Cloud Foundry Foundation
A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed . Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser and may allow for remote code execution in impacted cloud foundry products.
This is an ongoing event, please check this advisory for frequent updates as they develop. The advisory has been updated to cover for CVE-2021-45105 too which was later identified in log4j versions below 2.17.0 .
Affected Cloud Foundry Products and Versions
Severity is critical unless otherwise noted.
- PHP buildpack
- Java buildpack
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases( for both the above CVEs):
- UAA-Upgrade all versions to 75.13.0 or greater
- Credhub – Upgrade all versions to 2.11.0 or greater
- Cf-for-k8s – Upgrade all versions to v5.4.2 or greater
- Cf-deployment – Upgrade all versions to 17.1.0 or greater
- PHP- buildpack – Upgrade all versions to 4.4.54 or greater
- Java buildpack – Upgrade all versions to 4.47 or greater
2021-12-13: Initial vulnerability report published.
2021-12-14: Updated with patch details of Cf-for-k8s
2021-12-15: Updated credhub, UAA and Php buildpack versions with latest log4j 2.16 versions
2021-12-18: Updated cf-for-k8s, cf-deployment, Java buildpack versions with latest log4j 2.16 versions
2022-01-06: Updated UAA, Java buildpack, PHP- buildpack, Cf-for-k8s versions for fixes of CVE-2021-45105.