CVE Vulnerability

CVE-2021-4125

It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed. This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6.

8.1 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=2033121 Issue Tracking Patch
https://access.redhat.com/security/cve/CVE-2021-44228 Third Party Advisory
https://github.com/kube-reporting/hive/pull/71 Third Party Advisory
https://access.redhat.com/security/cve/CVE-2021-4125 Third Party Advisory
https://github.com/kube-reporting/hive/pull/73 Third Party Advisory
https://github.com/kube-reporting/hive/pull/72 Third Party Advisory
https://access.redhat.com/security/cve/CVE-2021-45046 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:redhat:openshift:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:hive:*:*:*:*:*:*:*:*
Information

Published : 2022-08-24 04:15

Updated : 2022-08-29 02:26

NVD link : CVE-2021-4125

Mitre link : CVE-2021-4125

Products Affected

Openshift

Redhat

CWE
CWE-502

Deserialization of Untrusted Data