PT-2021-6084 · Logback+6
Ceki Gülcü · Published 2021-12-16 · Updated 2025-07-02
CVE-2021-42550
CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
logback versions 1.2.7 and prior
Description
The vulnerability lies in the deserialization mechanism of the logback library. An attacker who already holds the privileges required to edit logback configuration files can craft a malicious configuration that causes arbitrary code to be loaded from LDAP servers and executed.
Recommendations
For logback versions 1.2.7 and prior, the recommended fix is to upgrade to version 1.2.8 and disable all of the lookup code. As a temporary workaround, restrict access to the configuration files so that they cannot be maliciously edited. Disabling the use of LDAP servers for code loading also reduces the risk of exploitation until the issue is fully resolved.
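The description and the recommendations above both come down to one operational question for a defender: does any logback configuration on a host contain a JNDI lookup that leaves the local JVM namespace and could resolve through a remote server such as LDAP? The script below is an added example and is not part of this advisory or of the logback project. It parses a logback XML configuration and reports every `insertFromJNDI` element whose `env-entry-name` does not start with `java:`. The element and attribute names are taken from the logback configuration manual; the "java: names only" policy is this example's own conservative rule, and the embedded configuration is a constructed sample.

```python
"""Audit a logback XML configuration for JNDI lookups that leave the java: namespace.

Added example for CVE-2021-42550 review; not code from the advisory or from logback.
Element/attribute names (insertFromJNDI, env-entry-name, as) follow the logback
manual; the "only java: names are acceptable" policy is this script's own assumption.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample configuration: one benign lookup inside java:comp/env and one
# lookup that would resolve through an LDAP URL (the pattern the advisory warns about).
SAMPLE_CONFIG = """<configuration>
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName"/>
  <insertFromJNDI env-entry-name="ldap://example.invalid/x" as="evil"/>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d ${appName} %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""

# Assumed policy: lookups are only expected inside the container-local java: namespace.
LOCAL_JNDI_PREFIX = "java:"


def find_jndi_lookups(config_xml: str) -> list:
    """Return (env-entry-name, as) pairs for every insertFromJNDI element in the config."""
    root = ET.fromstring(config_xml)
    return [(el.get("env-entry-name", "").strip(), el.get("as", "").strip())
            for el in root.iter("insertFromJNDI")]


def suspicious_lookups(config_xml: str) -> list:
    """Return the lookups whose JNDI name does not stay inside the java: namespace."""
    return [(name, alias) for name, alias in find_jndi_lookups(config_xml)
            if not name.startswith(LOCAL_JNDI_PREFIX)]


def audit(config_xml: str) -> bool:
    """Print one FINDING line per suspicious lookup; return True when the config is clean."""
    findings = suspicious_lookups(config_xml)
    for name, alias in findings:
        print(f"FINDING: insertFromJNDI as='{alias}' resolves '{name}' outside {LOCAL_JNDI_PREFIX}")
    return not findings


if __name__ == "__main__":
    # Usage: python audit_logback.py /path/to/logback.xml ; without a path the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    sys.exit(0 if audit(text) else 1)
```

The check is deliberately simple: it does not try to decide which remote scheme is dangerous, because any lookup that leaves the local namespace in a configuration file is worth a human review, and restricting who can write that file (the advisory's workaround) is what actually closes the door.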
Exploit
Fix
Weakness Enumeration
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Astra Linux
Debian
Linuxmint
Rocky Linux
Suse
Ubuntu
Logback