Bug 2182864 (CVE-2023-26464)

Summary: CVE-2023-26464 log4j1-socketappender: DoS via hashmap logging
Product: [Other] Security Response
Reporter: Chess Hazlett <chazlett>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abenaiss, aileenc, alampare, alazarot, alcohan, almacdon, anstephe, asoldano, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bdettelb, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, chfoley, clement.escoffier, cmiranda, cmoulliard, csutherl, dandread, darran.lofthouse, dfreiber, dhanak, dkreling, doconnor, dosoudil, drichtar, drow, ecerquei, eglynn, ehelms, ellin, emingora, fjuma, ggainey, gjospin, gkamathe, gmalinko, gparvin, gsmet, hamadhan, hbraun, hhorak, ibek, ikanello, istudens, ivassile, iweiss, janstey, jburrell, jcantril, jclere, jjoyce, jkang, jkoops, jmartisk, jolee, jorton, jpavlik, jrokos, jross, jschatte, jschluet, jscholz, jsherril, jstastny, juwatts, jvanek, jwendell, kverlaen, lbacciot, lgao, lhh, lsvaty, lthon, lzap, manderse, max.andersen, mburns, mgarciac, mhulan, mizdebsk, mkoncek, mmadzin, mmcspadd, mnovotny, mosmerov, msochure, msvehla, myarboro, nboldt, njean, nmoumoul, nwallace, olubyans, orabin, owatkins, pahickey, pcongius, pcreech, pdrozd, peholase, periklis, pesilva, pgallagh, pgrist, pjindal, plodge, pmackay, porcelli, probinso, pskopek, rcernich, rchan, rguimara, rhaigner, rhcs-maint, rjohnson, rkieley, rmartinc, rogbas, rojacob, rowaters, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, scorneli, sdawley, sdouglas, shbose, smaestri, smallamp, spower, stcannon, sthorger, swoodman, szappis, teagle, tom.jenkinson, tqvarnst, twalsh, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Chainsaw and SocketAppender components of Log4j 1.x when run on a JRE older than 1.7. An attacker may be able to send a logging entry containing a specially crafted HashMap or Hashtable (depending on which logging component is in use) that, when the object is deserialized, exhausts the available memory of the virtual machine, resulting in a Denial of Service. This issue affects Apache Log4j before version 2.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-06-19 20:38:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2182903, 2182893, 2182906, 2182907, 2182908, 2182909, 2182910, 2182911, 2182912, 2182913, 2182914, 2182915, 2182916, 2182917, 2182918, 2182919, 2182920, 2182921, 2182922, 2182923, 2182924, 2182925, 2182926, 2182927, 2182928
Bug Blocks: 2048808
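The Doc Text above states exposure as two conditions: a Log4j 1.x SocketAppender (or Chainsaw) receiving serialized logging events, and a JRE older than 1.7. The following Python script is an added example, not code from Red Hat, Apache Log4j or this bug's reporter; it inventories log4j.properties and log4j.xml configurations for the SocketAppender class and checks a java.version string against the 1.7 boundary so both conditions can be assessed together. The sample configuration text and the hostname logserver.example.internal are constructed for the example, and the set AFFECTED_APPENDER_CLASSES is an assumption limited to the appender class the Doc Text names.

```python
"""Inventory Log4j 1.x configurations for the SocketAppender named in
CVE-2023-26464 and check whether the JRE is in the affected range (< 1.7).
Added example; not code from Red Hat or the Apache Log4j project."""
import re
import xml.etree.ElementTree as ET

# Appender class named in the advisory text. Chainsaw is a receiving GUI, not a
# configured appender, so it cannot be found in an application's log4j config.
# (Assumed list for this example; extend it after your own assessment.)
AFFECTED_APPENDER_CLASSES = {"org.apache.log4j.net.SocketAppender"}

# log4j.appender.<name>=<class>
_CLASS_RE = re.compile(r"^\s*log4j\.appender\.([^.\s=]+)\s*=\s*(\S+)\s*$")
# log4j.appender.<name>.<param>=<value>
_PARAM_RE = re.compile(r"^\s*log4j\.appender\.([^.\s=]+)\.([^.\s=]+)\s*=\s*(.*?)\s*$")


def find_affected_appenders_properties(text):
    """Return affected appenders (name, class, params) from a log4j.properties document."""
    appenders, params = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue  # blank line or properties-file comment
        m = _CLASS_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
            continue
        m = _PARAM_RE.match(line)
        if m:
            params.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return [
        {"name": name, "class": cls, **params.get(name, {})}
        for name, cls in appenders.items()
        if cls in AFFECTED_APPENDER_CLASSES
    ]


def find_affected_appenders_xml(text):
    """Return affected appenders from a log4j.xml (DOMConfigurator) document."""
    found = []
    for app in ET.fromstring(text).iter("appender"):
        cls = app.get("class", "")
        if cls in AFFECTED_APPENDER_CLASSES:
            entry = {"name": app.get("name"), "class": cls}
            for p in app.findall("param"):
                entry[p.get("name")] = p.get("value")
            found.append(entry)
    return found


def jre_below_1_7(java_version):
    """True when a java.version string (e.g. '1.6.0_45') is older than 1.7.
    JDK 9 and later report '9', '11.0.2', '17.0.2', ... and are never below 1.7."""
    nums = []
    for part in re.split(r"[._-]", java_version.strip()):
        if not part.isdigit():
            break  # stop at qualifiers such as 'ea' or 'internal'
        nums.append(int(part))
    if not nums:
        raise ValueError(f"unrecognised java.version: {java_version!r}")
    if nums[0] != 1:
        return False
    minor = nums[1] if len(nums) > 1 else 0
    return minor < 7


def assess(findings, java_version):
    """Combine the two conditions from the advisory into one verdict string."""
    if not findings:
        return "no-affected-appender"
    if jre_below_1_7(java_version):
        return "exposed"
    return "appender-present-jre-not-affected"


# Constructed sample inputs for the example (not taken from any real system).
SAMPLE_PROPERTIES = """
# constructed sample log4j.properties
log4j.rootLogger=INFO, remote, console
log4j.appender.remote=org.apache.log4j.net.SocketAppender
log4j.appender.remote.RemoteHost=logserver.example.internal
log4j.appender.remote.Port=4560
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
"""

SAMPLE_XML = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="remote" class="org.apache.log4j.net.SocketAppender">
    <param name="RemoteHost" value="logserver.example.internal"/>
    <param name="Port" value="4560"/>
  </appender>
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <root><level value="INFO"/><appender-ref ref="remote"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    found = find_affected_appenders_properties(SAMPLE_PROPERTIES) + find_affected_appenders_xml(SAMPLE_XML)
    for f in found:
        print(f"appender {f['name']} -> {f.get('RemoteHost')}:{f.get('Port')} ({f['class']})")
    print("verdict:", assess(found, "1.6.0_45"))
```

Feed it the configuration files the application actually loads and the `java.version` value of the runtime that executes them; a SocketAppender hit on a JRE below 1.7 is the combination the advisory describes, and the remediation tracked on this page is the errata update rather than a configuration change.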

Description Chess Hazlett 2023-03-29 19:57:08 UTC
Deserialization of a specially-crafted logging entry involving hashmap or hashtable could cause Denial of Service by exhausting the available memory in the virtual machine. This issue appears to affect only Java 1.6 or older versions.

Comment 1 Chess Hazlett 2023-03-29 21:56:00 UTC
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 2182893]

Comment 2 Chess Hazlett 2023-03-29 22:41:28 UTC
Created log4j-jboss-logmanager tracking bugs for this issue:

Affects: epel-all [bug 2182903]

Comment 6 Marek Novotny 2023-03-30 09:44:35 UTC
The CVE says it is vulnerable only on Java runtimes less than 1.7, which have basically not been used for products in the last 2 years.
"When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7"

Please consider evaluating this when reporting more bugs, and do not make noise if that is out of range ;)

Comment 16 errata-xmlrpc 2023-06-19 10:13:14 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663

Comment 17 Product Security DevOps Team 2023-06-19 20:37:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-26464

Comment 19 errata-xmlrpc 2023-10-05 20:18:30 UTC
This issue has been addressed in the following products:

  EAP 7.4.13

Via RHSA-2023:5488 https://access.redhat.com/errata/RHSA-2023:5488

Comment 20 errata-xmlrpc 2023-10-05 20:21:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:5484 https://access.redhat.com/errata/RHSA-2023:5484

Comment 21 errata-xmlrpc 2023-10-05 20:22:12 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:5485 https://access.redhat.com/errata/RHSA-2023:5485

Comment 22 errata-xmlrpc 2023-10-05 20:23:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:5486 https://access.redhat.com/errata/RHSA-2023:5486

Comment 24 errata-xmlrpc 2024-11-25 00:10:34 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7

Via RHSA-2024:10208 https://access.redhat.com/errata/RHSA-2024:10208

Comment 25 errata-xmlrpc 2024-11-25 00:11:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7

Via RHSA-2024:10207 https://access.redhat.com/errata/RHSA-2024:10207