Bug 1785616 (CVE-2019-17571)

Summary: CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, atangrin, avibelli, bbaranow, bdettelb, bgeorges, bkearney, bmaxwell, brian.stansberry, cbyrne, cdewolf, chazlett, cmacedo, darran.lofthouse, dbhole, dchong, decathorpe, devrim, dffrench, dkreling, dosoudil, drieden, drusso, dwalluck, etirelli, ggaughan, gvarsami, hhorak, ibek, iweiss, janstey, java-maint, java-sig-commits, jawilson, jbalunas, jcoleman, jmadigan, jochrist, jolee, jorton, jpallich, jperkins, jschatte, jschorr, jshepherd, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lef, lgao, loleary, lthon, mizdebsk, mnovotny, msochure, msvehla, mszynkie, ngough, nwallace, paradhya, pdrozd, pgallagh, pjindal, pmackay, psotirop, puntogil, pwright, rguimara, rrajasek, rruss, rsvoboda, rsynek, rtillery, rwagner, sdaley, smaestri, sochotni, spinder, stewardship-sig, sthorger, tcunning, theute, tkirby, tlestach, tomckay, tom.jenkinson, trepel, vhalbert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: log4j 2.8.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1785617, 1785618, 1786012, 1786013, 1786014, 1792863    
Bug Blocks: 1785622    

Description msiddiqu 2019-12-20 13:12:29 UTC
Included in Log4j 1.2 is a SocketServer class that is vulnerable to
deserialization of untrusted data which can be exploited to remotely
execute arbitrary code when combined with a deserialization gadget
when listening to untrusted network traffic for log data.

References: 

https://logging.apache.org/log4j/1.2/
https://issues.apache.org/jira/browse/LOG4J2-1863
https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E

Comment 1 msiddiqu 2019-12-20 13:13:06 UTC
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 1785617]


Created log4j12 tracking bugs for this issue:

Affects: fedora-all [bug 1785618]

Comment 2 Jason Shepherd 2019-12-23 02:12:58 UTC
There is no SocketServer in nodejs-log4js, setting Quay to not affected.

Comment 3 Jason Shepherd 2019-12-23 02:20:28 UTC
There is no SocketServer in nodejs-log4js, setting Quay to not affected.

Comment 7 Ted (Jong Seok) Won 2019-12-23 17:42:28 UTC
There is no SoketAppender, SocketServer and SocketNode usage in JON, setting JON to not affected.

Comment 19 Cedric Buissart 🐶 2020-02-06 10:04:05 UTC
Statement:

This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.
Also the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417

In Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.