CVE-2021-4125

CWE-20 — Improper Input Validation CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

8.1HIGH

EPSS

2.4%

top 15.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Openshift Kube-reporting Hive

Timeline

PublishedAug 24

Latest updateAug 25

Description

It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed. This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

▶NVDredhat/openshift4.6.0 — 4.6.52+2

▶CVEListV5kube-reporting/hiveFixed in v4.8, v4.7 and v4.6

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-jr7q-cc2x-97vj: It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all Jn↗2022-08-25

▶

CVEList

CVE-2021-4125: It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all Jn↗2022-08-24

▶

📋Vendor Advisories

Red Hat

kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046↗2021-12-16

▶