Bug 2333351 (CVE-2024-12798)
| Summary: | CVE-2024-12798 logback-core: arbitrary code execution via JaninoEventEvaluator | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abrianik, adupliak, asoldano, ataylor, bbaranow, bmaxwell, boliveir, brian.stansberry, caswilli, ccranfor, cdewolf, chazlett, chfoley, cmiranda, csutherl, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, fjuma, fmariani, gmalinko, ibek, istudens, ivassile, iweiss, janstey, jcantril, jclere, jkoops, jpechane, jpoth, jrokos, jscholz, kaycoth, kholdawa, kverlaen, lcouzens, lgao, mnovotny, mosmerov, mskarbek, msochure, msvehla, nwallace, parichar, pcongius, pdelbell, pdrozd, peholase, pesilva, pjindal, plodge, pmackay, pskopek, rguimara, rkieley, rmartinc, rojacob, rowaters, rstancel, rstepani, saroy, smaestri, sthorger, swoodman, szappis, tasato, tcunning, tom.jenkinson, yfang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in Logback. This flaw allows a privileged attacker with write access to modify Logback configuration files or inject a malicious environment variable to execute arbitrary code via the JaninoEventEvaluator extension.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This issue has been addressed in the following products: Red Hat build of Apache Camel 4.8.3 for Spring Boot Via RHSA-2025:1078 https://access.redhat.com/errata/RHSA-2025:1078 |
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto and including version 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.