Bug 1443635 (CVE-2017-5645)
| Summary: | CVE-2017-5645 log4j: Socket receiver deserialization vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | ahardin, aileenc, alazarot, apevec, apmukher, ataylor, avibelli, bkearney, bleanhar, bmaxwell, bmcclain, cbillett, ccoleman, cdewolf, chazlett, chrisw, csutherl, cvsbot-xmlrpc, dandread, darran.lofthouse, dbaker, dblechte, dedgar, devrim, dimitris, dmcphers, dosoudil, drieden, dwalluck, eedri, etirelli, fgavrilo, ggaughan, gmalinko, gsterlin, gvarsami, gzaronik, hhorak, huwang, janstey, java-maint, java-sig-commits, jawilson, jbalunas, jclere, jcoleman, jgoulding, jjoyce, jkeck, jochrist, jokerman, jolee, jondruse, jorton, jross, jschatte, jschluet, jshepherd, jstastny, jwon, kbasil, kconner, kverlaen, ldimaggi, lgao, lhh, lpeer, lpetrovi, lsurette, markmc, mbabacek, mbaluch, mchappel, meissner, mgoldboi, michal.skrivanek, mizdebsk, mwinkler, myarboro, nwallace, pgier, pjurak, ppalaga, psakar, pslavice, psotirop, puntogil, rbryant, Rhev-m-bugs, rnetuka, rrajasek, rstancel, rsvoboda, rwagner, rzhang, sclewis, spinder, srevivo, tcunning, tdecacqu, theute, thomas, tkirby, tlestach, tomckay, twalsh, vhalbert, vtunka, weli, ykaul, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | log4j 2.8.2 | Doc Type: | If docs needed, set a value |
| Doc Text: |
It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 03:10:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1443637, 1457722, 1457756, 1457757, 1467261, 1467262, 1467885, 1467886, 1467894, 1469402, 1537683, 1537684 | ||
| Bug Blocks: | 1443639, 1446025, 1485997, 1493931, 1495452, 1497821, 1507638 | ||
|
Description
Andrej Nemec
2017-04-19 15:19:47 UTC
Created log4j tracking bugs for this issue: Affects: fedora-all [bug 1443637] JBoss fuse ships log4j in, karaf/pax logging, cxf, fabric8, activemq and hawtio components. Both EAP 5 and JON3 don't have the affect Tcp and Udp SocketServer classes Created log4j12 tracking bugs for this issue: Affects: fedora-all [bug 1457722] This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:1417 https://access.redhat.com/errata/RHSA-2017:1417 This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2017:1801 https://access.redhat.com/errata/RHSA-2017:1801 This issue has been addressed in the following products: Red Hat JBoss Web Server 3.1.1 Via RHSA-2017:1802 https://access.redhat.com/errata/RHSA-2017:1802 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2423 https://access.redhat.com/errata/RHSA-2017:2423 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2017:2633 https://access.redhat.com/errata/RHSA-2017:2633 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2017:2636 https://access.redhat.com/errata/RHSA-2017:2636 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2017:2637 https://access.redhat.com/errata/RHSA-2017:2637 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:2635 https://access.redhat.com/errata/RHSA-2017:2635 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:2638 https://access.redhat.com/errata/RHSA-2017:2638 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0.8 Via RHSA-2017:2810 https://access.redhat.com/errata/RHSA-2017:2810 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Via RHSA-2017:2808 https://access.redhat.com/errata/RHSA-2017:2808 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2017:2809 https://access.redhat.com/errata/RHSA-2017:2809 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2017:2811 https://access.redhat.com/errata/RHSA-2017:2811 This issue has been addressed in the following products: Red Hat JBoss BRMS Via RHSA-2017:2888 https://access.redhat.com/errata/RHSA-2017:2888 This issue has been addressed in the following products: Red Hat JBoss BPM Suite Via RHSA-2017:2889 https://access.redhat.com/errata/RHSA-2017:2889 This issue has been addressed in the following products: Red Hat JBoss Data Grid Via RHSA-2017:3244 https://access.redhat.com/errata/RHSA-2017:3244 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 5.2 security update Via RHSA-2017:3400 https://access.redhat.com/errata/RHSA-2017:3400 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Via RHSA-2017:3399 https://access.redhat.com/errata/RHSA-2017:3399 This was fixed for OCP 3.5, and 3.6 here: https://access.redhat.com/errata/RHBA-2017:2548 This issue has been addressed in the following products: Red Hat Fuse 7.3.1 Via RHSA-2019:1545 https://access.redhat.com/errata/RHSA-2019:1545 Statement: The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x It was found that vulnerable versions of log4j where shipped (embedded) within io.hawt:hawtio-osgi:war:*, however the embedded library is not used nor the vulnerable TCP/UDP server functionality. Due to this we've marked Fuse-7 and AMQ-7 as being affected (it is shipped and will) but having a low impact (it is not used). This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140 |