All errata/sisyphus/ALT-PU-2022-7659-2
ALT-PU-2022-7659-2

Package update log4j in branch sisyphus

Version2.17.2-alt1_1jpp11
Task#303053
Published2026-02-04
Max severityMEDIUM
Severity:

Closed issues (3)

BDU:2022-00044
MEDIUM6.6

Уязвимость библиотеки журналирования Java-программ Apache Log4j2, связанная с отсутствием дополнительных элементов управления доступом JNDI, позволяющая нарушителю выполнить произвольный код

Published: 2022-01-10Modified: 2024-10-02
CVSS 3.xMEDIUM 6.6
CVSS:3.x/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0HIGH 7.1
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:C/A:C
References
CVE-2021-44832
MEDIUM6.6

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Published: 2021-12-28Modified: 2024-11-21
CVSS 2.0HIGH 8.5
CVSS:2.0/AV:N/AC:M/Au:S/C:C/I:C/A:C
CVSS 3.xMEDIUM 6.6
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
References
GHSA-8489-44mv-ggj8
MEDIUM6.6

Improper Input Validation and Injection in Apache Log4j2

Published: 2022-01-04Modified: 2025-05-09
CVSS 3.xMEDIUM 6.6
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
References