SUSE Manager log4j and CVE-2021-44228
This document (000020647) is provided subject to the disclaimer at the end of this document.
SUSE Manager 4.1
1 - Take no action
Security teams can be reassured that the log4j version that SUSE Manager 4.1 and 4.2 currently use, isn't affected by CVE-2021-44228 (see Additional Information below).
2 - Update to reload4j
The log4j version that SUSE Manager uses isn't affected by the vulnerability, but security scans may still recommend updating (see cause below). To satisfy security scanners, you can upgrade to the reload4j package.
Updating the package from "log4j12" to "reload4j":
# zypper in reload4j
After that, restart the SUSE Manager services:
# spacewalk-service restart
For stability reasons, SUSE often stays on a specific package version, and backports security fixes as needed. That means that a SUSE package may show a lower version than an upstream package version, but still include a fix. In other cases, such as this case, the package version provided by SUSE does not include the code that led to the vulnerability in the first place.
To check how a vulnerability is affecting SUSE products and packages, admins can check the SUSE CVE database, which is maintained by our security team:
For more details about this specific CVE, visit this link:
For more details about security scanners and SUSE, visit this link:
This particular situation will likely only be temporary, as future SUSE Manager versions will change log4j package requirements. If there are any questions or concerns, please open a case with SUSE support.
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020647
- Creation Date: 28-Apr-2022
- Modified Date:04-May-2022
- SUSE Manager
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com