Wind River Support Network

HomeSafety and Security NoticesWind River Security Vulnerability Notice: CVE-2021-44228, CVE-2021-4104, CVE-2021-45046, CVE-2021-45105, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307
Recommended

Wind River Security Vulnerability Notice: CVE-2021-44228, CVE-2021-4104, CVE-2021-45046, CVE-2021-45105, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307

Released: Dec 13, 2021     Updated: Jan 19, 2022

Summary

Wind River Linux is not affected by CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2022-23302, CVE-2022-23305 or CVE-2022-23307. WRLinux 8 and earlier release is not affected by CVE-2021-4104 provided the JMSAppender component has not been manually activated.

Affected Product Versions

Wind River Linux LTS 21, Wind River Linux CD, Wind River Linux LTS 19, Wind River Linux LTS 18, Wind River Linux LTS 17, Wind River Linux 9, Wind River Linux 5, Wind River Linux 6, Wind River Linux 7, Wind River Linux 8

Description

CVE-2021-44228(urgent): Apache released version 2.15.0 of their Log4j framework which included a fix for CVE-2021-44228, a critical (CVSSv3 10) remote code execution (RCE) vulnerability affecting Apache Log4j 2.14.1 and earlier versions. Successful exploitation of CVE-2021-44228 can allow a remote, unauthenticated attacker to take full control of a vulnerable target system.

CVE-2021-45046(urgent): It was found that the fix to address CVE-2021-44228(the CVE above) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).


CVE-2021-45105(high): Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

CVE-2021-4104(medium): Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2.


CVE-2022-23302(medium): JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104.

Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default.


CVE-2022-23305(high): By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converted from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.

Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs.


CVE-2022-23307(high): A deserialization flaw was found in Apache log4j 1.2.x. While reading serialized log events, they are improperly deserialized. an attacker could
Note this is the same as CVE-2020-9493 which identified a deserialization issue in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x.


CVE-2021-4104 is a medium security issue, to use it, the attacker must have write access to the Log4j configuration and JMSAppender must be active to use it (Which is not the Default).


CVE-2021-44228 and later CVE-2021-45046, CVE-2021-45105 are urgent security issues. WRLinux is not affected by these Vulnerabilities.

Wind River Linux Versions 8.0 and prior are not affected by CVE-2021-4104 provided the JMSAppender component is not manually activated. see details below

What software is known to be affected by these CVEs?

All software/system contain log4j or log4j2.


Is Wind River Linux affected by these CVE issues?



CVE-2021-44228
CVE-2021-45046
CVE-2021-45105
CVE-2021-4104
CVE-2022-23302
CVE-2022-23305
CVE-2022-23307
WRL-6
No
No
No
No*
No*No*No*
WRL-7
No
No
NoNo*
No*No*No*
WRL-8
No
No
NoNo*
No*No*No*
WRL 9
NoNoNoNoNoNoNoNo
LTS17
NoNoNoNoNoNoNo
LTS18
NoNoNoNoNoNoNo
LTS19
NoNoNoNoNoNoNo
LTS21No
NoNoNoNoNoNo


* The Wind River Linux Product Versions 8.0 and prior contains the log4j1.2 and JMSAppender components, however, JMSAppender is deactivated in the release package and not affected by CVE-2021-4104 customers are advised to NOT manually activate the JMSAppender component.


Necessary conditions that CVE-2021-4014 can be used to attack WRLinux:

  1. WRlinux-8 and lower version;
  2. The runtime system contains package log4j;
  3. Package log4j been manually specified to use JMSAppender (It is not the default one);
  4. The attacker has write access to the log4j configuration.

Just like CVE-2021-4014, by default, CVE-2022-23302/05/07 are harmless for related component are not default configuration.

https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2021-44228

https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2021-45046

https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2021-45105

https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2021-4104


Affected software components:

log4j2 and log4j

Affected hardware:

This is a pure software issue.

Mitigation

For CVE-2021-44228 and CVE-2021-45046, no mitigation needed for we have no log4j2

CVE-2021-4104 We Recommend our customers do not manually activate JMSAppender component. Please contact Long Term Security Shield support for upgrade options.

https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2021-4104


Additional References

https://logging.apache.org/log4j/2.x/
https://bugzilla.redhat.com/show_bug.cgi?id=2031667

https://bugzilla.redhat.com/show_bug.cgi?id=2031679

https://seclists.org/oss-sec/2021/q4/154

https://www.openwall.com/lists/oss-security/2021/12/13/1

https://nvd.nist.gov/vuln/detail/CVE-2021-45046

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105

https://logging.apache.org/log4j/2.x/security.html

https://www.openwall.com/lists/oss-security/2022/01/18/3

https://www.openwall.com/lists/oss-security/2022/01/18/4

https://www.openwall.com/lists/oss-security/2022/01/18/5


Changelog

  • 01/20/2022 Add CVE-2022-23302, CVE-2022-23305 and CVE-2022-23307 on log4j
  • 12/20/2021 Add CVE-2021-45105 on log4j2
  • 12/17/2021Update guidance for CVE-2021-4104
  • 12/15/2021: Add CVE-2021-45046 on log4j2
  • 12/14/2021: Add CVE-2021-4104 on log4j
  • 12/13/2021: Initial

Live chat
Online
  • Linkedin
  • Facebook
  • Twitter
  • Youtube