diff --git a/content/issues/2021-12-13-log4j.md b/content/issues/2021-12-13-log4j.md index 0f355100..7ce15b6a 100644 --- a/content/issues/2021-12-13-log4j.md +++ b/content/issues/2021-12-13-log4j.md 
@@ -17,23 +17,26 @@ affected: section: issue --- -A [vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) has been discovered in log4j which can lead to denial of service and remote code execution. The following Linuxserver containers have been confirmed not to be affected by this vulnerability due to existing mitigations, upstream patches, or workarounds applied to the container images. +Multiple vulnerabilities ([CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) and [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046)) have been discovered in log4j which can lead to denial of service and remote code execution. The following Linuxserver containers have been confirmed not to be affected by CVE-2021-44228 *or* CVE-2021-45046 due to existing mitigations, upstream patches, or workarounds applied to the container images. -**Please note this applies to the latest versions of the below images *only*. If you are running older versions they may still be vulnerable.** +**Please note these lists apply to the stated version tags and later *only*. If you are running older versions of the images they may still be vulnerable.** -* [Unifi Controller](https://github.com/linuxserver/docker-unifi-controller) (Workaround applied + upstream fix) -* [Booksonic Air](https://github.com/linuxserver/docker-booksonic-air/) (Upstream fix) -* [Fleet](https://github.com/linuxserver/docker-fleet) (Workaround applied + upstream fix) +* [Fleet](https://github.com/linuxserver/docker-fleet) - `version-2.3.2` and later (Workaround applied + upstream fix) * [Airsonic](https://github.com/linuxserver/docker-airsonic) (No log4j-core in use) * [HABridge](https://github.com/linuxserver/docker-habridge) (No log4j-core in use) -* [nzbhydra2](https://github.com/linuxserver/docker-nzbhydra2) (Upstream fix) -The following Linuxserver containers are known to be using a vulnerable version of log4j (again this applies to the latest version only). 
This does not mean they are definitely exploitable, but they may be, especially if exposed to the internet: +The following Linuxserver containers have been confirmed not to be affected by CVE-2021-44228 due to existing mitigations, upstream patches, or workarounds applied to the container images, but may still be vulnerable to CVE-2021-45046. + +* [Unifi Controller](https://github.com/linuxserver/docker-unifi-controller) - `version-6.5.54` and later (Workaround applied + upstream fix) +* [Booksonic Air](https://github.com/linuxserver/docker-booksonic-air/) - `version-v2112.1.0` and later (Upstream fix) +* [nzbhydra2](https://github.com/linuxserver/docker-nzbhydra2) - `version-v3.18.4` and later (Upstream fix) + +The following Linuxserver containers are known to be using a vulnerable version of log4j in their current versions and cannot be mitigated by us. This does not mean they are definitely exploitable, but they may be, especially if exposed to the internet. * [Davos](https://github.com/linuxserver/docker-davos) * [Booksonic](https://github.com/linuxserver/docker-booksonic) (Deprecated) -The following Linuxserver containers are unconfirmed as to their vulnerability status, but are Java based and so may be using log4j in some capacity: +The following Linuxserver containers are unconfirmed as to their vulnerability status, but are Java based and so may be using log4j in some capacity. * [Ubooquity](https://github.com/linuxserver/docker-ubooquity)
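Review bot: the bold note now says the lists apply to "the stated version tags and later *only*", but the Airsonic and HABridge entries in the first list carry no version tag at all (they keep the old "(No log4j-core in use)" form while Fleet gained `version-2.3.2`), so a reader cannot tell whether those two are clear on all tags or only on some unstated one; either add the tag from which log4j-core is absent or state explicitly that the finding holds for all published versions. In the second list, the Booksonic Air and nzbhydra2 entries say only "(Upstream fix)", yet whether CVE-2021-45046 still applies depends on which log4j release the upstream fix moved to (2.15.0 is the release whose incomplete fix CVE-2021-45046 describes), so naming the bundled log4j version per entry would let users judge the "may still be vulnerable to CVE-2021-45046" wording for themselves. Finally, the Davos/Booksonic paragraph says these "cannot be mitigated by us" but gives users nothing to act on; a one-line pointer to what a user can do on their own (not exposing the container to the internet, which the same sentence already hints at, or applying a mitigation to the bundled jar) would make this section useful rather than just a warning.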