Bug 1831139 (CVE-2020-9488)
| Summary: | CVE-2020-9488 log4j: improper validation of certificate with host mismatch in SMTP appender | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | aboyko, ahenning, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, atangrin, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bkearney, bmaxwell, bmontgom, brian.stansberry, btotty, cdewolf, chazlett, csutherl, darran.lofthouse, dbhole, devrim, dkreling, dosoudil, drieden, dwalluck, ehelms, eparis, etirelli, ganandan, ggaughan, gmalinko, gvarsami, gzaronik, hhorak, ibek, iweiss, janstey, java-maint, java-sig-commits, jawilson, jbalunas, jburrell, jcantril, jclere, jcoleman, jlyle, jochrist, jokerman, jorton, jpallich, jperkins, jross, jsherril, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lef, lgao, loleary, lthon, lzap, mbabacek, mhulan, mizdebsk, mmccune, mnovotny, msochure, msvehla, mszynkie, myarboro, nmoumoul, nstielau, nwallace, orabin, paradhya, pcreech, pdrozd, pgallagh, pjindal, pmackay, pskopek, psotirop, puntogil, rchan, rguimara, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, sdaley, sd-operator-metering, sguilhen, smaestri, sochotni, spinder, sponnaga, stewardship-sig, sthorger, swoodman, tcunning, tflannag, theute, tkirby, tlestach, tom.jenkinson, weli, ytale |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | log4j-2.13.2 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-06-17 23:20:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1831142, 1831143, 1831316, 1831317, 1831318, 1831319, 1831320, 1831321, 1833229, 1833230, 1833990 | ||
| Bug Blocks: | 1831144, 2014197 | ||
|
Description
Guilherme de Almeida Suckevicz
2020-05-04 17:28:34 UTC
Created log4j tracking bugs for this issue: Affects: fedora-all [bug 1831142] Created log4j12 tracking bugs for this issue: Affects: fedora-all [bug 1831143] Upstream patch: https://github.com/apache/logging-log4j2/commit/6851b50/ This vulnerability is out of security support scope for the following products: * Red Hat Enterprise Application Platform 6 * Red Hat Enterprise Application Platform 5 * Red Hat JBoss Operations Network 3 * Red Hat JBoss BRMS 5 * Red Hat JBoss BRMS 6 * Red Hat JBoss BPMS 6 * Red Hat JBoss Fuse 6 * Red Hat JBoss Fuse Service Works 6 * Red Hat JBoss SOA Platform 5 * Red Hat JBoss Active MQ 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. Mitigation: Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections. The following OpenShift components package a version of log4j which includes the vulnerable SMTP class (included in the log4j-core pacakge for log4j v2): - openshift4/ose-logging-elasticsearch5 - openshift4/ose-metering-hive This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:2391 https://access.redhat.com/errata/RHSA-2020:2391 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-9488 This issue has been addressed in the following products: Red Hat Data Grid Via RHSA-2020:3626 https://access.redhat.com/errata/RHSA-2020:3626 This issue has been addressed in the following products: Red Hat Data Grid 7.3.7 Via RHSA-2020:3779 https://access.redhat.com/errata/RHSA-2020:3779 This issue has been addressed in the following products: AMQ Clients 2.y for RHEL 6 AMQ Clients 2.y for RHEL 8 AMQ Clients 2.y for RHEL 7 Via RHSA-2020:3817 https://access.redhat.com/errata/RHSA-2020:3817 This issue has been addressed in the following products: Red Hat Fuse 7.8.0 Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568 This issue has been addressed in the following products: RHDM 7.10.0 Via RHSA-2021:0603 https://access.redhat.com/errata/RHSA-2021:0603 This issue has been addressed in the following products: RHPAM 7.10.1 Via RHSA-2021:1044 https://access.redhat.com/errata/RHSA-2021:1044 This issue has been addressed in the following products: Red Hat Fuse 7.10 Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134 Red Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it does not make use of SMTP Appender by default and only use logback framework for logging. This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.4.8.SP1 Via RHSA-2022:0497 https://access.redhat.com/errata/RHSA-2022:0497 This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.4.8.SP2 Via RHSA-2022:0507 https://access.redhat.com/errata/RHSA-2022:0507 |