{"id":"MGASA-2021-0556","summary":"Updated log4j packages fix security vulnerability","details":"Apache Log4j2 \u003c=2.14.1 JNDI features used in configuration, log messages,\nand parameters do not protect against attacker controlled LDAP and other\nJNDI related endpoints. An attacker who can control log messages or log\nmessage parameters can execute arbitrary code loaded from LDAP servers\nwhen message lookup substitution is enabled. From log4j 2.15.0, this\nbehavior has been disabled by default. (CVE-2021-44228)\n","modified":"2026-02-04T02:56:12.367534Z","published":"2021-12-11T01:02:37Z","related":["CVE-2021-44228"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0556.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29753"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2021/12/10/1"}],"affected":[{"package":{"name":"log4j","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/log4j?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.13.3-1.1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0556.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}