Debian DLA-2870-1 : apache-log4j2 - LTS security update

medium Nessus Plugin ID 156449

Synopsis

The remote Debian host is missing a security-related update.

Description

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2870 advisory.

 - Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
 (CVE-2021-44832)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade the apache-log4j2 packages.

For Debian 9 stretch, this problem has been fixed in version 2.12.4-0+deb9u1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002813

http://www.nessus.org/u?a7f9f2b8

https://www.debian.org/lts/security/2021/dla-2870

https://security-tracker.debian.org/tracker/CVE-2021-44832

https://packages.debian.org/source/stretch/apache-log4j2

Plugin Details

Severity: Medium

ID: 156449

File Name: debian_DLA-2870.nasl

Version: 1.2

Type: local

Agent: unix

Published: 1/1/2022

Updated: 1/1/2022

Supported Sensors: Frictionless Assessment Agent, Nessus Agent

Risk Information

CVSS Score Source: CVE-2021-44832

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.4

Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 6.6

Temporal Score: 5.8

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:liblog4j2-java, p-cpe:/a:debian:debian_linux:liblog4j2-java-doc, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 12/29/2021

Vulnerability Publication Date: 12/10/2021

Reference Information

CVE: CVE-2021-44832

IAVA: 2021-A-0573