Security vulnerability: log4j remote code execution aka log4shell CVE-2021-44228
This document (000020526) is provided subject to the disclaimer at the end of this document.
exploiting the default enabled JNDI bindings. This is possible without any preconditions, making it critical.
SUSE Linux Enterprise products do not ship log4j 2.x.
SUSE Manager does not ship log4j 2.x.
SUSE Enterprise Storage does not ship log4j 2.x.
SUSE Openstack Cloud embeds log4j2 in the "storm" component, which will receive updates.
SUSE NeuVector product does not ship log4j 2.x.
SUSE Rancher is not affected by this vulnerability. The Helm chart for Istio 1.5, provided by Rancher and which is currently deprecated, includes Zipkin and is vulnerable to Log4j. Customers are advised to upgrade to the recent Istio version provided in Cluster Explorer, which does not uses Zipkin and is not affect to the vulnerability.
Please refer to the upstream guidance from log4j on fixing and mitigation measures if you deploy your Java Application stacks.
The CVE-search will use meta-data within a patch to display the needed information. As there is no patch needed (as SUSE is not effected), the CVE-search for CVE-2021-44228 will return a "not found".
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020526
- Creation Date: 15-Dec-2021
- Modified Date:15-Dec-2021
- SUSE Enterprise Storage
- SUSE Linux Enterprise Server
- SUSE Open Stack Cloud
- SUSE Manager
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com