Bug 2182864 (CVE-2023-26464)
| Summary: | CVE-2023-26464 log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Chess Hazlett <chazlett> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abenaiss, aileenc, alampare, alazarot, almacdon, anstephe, asoldano, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bdettelb, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, csutherl, dandread, darran.lofthouse, dfreiber, dhanak, dkreling, dosoudil, drichtar, eglynn, ehelms, ellin, emingora, fjuma, gjospin, gmalinko, gparvin, gsmet, hamadhan, hbraun, hhorak, ibek, ikanello, ivassile, iweiss, janstey, jburrell, jcantril, jclere, jjoyce, jkang, jmartisk, jolee, jorton, jpavlik, jrokos, jross, jschatte, jscholz, jsherril, jstastny, jvanek, jwendell, kverlaen, lbacciot, lgao, lhh, lthon, lzap, max.andersen, mburns, mgarciac, mhulan, mizdebsk, mkoncek, mmadzin, mmcspadd, mnovotny, mosmerov, msochure, msvehla, myarboro, nboldt, njean, nmoumoul, nwallace, orabin, owatkins, pahickey, pcreech, pdrozd, peholase, periklis, pgallagh, pjindal, pmackay, probinso, pskopek, rcernich, rchan, rguimara, rhcs-maint, rjohnson, rkieley, rogbas, rowaters, rruss, rstancel, rsvoboda, sbiarozk, scorneli, sdouglas, shbose, smaestri, spower, stcannon, sthorger, swoodman, szappis, teagle, tom.jenkinson, twalsh, vkumar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in Chainsaw and SocketAppender components with Log4j 1.x on JRE, less than 1.7. This issue may allow an attacker to use a logging entry with a specially-crafted hashmap or hashtable, depending on which logging component is in use, to process and exhaust the available memory in the virtual machine, resulting in a Denial of Service when the object is deserialized. This issue affects Apache Log4j before version 2.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-06-19 20:38:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2182903, 2182907, 2182908, 2182893, 2182906, 2182909, 2182910, 2182911, 2182912, 2182913, 2182914, 2182915, 2182916, 2182917, 2182918, 2182919, 2182920, 2182921, 2182922, 2182923, 2182924, 2182925, 2182926, 2182927, 2182928 | ||
| Bug Blocks: | 2048808 | ||
|
Description
Chess Hazlett
2023-03-29 19:57:08 UTC
Created log4j tracking bugs for this issue: Affects: fedora-all [bug 2182893] Created log4j-jboss-logmanager tracking bugs for this issue: Affects: epel-all [bug 2182903] the CVE says it is vulnerable only on java runtimes less than 1.7, which is basically not used for products in last 2 years. "When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7" Please consider to evaluate this in reporting more bugs and do not make noise if that is out of the range ;) This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.11 Via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-26464 |