high
8.5
CWE
502
Advisory Published
Updated

CVE-2021-42550: RCE from attacker with configuration edit priviledges through JNDI lookup

First published: Thu Dec 16 2021(Updated: )

A flaw was found in the logback package. When using a specially-crafted configuration, this issue could allow a remote authenticated attacker to execute arbitrary code loaded from LDAP servers.

Credit: vulnerability@ncsc.ch vulnerability@ncsc.ch

Affected SoftwareAffected VersionHow to fix
redhat/candlepin<0:4.1.13-1.el7
0:4.1.13-1.el7
redhat/candlepin<0:4.1.13-1.el8
0:4.1.13-1.el8
Qos Logback<=1.2.7
Qos Logback=1.3.0-alpha0
Qos Logback=1.3.0-alpha1
Qos Logback=1.3.0-alpha10
Qos Logback=1.3.0-alpha2
Qos Logback=1.3.0-alpha3
Qos Logback=1.3.0-alpha4
Qos Logback=1.3.0-alpha5
Qos Logback=1.3.0-alpha6
Qos Logback=1.3.0-alpha7
Qos Logback=1.3.0-alpha8
Qos Logback=1.3.0-alpha9
Redhat Satellite=6.0
NetApp Cloud Manager
NetApp Service Level Manager
NetApp Snap Creator Framework
Siemens SINEC NMS<1.0.3
redhat/logback-classic<1.2.9
1.2.9
<=1.2.7
=1.3.0-alpha0
=1.3.0-alpha1
=1.3.0-alpha10
=1.3.0-alpha2
=1.3.0-alpha3
=1.3.0-alpha4
=1.3.0-alpha5
=1.3.0-alpha6
=1.3.0-alpha7
=1.3.0-alpha8
=1.3.0-alpha9
=6.0
<1.0.3

Remedy

https://jira.qos.ch/browse/LOGBACK-1591

Remedy

upgrade to >=1.2.9 or >=1.3.0-alpha11

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is CVE-2021-42550?

    CVE-2021-42550 is a vulnerability found in the logback package that allows an attacker to execute arbitrary code loaded from LDAP servers.

  • What is the severity of CVE-2021-42550?

    CVE-2021-42550 has a severity level of high.

  • Which versions of logback are affected by CVE-2021-42550?

    Logback versions 1.2.7 and prior are affected by CVE-2021-42550.

  • How can I fix CVE-2021-42550?

    To fix CVE-2021-42550, upgrade to logback version 1.2.9 or higher.

  • Where can I find more information about CVE-2021-42550?

    You can find more information about CVE-2021-42550 at the following references: [CVE-2021-42550](https://cve.report/CVE-2021-42550), [LOGBACK-1591](https://jira.qos.ch/browse/LOGBACK-1591), [RHSA-2022:1108](https://access.redhat.com/errata/RHSA-2022:1108).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203