Community Packages


FS#72975 - 0-Day RCE in log4j, present in at least one package

Attached to Project: Community Packages
Opened by Chris Snell (chrissnell) - Saturday, 11 December 2021, 03:02 GMT
Last edited by Massimiliano Torromeo (mtorromeo) - Sunday, 12 December 2021, 16:47 GMT
Task Type Bug Report
Category Security
Status Assigned
Assigned To Levente Polyak (anthraxx)
NicoHood (NicoHood)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 10%
Votes 0
Private No

Details

0-day with RCE being actively exploited. CVE-2021-44228 affects outdated log4j libraries, including the elasticsearch package. Presumably other packages are affected.

https://www.lunasec.io/docs/blog/log4j-zero-day/

Comment by loqs (loqs) - Saturday, 11 December 2021, 20:14 GMT
Comment by Justin Kromlinger (hashworks) - Sunday, 12 December 2021, 13:33 GMT
Regarding elasticsearch: I've implemented the linked patch in 7.10.2-2. It replaces `/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar` with `elasticsearch-log4j-7.10.2.jar`, which doesn't include the `JndiLookup.class`:
```
old/org/apache/logging/log4j/core/util/JndiCloser.class
old/org/apache/logging/log4j/core/selector/JndiContextSelector.class
old/org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class
old/org/apache/logging/log4j/core/net/JndiManager$1.class
old/org/apache/logging/log4j/core/net/JndiManager.class
old/org/apache/logging/log4j/core/lookup/JndiLookup.class <-----
new/org/apache/logging/log4j/core/util/JndiCloser.class
new/org/apache/logging/log4j/core/selector/JndiContextSelector.class
new/org/apache/logging/log4j/core/net/JndiManager.class
new/org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class
new/org/apache/logging/log4j/core/net/JndiManager$1.class
```
Comment by freswa (frederik) - Sunday, 12 December 2021, 14:09 GMT
ghidra is fixed with 10.1 in [community]
Comment by David Runge (dvzrv) - Sunday, 12 December 2021, 14:51 GMT
solr is fixed with 8.11.0-2 in [community]
Comment by Massimiliano Torromeo (mtorromeo) - Sunday, 12 December 2021, 16:47 GMT
logstash patched in 7.10.2-1
Comment by Massimiliano Torromeo (mtorromeo) - Sunday, 12 December 2021, 16:52 GMT
openfire updated to 4.6.5 which already uses log4j 2.15.0
Comment by Freedom Dev (FreedomDev) - Monday, 16 May 2022, 19:37 GMT
scanner: https://github.com/logpresso/CVE-2021-44228-Scanner
args:[--scan-log4j1 --scan-logback --scan-zip /]


netbeans 13-1 [?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /usr/lib/netbeans/ide/modules/ext/log4j-1.2.15.jar, log4j 1.2.15
(https://blogs.apache.org/netbeans/entry/log4j-and-apache-netbeans)

jmol 14.32.55-1 [?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /usr/share/jmol/JmolData.jar, log4j 1.2.14
jmol 14.32.55-1 [?] Found CVE-2021-4104 (log4j 1.2) vulnerability in /usr/share/jmol/Jmol.jar, log4j 1.2.14
(https://bugs.archlinux.org/task/74845)->(https://sourceforge.net/p/jmol/code/22275/)-OK

zaproxy 2.11.1-1 [*] Found CVE-2021-45046 (log4j 2.x) vulnerability in /usr/share/zaproxy/lib/log4j-core-2.15.0.jar, log4j 2.15.0
>fixed<
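Added example, not code from the Arch packagers or from the logpresso scanner linked above: a small Python script that covers both what the scanner output above reports (the version of a log4j copy bundled in a jar, the CVE it maps to, jars nested inside other jars) and the mitigation hashworks applied to elasticsearch (dropping `JndiLookup.class` from the jar, which is what a scan then reports as fixed). The `pom.properties` paths used to read the version, the sample jars, and the version thresholds for CVE-2021-44228 (below 2.15.0) and CVE-2021-45046 (2.15.0) are this example's own assumptions; the sample jars are constructed in memory with placeholder bytes, not real bytecode.

```python
"""Added example (not Arch's or logpresso's code): find bundled log4j copies in jars
and apply the JndiLookup.class removal used for the elasticsearch package."""
import io
import itertools
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j jars; the version is read from it (assumed layout).
POM_2X = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_1X = "META-INF/maven/log4j/log4j/pom.properties"


def _version_from_pom(props: bytes) -> str:
    for line in props.decode("utf-8", "replace").splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "version":
            return value.strip()
    return "unknown"


def _vtuple(version: str) -> tuple:
    """'2.15.0' -> (2, 15, 0); a suffix such as '-beta9' is dropped, 'unknown' -> (0,)."""
    return tuple(int("".join(itertools.takewhile(str.isdigit, p)) or 0)
                 for p in version.split("."))


def classify(major: int, version: str, has_jndi_lookup: bool) -> str:
    """Map a log4j copy to the CVEs discussed in this task (thresholds are assumptions)."""
    if major == 1:
        return "CVE-2021-4104 candidate (log4j 1.2; needs JMSAppender in the config)"
    if not has_jndi_lookup:
        return "mitigated: JndiLookup.class removed"
    v = _vtuple(version)  # an unknown version with JndiLookup present is still flagged
    if v < (2, 15, 0):
        return "VULNERABLE: CVE-2021-44228"
    if v < (2, 16, 0):
        return "VULNERABLE: CVE-2021-45046"
    return "not affected by CVE-2021-44228 / CVE-2021-45046"


def scan_jar(source, label: str, depth: int = 0) -> list:
    """One finding per log4j copy in `source` (path or file object). Jars nested one
    level down (a log4j jar shipped inside an application jar) are scanned as well."""
    findings = []
    with zipfile.ZipFile(source) as zf:
        names = set(zf.namelist())
        if POM_2X in names or any(n.startswith("org/apache/logging/log4j/core/") for n in names):
            version = _version_from_pom(zf.read(POM_2X)) if POM_2X in names else "unknown"
            findings.append({"jar": label, "log4j": version,
                             "status": classify(2, version, JNDI_LOOKUP in names)})
        if POM_1X in names or any(n.startswith("org/apache/log4j/") for n in names):
            version = _version_from_pom(zf.read(POM_1X)) if POM_1X in names else "unknown"
            findings.append({"jar": label, "log4j": version,
                             "status": classify(1, version, False)})
        if depth == 0:
            for n in sorted(names):
                if n.endswith(".jar"):
                    findings += scan_jar(io.BytesIO(zf.read(n)), f"{label}!{n}", depth + 1)
    return findings


def strip_jndi_lookup(src, dst) -> int:
    """Copy src to dst without JndiLookup.class (the effect of `zip -q -d <jar> <class>`);
    returns the number of entries dropped. Paths or file objects both work."""
    dropped = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_LOOKUP:
                dropped += 1
                continue
            zout.writestr(info, zin.read(info))  # keeps the entry's own compression type
    return dropped


def build_sample_jar(version: str, with_jndi_lookup: bool = True, major: int = 2) -> io.BytesIO:
    """Constructed stand-in for a log4j jar (placeholder bytes, no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if major == 1:
            zf.writestr(POM_1X, f"groupId=log4j\nartifactId=log4j\nversion={version}\n")
            zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        else:
            zf.writestr(POM_2X, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
            zf.writestr("org/apache/logging/log4j/core/net/JndiManager.class", b"\xca\xfe\xba\xbe")
            if with_jndi_lookup:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf


def demo() -> dict:
    """Scan / strip / rescan on constructed jars; returns the statuses keyed by jar name."""
    results = {}
    vulnerable = build_sample_jar("2.11.1")  # the log4j-core version elasticsearch 7.10.2 shipped
    results["log4j-core-2.11.1.jar"] = scan_jar(vulnerable, "log4j-core-2.11.1.jar")[0]["status"]
    vulnerable.seek(0)
    hardened = io.BytesIO()
    results["dropped"] = strip_jndi_lookup(vulnerable, hardened)
    hardened.seek(0)
    results["hardened.jar"] = scan_jar(hardened, "hardened.jar")[0]["status"]
    outer = io.BytesIO()  # application jar bundling a log4j-core 2.15.0 jar under lib/
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("lib/log4j-core-2.15.0.jar", build_sample_jar("2.15.0").getvalue())
    outer.seek(0)
    results["app.jar"] = {f["jar"]: f["status"] for f in scan_jar(outer, "app.jar")}
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run as-is it prints the three constructed cases: the 2.11.1 jar is flagged for CVE-2021-44228, the same jar after `strip_jndi_lookup` reports as mitigated, and the 2.15.0 jar nested in `app.jar` is flagged for CVE-2021-45046 the way the zaproxy line in the scanner output above is. Removing `JndiLookup.class` is a stop-gap that keeps an old jar in place; a rebuild against a fixed log4j, as the other comments here did per package, is the durable fix.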
Comment by Leonidas Spyropoulos (inglor) - Wednesday, 18 May 2022, 23:52 GMT
zaproxy patched in 2.11.1-2 [community]
Comment by loqs (loqs) - Tuesday, 24 May 2022, 19:30 GMT
netbeans upstream does not believe it is/was vulnerable https://blogs.apache.org/netbeans/entry/log4j-and-apache-netbeans
