Security vulnerability: log4j remote code execution aka log4shell CVE-2021-44228
This document (000020526) is provided subject to the disclaimer at the end of this document.
Environment
Situation
exploiting the default enabled JNDI bindings. This is possible without any preconditions, making it critical.
Resolution
SUSE Linux Enterprise products do not ship log4j 2.x.
SUSE Manager does not ship log4j 2.x.
SUSE Enterprise Storage does not ship log4j 2.x.
SUSE Openstack Cloud embeds log4j2 in the "storm" component, which will receive updates.
SUSE NeuVector product does not ship log4j 2.x.
SUSE Rancher is not affected by this vulnerability. The Helm chart for Istio 1.5, provided by Rancher and currently deprecated, includes Zipkin and is affected by this Log4j vulnerability. Customers are advised to upgrade to the recent Istio version provided in Cluster Explorer, which does not use Zipkin and is not affected by the vulnerability.
If you deploy your own Java application stacks, refer to the upstream log4j guidance on fixes and mitigation measures.
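For customers who do run their own Java stacks on these systems, the first question is whether a vulnerable log4j-core is present at all. The scanner below is an added example, not SUSE's or the Apache project's tooling: it walks a directory tree, opens every jar/war/ear, reads log4j-core's Maven pom.properties for the version, checks whether the JndiLookup class (the JNDI lookup this CVE abuses) is still inside the archive, and descends into nested archives so fat jars and WARs are covered. It assumes the upstream fixed-version threshold of 2.15.0 for CVE-2021-44228 (later Apache advisories raised the recommended version, so set FIXED_VERSION from the upstream security page linked below); the sample tree built in demo() is constructed for illustration only.

```python
"""Find log4j-core archives under a directory and report whether each one
still carries the JndiLookup class and whether its version is below the
upstream fix for CVE-2021-44228.  Added example; not SUSE or Apache code."""
import io
import os
import re
import sys
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Assumption: CVE-2021-44228 was fixed in log4j 2.15.0.  Later upstream
# advisories raised the recommended floor; adjust per the Apache security page.
FIXED_VERSION = (2, 15, 0)


def parse_version(text):
    """Turn '2.14.1' (or 'log4j-core-2.14.1.jar') into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def classify(version, jndi_present):
    """fixed: version at/after the fix; vulnerable: lookup class present and
    version old or unknown; mitigated: old version with the class removed."""
    if version is not None and version >= FIXED_VERSION:
        return "fixed"
    return "vulnerable" if jndi_present else "mitigated"


def inspect_archive(zf, path, findings):
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:  # authoritative version written by the Maven build
        for line in zf.read(POM_PROPS).decode("ascii", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1])
    if version is None and "log4j-core" in os.path.basename(path):
        version = parse_version(os.path.basename(path))  # fall back to file name
    if JNDI_LOOKUP in names or POM_PROPS in names:
        findings.append({"path": path, "version": version,
                         "jndi_lookup_present": JNDI_LOOKUP in names,
                         "status": classify(version, JNDI_LOOKUP in names)})
    # Descend into nested archives (fat jars, WEB-INF/lib inside a WAR).
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, path + "!" + name, findings)


def scan(root):
    """Return one finding per log4j-core archive found under `root`."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(full) as zf:
                        inspect_archive(zf, full, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def jar_bytes(version=None, include_jndi=True):
    """Constructed fixture: a minimal jar with optional JndiLookup and pom."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        if version:
            zf.writestr(POM_PROPS, "version=%s\n" % version)
    return buf.getvalue()


def write_file(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed sample tree and map each archive name to its status."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    write_file(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), jar_bytes("2.14.1"))
    write_file(os.path.join(root, "lib", "log4j-core-2.14.1-nojndi.jar"),
               jar_bytes("2.14.1", include_jndi=False))  # class removed by hand
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:  # WAR bundling a fixed log4j-core
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", jar_bytes("2.17.1"))
    write_file(os.path.join(root, "webapps", "app.war"), war.getvalue())
    write_file(os.path.join(root, "lib", "commons-io-2.11.0.jar"),
               jar_bytes(None, include_jndi=False))  # unrelated, must not be reported
    return {os.path.basename(f["path"].split("!")[-1]): f["status"] for f in scan(root)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for f in scan(target) if target else []:
        print(f["status"], f["version"], f["path"])
    if not target:
        print(demo())
```

Run it with a directory argument (for example the application server's deployment root) to list findings; without an argument it scans the constructed sample tree. A "vulnerable" result means the JNDI lookup class is present in a log4j-core older than the threshold or of unknown version, "mitigated" means the class was stripped from an old jar, and "fixed" means the version is at or above FIXED_VERSION.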
Status
Additional Information
- https://suse.com/security/cve/CVE-2021-44228.html
- https://www.suse.com/c/suse-statement-on-log4j-log4shell-cve-2021-44228-vulnerability/
- https://logging.apache.org/log4j/2.x/security.html
The CVE search uses metadata within a patch to display the needed information. As no patch is needed (SUSE products are not affected), the CVE search for CVE-2021-44228 returns "not found".
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020526
- Creation Date: 13-Dec-2021
- Modified Date: 15-Dec-2021
- Environment:
  - SUSE Enterprise Storage
  - SUSE Linux Enterprise Server
  - SUSE Open Stack Cloud
  - SUSE Manager
  - SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com