CVE-2021-42550
First published: Thu Dec 16 2021(Updated: )
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Credit: vulnerability@ncsc.ch
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/logback-classic | <1.2.9 | 1.2.9 |
| redhat/candlepin | <0:4.1.13-1.el7 | 0:4.1.13-1.el7 |
| redhat/candlepin | <0:4.1.13-1.el8 | 0:4.1.13-1.el8 |
| Qos Logback | <=1.2.7 | |
| Qos Logback | =1.3.0-alpha0 | |
| Qos Logback | =1.3.0-alpha1 | |
| Qos Logback | =1.3.0-alpha10 | |
| Qos Logback | =1.3.0-alpha2 | |
| Qos Logback | =1.3.0-alpha3 | |
| Qos Logback | =1.3.0-alpha4 | |
| Qos Logback | =1.3.0-alpha5 | |
| Qos Logback | =1.3.0-alpha6 | |
| Qos Logback | =1.3.0-alpha7 | |
| Qos Logback | =1.3.0-alpha8 | |
| Qos Logback | =1.3.0-alpha9 | |
| Redhat Satellite | =6.0 | |
| NetApp Cloud Manager | ||
| NetApp Service Level Manager | ||
| NetApp Snap Creator Framework | ||
| Siemens SINEC NMS | <1.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://logback.qos.ch/news.html
- http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html
- http://seclists.org/fulldisclosure/2022/Jul/11
- https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf
- https://github.com/cn-panda/logbackRceDemo
- https://jira.qos.ch/browse/LOGBACK-1591
- https://security.netapp.com/advisory/ntap-20211229-0001/
- https://cve.report/CVE-2021-42550
- https://access.redhat.com/errata/RHSA-2022:1108
- https://access.redhat.com/errata/RHSA-2022:1110
- https://access.redhat.com/security/cve/cve-2021-42550
- https://access.redhat.com/errata/RHSA-2022:5498
- https://access.redhat.com/errata/RHSA-2022:5532
- https://bugzilla.redhat.com/show_bug.cgi?id=2033560
- https://www.cve.org/CVERecord?id=CVE-2021-42550 https://nvd.nist.gov/vuln/detail/CVE-2021-42550 http://logback.qos.ch/news.html https://cve.report/CVE-2021-42550 https://jira.qos.ch/browse/LOGBACK-1591
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-42550?
CVE-2021-42550 is a vulnerability found in the logback package that allows an attacker to execute arbitrary code loaded from LDAP servers.
What is the severity of CVE-2021-42550?
CVE-2021-42550 has a severity level of high.
Which versions of logback are affected by CVE-2021-42550?
Logback versions 1.2.7 and prior are affected by CVE-2021-42550.
How can I fix CVE-2021-42550?
To fix CVE-2021-42550, upgrade to logback version 1.2.9 or higher.
Where can I find more information about CVE-2021-42550?
You can find more information about CVE-2021-42550 at the following references: [CVE-2021-42550](https://cve.report/CVE-2021-42550), [LOGBACK-1591](https://jira.qos.ch/browse/LOGBACK-1591), [RHSA-2022:1108](https://access.redhat.com/errata/RHSA-2022:1108).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-42550
- agent/software-canonical-lookup
- collector/redhat-cve
- vendor/qos
- canonical/qos logback
- version/qos logback/1.2.7
- version/qos logback/1.3.0-alpha0
- version/qos logback/1.3.0-alpha1
- version/qos logback/1.3.0-alpha10
- version/qos logback/1.3.0-alpha2
- version/qos logback/1.3.0-alpha3
- version/qos logback/1.3.0-alpha4
- version/qos logback/1.3.0-alpha5
- version/qos logback/1.3.0-alpha6
- version/qos logback/1.3.0-alpha7
- version/qos logback/1.3.0-alpha8
- version/qos logback/1.3.0-alpha9
- vendor/redhat
- canonical/redhat satellite
- version/redhat satellite/6.0
- vendor/netapp
- canonical/netapp cloud manager
- canonical/netapp service level manager
- canonical/netapp snap creator framework
- vendor/siemens
- canonical/siemens sinec nms
- package-manager/redhat