Bug 2115318

Summary: CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer
Product: [Other] Security Response
Component: vulnerability
Reporter: juneau
Assignee: Nobody <nobody>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: caswilli, fjansen, jwong, kaycoth, kshier, sthirugn, vkrizan
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.
Bug Blocks: 2115097

Description juneau 2022-08-04 12:07:55 UTC
This is claimed to be an instance of CVE-2019-17571 by the reporter. 

***

Visibility: Public
Type: Vulnerability
Reporter: Matthias Weckbecker
Environment: local by default
Component: product / service
Version: v0.30.0, v0.32.0
Permissions: user
Configuration: standard

Apache Kafka container w/ vulnerable log4j in Clowder

Severity

See references

Description

Clowder incorporated an old Apache Kafka container.
This container included a vulnerable version of log4j.

Recommendations

The issue has already been mitigated.
See GitHub PR in references.

Consider creating a tracker for this and forwarding it to me.

References

- https://github.com/RedHatInsights/clowder/pull/631
- https://quay.io/repository/cloudservices/cp-kafka?tab=tags&tag=5.3.2
- https://logging.apache.org/log4j/1.2/
- https://kafka.apache.org/cve-list
- https://github.com/qos-ch/reload4j
---
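The report above says an old Kafka image carried a log4j 1.x jar; the practical question for anyone triaging a similar container is how to tell, from the image contents alone, whether the log4j on the classpath is upstream 1.2 (which still ships org.apache.log4j.net.SocketServer, the class behind CVE-2019-17571, and has no fixed 1.x release) or the reload4j fork the references point at. The following scanner is an added example written for this page, not code from the Clowder project or from the original report. It assumes the Maven coordinates as the tell (upstream log4j 1.2 publishes under groupId `log4j`, reload4j under `ch.qos.reload4j`), keys on the presence of the SocketServer class entry so shaded jars are caught too, and builds a constructed, labelled stand-in for an image's lib directory so it runs offline; point `scan_tree()` at a rootfs unpacked from `podman save` to use it for real.

```python
"""Added example (not part of the original report or of Clowder): scan a directory
tree, e.g. a container rootfs unpacked from `podman save`, for jars that still
ship org.apache.log4j.net.SocketServer (CVE-2019-17571).  Assumption used as the
tell: upstream log4j 1.2 has Maven groupId `log4j`, the reload4j fork
`ch.qos.reload4j`.  The sample jars below are constructed, not real artifacts."""
import os
import tempfile
import zipfile
from dataclasses import dataclass

SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"


@dataclass
class Finding:
    path: str
    group_id: str
    version: str
    verdict: str


def read_pom_properties(zf: zipfile.ZipFile) -> dict:
    """Parse the first META-INF/maven/<g>/<a>/pom.properties in the jar (key=value lines)."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            return props
    return {}


def classify_jar(path: str):
    """Return a Finding for a jar carrying SocketServer, or None if it does not (or is unreadable)."""
    try:
        with zipfile.ZipFile(path) as zf:
            if SOCKET_SERVER not in zf.namelist():
                return None
            props = read_pom_properties(zf)
    except (zipfile.BadZipFile, OSError):
        return None
    gid = props.get("groupId", "?")
    ver = props.get("version", "?")
    if gid == "log4j":
        verdict = "VULNERABLE: upstream log4j 1.x ships SocketServer (CVE-2019-17571); no fixed 1.x release exists"
    elif gid == "ch.qos.reload4j":
        verdict = "reload4j fork: check this version against reload4j's release notes"
    else:
        verdict = "SocketServer present, origin unknown (shaded or relocated jar?): inspect manually"
    return Finding(path, gid, ver, verdict)


def scan_tree(root: str) -> list:
    """Walk root and classify every *.jar; keying on the class path also catches shaded/uber jars."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".jar"):
                finding = classify_jar(os.path.join(dirpath, fn))
                if finding:
                    findings.append(finding)
    return findings


def _make_jar(path, group_id, artifact_id, version, entries):
    """Build a constructed sample jar with a pom.properties and the given (empty) class entries."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(f"META-INF/maven/{group_id}/{artifact_id}/pom.properties",
                    f"groupId={group_id}\nartifactId={artifact_id}\nversion={version}\n")
        for entry in entries:
            zf.writestr(entry, b"")


def build_sample_tree(root):
    """Constructed stand-in for a Kafka image's lib dir: upstream log4j 1.2, reload4j, log4j 2."""
    lib = os.path.join(root, "usr", "share", "java", "kafka")
    os.makedirs(lib, exist_ok=True)
    _make_jar(os.path.join(lib, "log4j-1.2.17.jar"), "log4j", "log4j", "1.2.17",
              ["org/apache/log4j/Logger.class", SOCKET_SERVER])
    _make_jar(os.path.join(lib, "reload4j-1.2.18.1.jar"), "ch.qos.reload4j", "reload4j", "1.2.18.1",
              ["org/apache/log4j/Logger.class", SOCKET_SERVER])
    _make_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "org.apache.logging.log4j", "log4j-core",
              "2.17.1", ["org/apache/logging/log4j/core/Logger.class"])
    return lib


def demo() -> dict:
    """Scan the constructed tree; returns {jar basename: verdict}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return {os.path.basename(f.path): f.verdict for f in scan_tree(root)}


if __name__ == "__main__":
    for jar, verdict in demo().items():
        print(f"{jar}: {verdict}")
```

The verdict for a reload4j hit is deliberately "check the version" rather than "fixed": the class entry alone does not say what the fork did to it, and only the fork's own release notes do. A log4j 2 jar never matches because its classes live under org/apache/logging/log4j/, which is the whole reason the scan keys on the 1.x class path instead of the file name.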