发布时间: 2022年9月23日
修改时间: 2022年9月23日
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
| NVD | openEuler | |
|---|---|---|
| Confidentiality | High | None |
| Attack Vector | Network | Network |
| CVSS评分 | 9.0 | 3.7 |
| Attack Complexity | High | High |
| Privileges Required | None | None |
| Scope | Changed | Unchanged |
| Integrity | High | None |
| User Interaction | None | None |
| Availability | High | Low |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2022-2119 | log4j security update | 2022年9月23日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-4A | log4j | Fixed |
| KY3.4-5A | log4j | Fixed |
