Security vulnerabilities in Apache Log4j2 for some Intel® products may allow escalation of privilege or denial of service. Intel is releasing product updates to mitigate these vulnerabilities.
CVEID: CVE-2021-44228 (Non-Intel issued)
Description: JNDI features in Apache Log4j2 may allow an authenticated user to potentially enable escalation of privilege via network access.
CVSS Base Score: 10.0 Critical
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2021-45046 (Non-Intel issued)
Description: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations
CVSS Base Score: 9.0 Critical
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Intel’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x as quickly as possible, moving to the latest version available when developing mitigations.
The Intel product portfolio is under investigation to determine if the products are affected by CVE-2021-44228 and CVE-2021-45046 which are mitigated by Apache Log4j version 2.16, or higher. The vulnerabilities in Apache Log4j identified by CVE-2021-44228 and CVE-2021-45046 involve Java-based logging software. As such, Intel hardware products and graphic driver products are not affected.
While Intel has completed our initial scanning efforts, with so much active industry research on Log4j, mitigation and remediation, recommendations will continue to evolve. We are actively assessing the latest Log4j developments and will share updates accordingly. Please continue to check this advisory for updates.