| Description: | Summary:
The remote host is missing an update for the Debian 'apache-log4j2' package(s) announced via the DLA-2852-1 advisory.
Vulnerability Insight:
Several security vulnerabilities were found in Apache Log4j2, a Logging Framework for Java, which could lead to a denial of service or information disclosure.
CVE-2020-9488
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
CVE-2021-45105
Apache Log4j2 did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.
For Debian 9 stretch, these problems have been fixed in version 2.12.3-0+deb9u1.
We recommend that you upgrade your apache-log4j2 packages.
For the detailed security status of apache-log4j2 please refer to its security tracker page at: [link moved to references]
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]
Affected Software/OS:
'apache-log4j2' package(s) on Debian 9.
Solution:
Please install the updated package(s).
CVSS Score:
4.3
CVSS Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
|
