=high
 .
   * Team upload.
   * Backport version 2.15.0 to Buster and fix CVE-2021-44228.
     (Closes: #1001478)
   * Fix CVE-2020-9488:
     Improper validation of certificate with host mismatch in Apache Log4j SMTP
     appender. This could allow an SMTPS connection to be intercepted by a
     man-in-the-middle attack which could leak any log messages sent through
     that appender.
     (Closes: #959450)


--- End Message ---
