First published: Thu Jan 20 2022
The releases of Red Hat Fuse 7.8.2, 7.9.1 and 7.10.1 serve as a patch to Red Hat Fuse on Karaf and Red Hat Fuse on Spring Boot and include security fixes, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

- log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)
- log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)
- log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)
- log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Software | Affected Version | How to fix |
---|---|---|
Fuse | >=7.8.2<=7.10.1 |
The severity of RHSA-2022:0203 is classified as critical due to the impact of the log4j-core vulnerability.
To fix RHSA-2022:0203, update your Red Hat Fuse installations to versions 7.8.2, 7.9.1, or 7.10.1.
RHSA-2022:0203 affects Red Hat Fuse on Karaf and Red Hat Fuse on Spring Boot.
RHSA-2022:0203 was released on February 23, 2022.
RHSA-2022:0203 addresses vulnerabilities related to log4j-core that could allow remote code execution.