Bug 1785616 (CVE-2019-17571)

Summary: CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, atangrin, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bdettelb, bgeorges, bibryam, bkearney, bmaxwell, brian.stansberry, btotty, cdewolf, chazlett, cmacedo, darran.lofthouse, dbhole, dchong, decathorpe, devrim, dffrench, dkreling, dosoudil, drieden, drusso, dwalluck, ehelms, etirelli, ganandan, ggaughan, gvarsami, hhorak, ibek, igueye, iweiss, janstey, java-maint, java-sig-commits, jawilson, jbalunas, jcoleman, jmadigan, jochrist, jolee, jorton, jpallich, jperkins, jschatte, jshepherd, jsherril, jstastny, jwon, krathod, kverlaen, kwills, ldimaggi, lef, lgao, loleary, lthon, lzap, mhulan, mizdebsk, mmccune, mnovotny, msochure, msvehla, mszynkie, myarboro, ngough, nmoumoul, nwallace, orabin, pantinor, pcreech, pdrozd, pgallagh, pjindal, pmackay, psotirop, puntogil, pwright, rareddy, rchan, rguimara, rrajasek, rruss, rsvoboda, rsynek, rtillery, rwagner, sdaley, smaestri, sochotni, stewardship-sig, sthorger, tcrider, tcunning, theute, tkirby, tlestach, tomckay, tom.jenkinson, trepel, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: log4j 2.8.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-25 22:14:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1785617, 1785618, 1786012, 1786013, 1786014, 1792863, 2088650    
Bug Blocks: 1785622    

Description msiddiqu 2019-12-20 13:12:29 UTC 
Included in Log4j 1.2 is a SocketServer class that is vulnerable to
deserialization of untrusted data which can be exploited to remotely
execute arbitrary code when combined with a deserialization gadget
when listening to untrusted network traffic for log data.

References: 

https://logging.apache.org/log4j/1.2/
https://issues.apache.org/jira/browse/LOG4J2-1863
https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E
Comment 1 msiddiqu 2019-12-20 13:13:06 UTC 
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 1785617]


Created log4j12 tracking bugs for this issue:

Affects: fedora-all [bug 1785618]
Comment 2 Jason Shepherd 2019-12-23 02:12:58 UTC 
There is no SocketServer in nodejs-log4js, setting Quay to not affected.
Comment 3 Jason Shepherd 2019-12-23 02:20:28 UTC 
There is no SocketServer in nodejs-log4js, setting Quay to not affected.
Comment 7 Ted Jongseok Won 2019-12-23 17:42:28 UTC 
There is no SoketAppender, SocketServer and SocketNode usage in JON, setting JON to not affected.
Comment 19 Cedric Buissart 2020-02-06 10:04:05 UTC 
Statement:

This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.
Also the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417

In Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.
Comment 30 Yadnyawalk Tale 2022-02-03 13:08:27 UTC 
Red Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.
Comment 31 errata-xmlrpc 2022-02-09 13:11:13 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.4.8.SP1

Via RHSA-2022:0497 https://access.redhat.com/errata/RHSA-2022:0497
Comment 32 errata-xmlrpc 2022-02-10 17:26:43 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.4.8.SP2

Via RHSA-2022:0507 https://access.redhat.com/errata/RHSA-2022:0507
Comment 35 errata-xmlrpc 2022-06-15 10:43:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:5053 https://access.redhat.com/errata/RHSA-2022:5053