DSA-5022-1 apache-log4j2 -- liblog4j2-javaID: oval:org.secpod.oval:def:76487 | Date: (C)2021-12-16 (M)2023-12-14 |
Class: PATCH | Family: unix |
It was found that the fix to address CVE-2021-44228 in Apache Log4j, a Logging Framework for Java, was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup or a Thread Context Map pattern to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service attack.