Bug 2041949 (CVE-2022-23302)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink | | |
| Product | [Other] Security Response | Reporter | Michael Kaplan <mkaplan> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, atangrin, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bdettelb, bgeorges, bibryam, bmaxwell, bmontgom, boliveir, brian.stansberry, btotty, caswilli, cdewolf, chazlett, clement.escoffier, csutherl, dandread, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, ehelms, eleandro, eparis, etirelli, fjuma, ggaughan, gmalinko, gsmet, gzaronik, hamadhan, hbraun, hhorak, ibek, iweiss, janstey, jburrell, jclere, jjoyce, jnethert, jochrist, jokerman, jolee, jorton, jpallich, jperkins, jrokos, jross, jschatte, jschluet, jsherril, jstastny, jwong, jwon, kaycoth, krathod, kverlaen, kwills, lgao, lhh, loleary, lpeer, lsurette, lthon, lzap, mburns, mhulan, michal.skrivanek, mizdebsk, mkolesni, mmccune, mnovotny, mperina, msochure, msvehla, mszynkie, myarboro, nmoumoul, nobody, nstielau, nwallace, orabin, pantinor, pcreech, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, rchan, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, sbonazzo, sclewis, scohen, sd-operator-metering, sdouglas, slinaber, smaestri, spinder, sponnaga, sthorger, swoodman, szappis, tflannag, theute, tom.jenkinson, tzimanyi, vkumar, yborgess, yozone |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2022-01-26 15:31:04 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2042321, 2042322, 2042344, 2042621, 2042622, 2042623, 2042624, 2042625, 2042626, 2042627, 2042628, 2042629, 2042630, 2042631, 2042632, 2042633, 2042634, 2042635, 2042636, 2042637, 2042638, 2042639, 2042640, 2042641, 2042642, 2042643, 2042644, 2042645, 2042646, 2042647, 2042648, 2042714, 2042923, 2042924, 2042925, 2042926, 2042927, 2042928, 2042929, 2042930, 2042931, 2048754, 2048755 | | |
| Bug Blocks | 2041943 | | |
Description
Michael Kaplan
2022-01-18 15:39:20 UTC
Marking /services "notaffected" per previous analysis/remediation.

This issue has been addressed in the following products:

- Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions, via RHSA-2022:0294: https://access.redhat.com/errata/RHSA-2022:0294
- Red Hat Enterprise Linux 8, via RHSA-2022:0290: https://access.redhat.com/errata/RHSA-2022:0290
- Red Hat Enterprise Linux 8.2 Extended Update Support, via RHSA-2022:0291: https://access.redhat.com/errata/RHSA-2022:0291
- Red Hat Enterprise Linux 8.4 Extended Update Support, via RHSA-2022:0289: https://access.redhat.com/errata/RHSA-2022:0289

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-23302

This issue has been addressed in the following products:

- Red Hat Data Grid 7.3.9, via RHSA-2022:0430: https://access.redhat.com/errata/RHSA-2022:0430
- EAP 7.4 log4j async, via RHSA-2022:0435: https://access.redhat.com/errata/RHSA-2022:0435
- Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 and Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8, via RHSA-2022:0436: https://access.redhat.com/errata/RHSA-2022:0436
- EAP 6.4 log4j async, via RHSA-2022:0437: https://access.redhat.com/errata/RHSA-2022:0437
- Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 and Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7, via RHSA-2022:0438: https://access.redhat.com/errata/RHSA-2022:0438
- Red Hat Software Collections for Red Hat Enterprise Linux 7, via RHSA-2022:0439: https://access.redhat.com/errata/RHSA-2022:0439
- Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 6 Extended Lifecycle Support, via RHSA-2022:0442: https://access.redhat.com/errata/RHSA-2022:0442
- RHEL-8 based Middleware Containers, via RHSA-2022:0444: https://access.redhat.com/errata/RHSA-2022:0444
- Red Hat Single Sign-On 7.4.10, via RHSA-2022:0446: https://access.redhat.com/errata/RHSA-2022:0446
- RHSSO 7.5.1, via RHSA-2022:0449: https://access.redhat.com/errata/RHSA-2022:0449
- Red Hat Single Sign-On 7.5 for RHEL 8, via RHSA-2022:0448: https://access.redhat.com/errata/RHSA-2022:0448
- Red Hat Single Sign-On 7.5 for RHEL 7, via RHSA-2022:0447: https://access.redhat.com/errata/RHSA-2022:0447
- RHEL-8 based Middleware Containers, via RHSA-2022:0445: https://access.redhat.com/errata/RHSA-2022:0445
- RHEL-8 based Middleware Containers, via RHSA-2022:0450: https://access.redhat.com/errata/RHSA-2022:0450
- Red Hat AMQ Streams 1.6.7, via RHSA-2022:0467: https://access.redhat.com/errata/RHSA-2022:0467
- Red Hat AMQ Streams 2.0.1, via RHSA-2022:0469: https://access.redhat.com/errata/RHSA-2022:0469
- Red Hat Virtualization Engine 4.4, via RHSA-2022:0475: https://access.redhat.com/errata/RHSA-2022:0475
- Red Hat JBoss Data Virtualization 6.4.8.SP1, via RHSA-2022:0497: https://access.redhat.com/errata/RHSA-2022:0497
- Red Hat JBoss Data Virtualization 6.4.8.SP2, via RHSA-2022:0507: https://access.redhat.com/errata/RHSA-2022:0507
- Red Hat JBoss Web Server 3 for RHEL 7, via RHSA-2022:0524: https://access.redhat.com/errata/RHSA-2022:0524
- Red Hat JBoss Web Server, via RHSA-2022:0527: https://access.redhat.com/errata/RHSA-2022:0527
- Red Hat Fuse/AMQ 6.3.20, via RHSA-2022:0553: https://access.redhat.com/errata/RHSA-2022:0553
- Red Hat Fuse 7.10.1, via RHSA-2022:0661: https://access.redhat.com/errata/RHSA-2022:0661
- Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7, via RHSA-2022:1296: https://access.redhat.com/errata/RHSA-2022:1296
- Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8, via RHSA-2022:1297: https://access.redhat.com/errata/RHSA-2022:1297
- EAP 7.4.4 release, via RHSA-2022:1299: https://access.redhat.com/errata/RHSA-2022:1299
- EAP 6.4.24 release, via RHSA-2022:5458: https://access.redhat.com/errata/RHSA-2022:5458
- Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6, via RHSA-2022:5459: https://access.redhat.com/errata/RHSA-2022:5459
- Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7, via RHSA-2022:5460: https://access.redhat.com/errata/RHSA-2022:5460