{"id":"MGASA-2021-0566","summary":"Updated log4j packages fix security vulnerability","details":"It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0\nwas incomplete in certain non-default configurations. This could allows\nattackers with control over Thread Context Map (MDC) input data when the\nlogging configuration uses a non-default Pattern Layout with either a\nContext Lookup (for example, $${ctx:loginId}) or a Thread Context Map\npattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI\nLookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0\nmakes a best-effort attempt to restrict JNDI LDAP lookups to localhost by\ndefault. Log4j 2.16.0 fixes this issue by removing support for message\nlookup patterns and disabling JNDI functionality by default\n(CVE-2021-45046).\n","modified":"2026-04-16T00:12:04.141829355Z","published":"2021-12-19T12:26:08Z","upstream":["CVE-2021-45046"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0566.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29766"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2021/12/14/4"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-7rjr-3q55-vv33"}],"affected":[{"package":{"name":"log4j","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/log4j?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.16.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0566.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}