
Security vulnerability: log4j remote code execution aka log4shell CVE-2021-44228

This document (000020526) is provided subject to the disclaimer at the end of this document.

Environment

All products

Situation

A 0-day exploit in the log4j Java logging framework was found by Chen Zhaojun of Alibaba Cloud Security Team. It allows remote attackers who can inject strings into log4j-based Java logging to execute code by exploiting the JNDI bindings that are enabled by default. This is possible without any preconditions, making it critical.

Resolution

SUSE considers log4j versions 2.0 and newer as affected. log4j 1.2.x does not have the same critical vulnerability and is not considered affected by this CVE.

SUSE Linux Enterprise products do not ship log4j 2.x.

SUSE Manager does not ship log4j 2.x.

SUSE Enterprise Storage does not ship log4j 2.x.

SUSE Openstack Cloud embeds log4j2 in the "storm" component, which will receive updates.

SUSE NeuVector product does not ship log4j 2.x.

SUSE Rancher is not affected by this vulnerability. The Helm chart for Istio 1.5, provided by Rancher and currently deprecated, includes Zipkin and is vulnerable to this log4j issue. Customers are advised to upgrade to the recent Istio version provided in Cluster Explorer, which does not use Zipkin and is not affected by the vulnerability.

Please refer to the upstream guidance from log4j on fixes and mitigation measures if you deploy your own Java application stacks.
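An added inventory helper, not part of this SUSE document, that applies the rule above (2.0 and newer affected, 1.2.x not) to jar files on a host: it reads each log4j jar's manifest version and also reports whether the JndiLookup class is present, the class that upstream's mitigation for older 2.x releases removes from the jar. The jars it builds for the demo are constructed stand-ins, not real log4j artifacts.

```python
import io
import re
import zipfile
from pathlib import Path
from tempfile import TemporaryDirectory

# Class implementing the JNDI lookup in log4j-core 2.x; upstream's mitigation for
# older 2.x releases deletes it from the jar, so its presence is worth reporting.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^(?:Implementation-Version|Bundle-Version):\s*(\S+)", re.M)

def inspect_jar(data: bytes) -> dict:
    """Classify one jar (raw bytes) using the advisory's rule: 2.0 and newer affected."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            match = VERSION_RE.search(manifest)
            version = match.group(1) if match else None
        jndi_present = JNDI_LOOKUP in names
    major = version.split(".")[0] if version else ""
    return {
        "version": version,
        "jndi_lookup_present": jndi_present,
        # 1.2.x is not affected per the advisory; 2.x is, even if the lookup class was removed
        "affected": major == "2",
    }

def scan_tree(root) -> dict:
    """Walk a directory tree and inspect every jar whose file name mentions log4j."""
    findings = {}
    for path in Path(root).rglob("*.jar"):
        if "log4j" in path.name.lower():
            try:
                findings[path.name] = inspect_jar(path.read_bytes())
            except zipfile.BadZipFile:
                findings[path.name] = {"error": "not a valid jar"}
    return findings

def build_sample_jar(version: str, with_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j jar: a manifest plus an optional JndiLookup entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return buf.getvalue()

def demo() -> dict:
    """Scan a constructed tree holding one 1.2.x jar and one 2.x jar that still has the lookup class."""
    with TemporaryDirectory() as tmp:
        Path(tmp, "lib").mkdir()
        Path(tmp, "lib", "log4j-1.2.17.jar").write_bytes(build_sample_jar("1.2.17", False))
        Path(tmp, "lib", "log4j-core-2.14.1.jar").write_bytes(build_sample_jar("2.14.1", True))
        return scan_tree(tmp)
```

Run `scan_tree("/")` (or a narrower application root) to inventory a real host; jars embedded inside other jars or WAR files are not unpacked by this helper.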

Status

Security Alert

Additional Information

Additional information can be found here:

Note regarding SUSE Manager Server:

The CVE search uses the metadata within a patch to display the needed information. As no patch is needed (SUSE is not affected), the CVE search for CVE-2021-44228 will return "not found".

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.