SUSE Manager log4j and CVE-2021-44228

This document (000020647) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Manager 4.2
SUSE Manager 4.1
 

Situation

Security scans are recommending an update to the log4j version that is being used in SUSE Manager.

Resolution

You have two options to resolve the issue:

1 - Take no action

Security teams can be reassured that the log4j version SUSE Manager 4.1 and 4.2 currently use is not affected by CVE-2021-44228 (see Additional Information below).

2 - Update to reload4j

The log4j version that SUSE Manager uses is not affected by the vulnerability, but security scans may still recommend updating (see Cause below). To satisfy security scanners, you can upgrade to the reload4j package.

Updating the package from "log4j12" to "reload4j":
# zypper in reload4j

After that, restart the SUSE Manager services:
# spacewalk-service restart
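As an added example (not part of this SUSE article), the following POSIX shell helper classifies the log4j-family RPMs reported by rpm for CVE-2021-44228 only. The package names log4j12 and reload4j come from this article; treating the 2.15.0 boundary as the upstream fix is general log4j knowledge, and the sample package list is constructed, not real host output.

```shell
#!/bin/sh
# Added example: classify log4j-family packages for CVE-2021-44228.
# Input format matches: rpm -qa --qf '%{NAME} %{VERSION}\n' 'log4j*' 'reload4j*'

# classify_log4j_pkg NAME VERSION -> prints one verdict word
classify_log4j_pkg() {
  name=$1; ver=$2
  case "$name" in
    log4j12|reload4j)
      # Log4j 1.2 lineage (what SUSE Manager 4.1/4.2 ship): the JNDI lookup
      # code behind CVE-2021-44228 does not exist in it at all.
      echo "not-affected" ;;
    *)
      case "$ver" in
        1.*) echo "not-affected" ;;
        2.*)
          # Extract the minor number; handles "2.14.1" and "2.0-beta9".
          minor=${ver#2.}; minor=${minor%%.*}; minor=${minor%%-*}
          # A version alone is not a verdict on SUSE: fixes may be backported
          # (see the Cause section), so below 2.15 the answer is "review the
          # SUSE CVE page", not "vulnerable".
          if [ "$minor" -lt 15 ] 2>/dev/null; then
            echo "review-suse-advisory"
          else
            echo "fixed-upstream"
          fi ;;
        *) echo "unknown" ;;
      esac ;;
  esac
}

# audit_rpm_list: read "NAME VERSION" lines on stdin, print "NAME VERSION VERDICT"
audit_rpm_list() {
  while read -r name ver; do
    [ -n "$name" ] || continue
    printf '%s %s %s\n' "$name" "$ver" "$(classify_log4j_pkg "$name" "$ver")"
  done
}

# audit_sample: constructed package list, a host before and after installing reload4j
audit_sample() {
  printf 'log4j12 1.2.17\nreload4j 1.2.19\n' | audit_rpm_list
}

# On a live host, run:
#   rpm -qa --qf '%{NAME} %{VERSION}\n' 'log4j*' 'reload4j*' | audit_rpm_list
```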

Cause

Security scanners usually check the installed package versions against known issues.

For stability reasons, SUSE often stays on a specific package version and backports security fixes as needed. That means a SUSE package may show a lower version than the upstream package, yet still include the fix. In other cases, such as this one, the package version provided by SUSE does not include the code that led to the vulnerability in the first place.

Additional Information

To check how a vulnerability affects SUSE products and packages, admins can consult the SUSE CVE database, which is maintained by our security team:
https://www.suse.com/security/cve/

For more details about this specific CVE, visit this link:
https://www.suse.com/security/cve/CVE-2021-44228.html

For more details about security scanners and SUSE, visit this link:
https://www.suse.com/c/security-vulnerability-scanners-enterprise-linux/

This particular situation will likely only be temporary, as future SUSE Manager versions will change log4j package requirements. If there are any questions or concerns, please open a case with SUSE support.
 

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020647
  • Creation Date: 28-Apr-2022
  • Modified Date: 04-May-2022
  • Product: SUSE Manager
