SUSE Statement on log4j / log4shell / CVE-2021-44228 / Vulnerability

On Friday December 10 morning a new exploit in “log4j” Java logging framework was reported, that can be trivially exploited. This vulnerability is caused by a new feature introduced in log4j 2.x versions where a specific string embedded in messages logged by log4j would be interpreted by log4j to connect to remote sites and even execute code directly.

The vulnerability, also called “log4shell”:

• Does not impact SUSE Linux Enterprise products directly as these are still shipping only an older version of log4j that is not affected by this bug.
• SUSE Rancher is not affected by this vulnerability. The Helm chart for Istio 1.5, provided by Rancher and which is currently deprecated, includes Zipkin and is vulnerable to Log4j. Customers are advised to upgrade to the recent Istio version provided in Cluster Explorer, which does not uses Zipkin and is not affect to the vulnerability.
• The vulnerability does not affect SUSE Manager, as it is still using at most log4j 1.2.x, which is not affected.
• One component of SUSE OpenStack Cloud (“storm”) embeds log4j 2.x, which will receive updates.

The recently acquired NeuVector product is not affected by this vulnerability, but in its security scanner functionality has now added support for scanning your containers, see the NeuVector log4j2 page.

Update: A much less severe similar vulnerability was discovered in older log4j 1.2.x versions via the JMS interface. This JMS functionality is not default enabled, administrators must have enabled it. SUSE has also published updates for log4j 1.2 versions disabling the JMS functionality completely.

For the log4j 1.2.x packages, SUSE is committed to continue fixing security issues in these packages, even though upstream has declared them End-of-Life. In parallel SUSE plans to ship log4j 2.x versions where possible so customers can migrate to the newer log4j major release.

References:

• SUSE CVE page for CVE-2021-44228
• SUSE CVE Page for CVE-2021-45046
• SUSE CVE Page for CVE-2021-4104 (log4j 1.2)
• log4j security advisory
• SUSE TID 000020526
• NeuVector page on log4j2 scanning addition
• US CISA guidance on log4j
• BSI notification about log4j (PDF)

If you have any questions or concerns, please reach out to your SUSE contact. Security and reliability continue to be top priorities for SUSE because they are top priorities for our customers and partners. And as always, customers and partners come first.