Log

AVG-2626 edited at 14 Dec 2021 19:49:34
Issues
CVE-2021-44228
+ CVE-2021-45046
CVE-2021-44228 edited at 14 Dec 2021 19:48:32
References
- https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.15.0
+ https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
https://www.lunasec.io/docs/blog/log4j-zero-day/
CVE-2021-45046 edited at 14 Dec 2021 19:48:14
Description
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability.
-
Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
CVE-2021-45046 created at 14 Dec 2021 19:48:06
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability.
+
+
+ Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
+
+ This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
References
+ https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046
Notes
AVG-2641 edited at 14 Dec 2021 19:44:32
Status
- Vulnerable
+ Not affected
Advisory qualified
- Yes
+ No
AVG-2641 edited at 14 Dec 2021 19:44:26
Severity
- Unknown
+ Medium
CVE-2021-4044 edited at 14 Dec 2021 19:44:26
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ A security issue has been found in OpenSSL 3.0.0. Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses.
+
+ This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains.
+
+ By combining the two issues an attacker could induce incorrect, application dependent behaviour.
+
+ OpenSSL 3.0.0 SSL/TLS clients are affected by this issue. Users of this version should upgrade to OpenSSL 3.0.1. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
References
+ https://mta.openssl.org/pipermail/openssl-announce/2021-December/000213.html
Notes
AVG-2641 created at 14 Dec 2021 19:41:27
Packages
+ openssl
Issues
+ CVE-2021-4044
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 1.1.1.l-1
Fixed
Ticket
Advisory qualified
+ Yes
References
Notes
CVE-2021-4044 created at 14 Dec 2021 19:41:27
CVE-2021-4011 edited at 14 Dec 2021 19:39:57
Description
- A security issue has been found in X.Org before version 21.1.2. The handlers for the RecordCreateContext and RecordRegisterClients requests of the Record extension do not properly validate the request length leading to an out of bounds memory write. This can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for SSH X forwarding sessions.
+ A security issue has been found in X.Org before version 21.1.2 and Xwayland before version 21.1.4. The handlers for the RecordCreateContext and RecordRegisterClients requests of the Record extension do not properly validate the request length leading to an out of bounds memory write. This can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for SSH X forwarding sessions.
References
https://lists.x.org/archives/xorg-announce/2021-December/003122.html
+ https://lists.x.org/archives/xorg-announce/2021-December/003123.html
https://gitlab.freedesktop.org/xorg/xserver/-/commit/e56f61c79fc3cee26d83cda0f84ae56d5979f768
CVE-2021-4010 edited at 14 Dec 2021 19:39:43
Description
- A security issue has been found in X.Org before version 21.1.2. The handler for the Suspend request of the Screen Saver extension does not properly validate the request length leading to an out of bounds memory write. This can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for SSH X forwarding sessions.
+ A security issue has been found in X.Org before version 21.1.2 and Xwayland before version 21.1.4. The handler for the Suspend request of the Screen Saver extension does not properly validate the request length leading to an out of bounds memory write. This can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for SSH X forwarding sessions.
References
https://lists.x.org/archives/xorg-announce/2021-December/003122.html
+ https://lists.x.org/archives/xorg-announce/2021-December/003123.html
https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c4c53010772e3cb4cb8acd54950c8eec9c00d21
CVE-2021-4009 edited at 14 Dec 2021 19:39:29
Description
- A security issue has been found in X.Org before version 21.1.2. The handler for the CreatePointerBarrier request of the XFixes extension does not properly validate the request length leading to out of bounds memory write. This can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for SSH X forwarding sessions.
+ A security issue has been found in X.Org before version 21.1.2 and Xwayland before version 21.1.4. The handler for the CreatePointerBarrier request of the XFixes extension does not properly validate the request length leading to out of bounds memory write. This can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for SSH X forwarding sessions.
References
https://lists.x.org/archives/xorg-announce/2021-December/003122.html
+ https://lists.x.org/archives/xorg-announce/2021-December/003123.html
https://gitlab.freedesktop.org/xorg/xserver/-/commit/b5196750099ae6ae582e1f46bd0a6dad29550e02