File _patchinfo of Package patchinfo.22206

<patchinfo incident="22206">
  <issue tracker="cve" id="2021-44228"/>
  <issue tracker="cve" id="2021-45046"/>
  <issue tracker="bnc" id="1193611">CVE-2021-44228: log4j: remote code execution via the ldap JNDI parser</issue>
  <issue tracker="bnc" id="1193743">VUL-0: CVE-2021-45046: storm,log4j12,log4j,slf4j: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack</issue>
  <packager>psimons</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for log4j</summary>
  <description>This update for log4j fixes the following issues:

CVE-2021-44228: The previously published fix by upstream turned out to be
incomplete. Therefore, upstream has recommended disabling JNDI support in log4j
by default to be completely sure that this vulnerability cannot be exploited.

This update implements that recommendation and disables JNDI support by
default. [bsc#1193611, CVE-2021-44228]

CVE-2021-45046: The denial of service vulnerability in the Thread Context
Message Pattern and Context Lookup Pattern is also fixed by disabling JNDI
support by default. (bsc#1193743)
</description>
</patchinfo>