Opencast uses an Apache Log4j2 version which, combined with older JDK versions, can be used for remote code execution attacks which have been found to be actively exploited.

Apache Log4j2 <=2.14.1 JNDI features is not sufficiently protected. An attacker who can control log messages or log message parameters can execute arbitrary code when message lookup substitution is enabled.

Who is affected

Opencast before 9.10 or 10.6 are affected
- Log4j version: all 2.x versions before 2.15.0 are affected

Patches

The issue has been fixed in Opencast 9.10 and 10.6.

Workarounds

The vulnerability can be mitigated by setting system property log4j2.formatMsgNoLookups to true.

References

Opencast pull request mitigating the vulnerability
CVE-2021-44228 Detail
Analysis and Remediation Guidance to the Log4j Zero-Day RCE (CVE-2021-44228) Vulnerability
VE-2021-44228 – Log4j 2 Vulnerability Analysis

For more information

If you have any questions or comments about this advisory:

Open an issue in our issue tracker
Email us at [email protected]

Note about dependencies

This issue affects many Java applications. Please also verify these are not vulnerable.

CPENameOperatorVersion
org.opencastproject:opencast-commonlt10.6
org.opencastproject:opencast-commonlt9.10

CPE	Name	Operator	Version
	org.opencastproject:opencast-common	lt	10.6
	org.opencastproject:opencast-common	lt	9.10

References

docs.opencast.org/r/10.x/admin/#changelog/#opencast-106

docs.opencast.org/r/9.x/admin/#changelog/#opencast-910

github.com/advisories/GHSA-mf4f-j588-5xm8

github.com/opencast/opencast/pull/3253

github.com/opencast/opencast/security/advisories/GHSA-mf4f-j588-5xm8

nvd.nist.gov/vuln/detail/CVE-2021-44228

githubexploit 45

ibm 54

threatpost 46

nessus 10

hackerone 3

cisa 1

rapid7blog 6

impervablog 2

amd 1

kaspersky 2

mssecure 1

msrc 2

trellix 2

hivepro 2

talosblog 1

trendmicroblog 1

packetstorm 4

qualysblog 1

wallarmlab 2

akamaiblog 1

openvas 2

veracode 1

osv 1

cisa_kev 1

fedora 1

redhat 3

cve 1

mmpc 1

suse 1

thn 1

githubexploit

Exploit for Expression Language Injection in Apache Log4J

2021-12-14 14:51:26

Exploit for Deserialization of Untrusted Data in Apache Log4J

2021-12-13 11:29:57

Exploit for Improper Input Validation in Apache Log4J

2021-12-17 08:48:59

ibm

Security Bulletin: IBM Netcool Agile Service Manager is affected by a vulnerability in Apache Log4j (CVE-2021-44228)

2021-12-23 18:45:10

Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling Control Center (CVE-2021-44228)

2021-12-17 18:27:06

Security Bulletin: IBM Cloud Pak for Applications is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)

2021-12-22 06:59:57

threatpost

Free HermeticRansom Ransomware Decryptor Released

2022-03-04 16:56:27

Cyberattackers Target UPS Back-Up Power Devices in Mission-Critical Environments

2022-03-30 17:14:57

DarkHotel APT Targets Wynn, Macao Hotels to Rip Off Guest Data

2022-03-18 18:53:40

nessus

Ubuntu 16.04 ESM : Apache Log4j 2 vulnerability (USN-5192-2)

2021-12-17 00:00:00

FreeBSD : OpenSearch -- Log4Shell (4b1ac5a3-5bd4-11ec-8602-589cfc007716)

2021-12-13 00:00:00

FreeBSD : graylog -- include log4j patches (3fadd7e4-f8fb-45a0-a218-8fd6423c338f)

2021-12-13 00:00:00

hackerone

U.S. Dept Of Defense: ██████████ running a vulnerable log4j

2021-12-11 00:16:38

U.S. Dept Of Defense: ███ ████████ running a vulnerable log4j

2021-12-31 00:55:49

U.S. Dept Of Defense: Log4Shell: RCE 0-day exploit on █████████

2021-12-16 18:32:13

cisa

Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems

2022-06-23 00:00:00

rapid7blog

What's New in InsightVM and Nexpose: Q1 2022 in Review

2022-04-19 17:52:17

[Security Nation] Mike Hanley of GitHub on the Log4j Vulnerability

2022-01-19 21:47:30

3 Reasons to Join Rapid7’s Cloud Security Summit

2022-03-09 17:06:13

impervablog

Analytics Are Essential for Effective Database Security

2022-01-13 15:23:02

Continuing to Stay Ahead of CVE-2021-44228: Addressing Your Top Questions

2021-12-14 22:55:49

amd

AMD Response to Log4j (Log4Shell) Vulnerability

2021-12-15 00:00:00

kaspersky

KLA12395 RCE vulnerability in Microsoft SQL Server

2021-12-16 00:00:00

KLA12392 RCE vulnerability in Microsoft Azure

2021-12-16 00:00:00

mssecure

MERCURY and DEV-1084: Destructive attack on hybrid environment

2023-04-07 16:00:00

msrc

Microsoft’s Response to CVE-2021-44228 Apache Log4j 2

2021-12-12 05:28:18

CVE-2021-44228 Apache Log4j 2 に対するマイクロソフトの対応

2021-12-12 08:00:00

trellix

Log4J and The Memory That Knew Too Much

2022-01-19 00:00:00

Log4J and The Memory That Knew Too Much

2022-01-19 00:00:00

hivepro

Iranian hackers leveraged Log4Shell to penetrate US federal agency

2022-11-17 12:28:57

Monti ransomware infiltrates networks via the well-known Log4Shell

2022-09-16 10:51:13

talosblog

How CVSS 4.0 changes (or doesn’t) the way we see vulnerability severity

2024-02-21 13:54:48

trendmicroblog

Patch Now: Apache Log4j Vulnerability Called Log4Shell Actively Exploited

2021-12-13 00:00:00

packetstorm

Log4Shell HTTP Header Injection

2022-01-12 00:00:00

MobileIron Log4Shell Remote Command Execution

2022-08-03 00:00:00

Intel Data Center Manager 5.1 Local Privilege Escalation

2022-12-09 00:00:00

qualysblog

Log4Shell – Follow This Multi-Layered Approach for Detection and Remediation

2021-12-28 18:00:00

wallarmlab

Update on Log4Shell (CVE-2021-44228)

2021-12-10 20:22:36

Log4j 0day mitigation update CVE-2021-44228

2021-12-10 20:56:40

akamaiblog

Threat Intelligence on Log4j CVE: Key Findings and Their Implications

2021-12-17 19:30:00

openvas

Debian: Security Advisory (DLA-2842-1)

2021-12-13 00:00:00

openSUSE: Security Advisory for logback (openSUSE-SU-2021:1613-1)

2022-02-01 00:00:00

veracode

Remote Code Execution (RCE)

2021-12-10 15:09:45

osv

Critical vulnerability in log4j may affect generated PEAR projects

2021-12-16 21:01:51

cisa_kev

Apache Log4j2 Remote Code Execution Vulnerability

2021-12-10 00:00:00

fedora

[SECURITY] Fedora 34 Update: log4j-2.16.0-1.fc34

2021-12-22 01:14:26

redhat

(RHSA-2021:5130) Critical: Red Hat Integration Camel-K 1.6.2 release and security update

2021-12-14 17:51:25

(RHSA-2021:5126) Critical: Red Hat Integration Camel Extensions for Quarkus GA security update

2021-12-14 16:15:45

(RHSA-2021:5093) Critical: Red Hat build of Eclipse Vert.x 4.1.5 SP1 security update

2021-12-14 15:57:34

cve

CVE-2021-44228

2021-12-10 10:15:00

mmpc

Build a stronger cybersecurity team through diversity and training

2022-01-20 17:00:00

suse

Security update for log4j (important)

2021-12-12 00:00:00

thn

Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations

2022-08-27 03:23:00

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

JSON

Related for GHSA-MF4F-J588-5XM8