CVE-2021-4125: Deserialization of Untrusted Data
The original fix for the log4j flaws CVE-2021-44228 and CVE-2021-45046 in the OpenShift Metering hive containers was found to be incomplete: not every copy of JndiLookup.class had been removed from the container images, so the class-removal mitigation for those CVEs was not fully applied. This CVE applies only to the OpenShift Metering hive container images shipped in OpenShift 4.6, 4.7 and 4.8.
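Checking an unpacked image filesystem for leftover copies of the class, as an added example that is not part of this advisory or of the hive project: the script below uses Python's zipfile module to walk a directory tree, look inside every jar, war or ear (descending into archives bundled inside other archives, which is one place a copy can survive a shallow removal) for org/apache/logging/log4j/core/lookup/JndiLookup.class, and rewrite any archive that still contains it. The directory layout, jar names and file contents are a constructed fixture standing in for a hive image, not the real one; removing the class is the interim mitigation, and an upgraded log4j-core remains the complete fix.

```python
"""Find and strip JndiLookup.class in an unpacked image tree, including jars nested in jars."""
import io
import os
import tempfile
import zipfile

# Class removed by the CVE-2021-44228 / CVE-2021-45046 class-removal mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(data, path):
    """Return every location of JndiLookup.class inside a zip-format archive.

    Nested archives are descended into; a hit reads outer.jar!/inner.jar!/.../JndiLookup.class.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip at all; nothing to inspect
    with zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                hits.append(f"{path}!/{name}")
            elif name.lower().endswith(ARCHIVE_EXT):
                hits.extend(find_jndi_lookup(zf.read(name), f"{path}!/{name}"))
    return hits


def strip_jndi_lookup(data):
    """Rebuild an archive without JndiLookup.class, recursing into nested archives."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                continue
            payload = src.read(info.filename)
            if info.filename.lower().endswith(ARCHIVE_EXT):
                payload = strip_jndi_lookup(payload)
            dst.writestr(info, payload)  # keeps name, timestamp and compression of the entry
    return out.getvalue()


def list_entries(data):
    """Sorted entry names of an archive (used to confirm other content survives stripping)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


def _archives_under(root):
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXT):
                yield os.path.join(dirpath, fn)


def scan_tree(root):
    """Scan an unpacked filesystem; hit locations are reported relative to root."""
    hits = []
    for full in _archives_under(root):
        with open(full, "rb") as fh:
            hits.extend(find_jndi_lookup(fh.read(), os.path.relpath(full, root)))
    return hits


def remediate_tree(root):
    """Rewrite every archive that still carries JndiLookup.class; returns how many were rewritten."""
    rewritten = 0
    for full in _archives_under(root):
        with open(full, "rb") as fh:
            data = fh.read()
        if find_jndi_lookup(data, full):
            with open(full, "wb") as fh:
                fh.write(strip_jndi_lookup(data))
            rewritten += 1
    return rewritten


def _jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed fixture: made-up paths and jar names, not the real hive image."""
    fake_class = b"\xca\xfe\xba\xbe" + b"\x00" * 12  # placeholder bytes, not a real class file
    manifest = b"Manifest-Version: 1.0\n"
    log4j_core = _jar({"META-INF/MANIFEST.MF": manifest, JNDI_CLASS: fake_class})
    fat_jar = _jar({"META-INF/MANIFEST.MF": manifest, "lib/log4j-core-2.14.1.jar": log4j_core})
    clean = _jar({"org/example/Util.class": fake_class})
    lib = os.path.join(root, "opt", "hive", "lib")
    os.makedirs(lib, exist_ok=True)
    for name, data in (("log4j-core-2.14.1.jar", log4j_core), ("hive-exec.jar", fat_jar),
                       ("commons-lang.jar", clean)):
        with open(os.path.join(lib, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the fixture, scan, strip, rescan. Returns (hits_before, archives_rewritten, hits_after)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        before = scan_tree(root)
        rewritten = remediate_tree(root)
        after = scan_tree(root)
    return before, rewritten, after


if __name__ == "__main__":
    before, rewritten, after = demo()
    for hit in before:
        print("FOUND", hit)
    print(f"rewrote {rewritten} archive(s); {len(after)} hit(s) remain")
```

Run scan_tree against a directory holding the image's exported filesystem; a fix that only touched the top-level log4j-core jar would leave the copy inside hive-exec.jar in this fixture, which is exactly the kind of leftover the advisory describes. Rewriting jars in place changes their checksums, so rebuild and re-sign the image rather than patching a running container.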
References
- access.redhat.com/security/cve/CVE-2021-4125
- access.redhat.com/security/cve/CVE-2021-44228
- access.redhat.com/security/cve/CVE-2021-45046
- bugzilla.redhat.com/show_bug.cgi?id=2033121
- github.com/kube-reporting/hive/pull/71
- github.com/kube-reporting/hive/pull/72
- github.com/kube-reporting/hive/pull/73
- nvd.nist.gov/vuln/detail/CVE-2021-4125
Detect and mitigate CVE-2021-4125 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.