When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. References: http://seclists.org/oss-sec/2017/q2/78 Upstream bug: https://issues.apache.org/jira/browse/LOG4J2-1863
Created log4j tracking bugs for this issue: Affects: fedora-all [bug 1443637]
JBoss Fuse ships log4j in the karaf/pax logging, cxf, fabric8, activemq and hawtio components.
Both EAP 5 and JON3 don't have the affected Tcp and Udp SocketServer classes.
Created log4j12 tracking bugs for this issue: Affects: fedora-all [bug 1457722]
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:1417 https://access.redhat.com/errata/RHSA-2017:1417
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2017:1801 https://access.redhat.com/errata/RHSA-2017:1801
This issue has been addressed in the following products: Red Hat JBoss Web Server 3.1.1 Via RHSA-2017:1802 https://access.redhat.com/errata/RHSA-2017:1802
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2423 https://access.redhat.com/errata/RHSA-2017:2423
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2017:2633 https://access.redhat.com/errata/RHSA-2017:2633
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2017:2636 https://access.redhat.com/errata/RHSA-2017:2636
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2017:2637 https://access.redhat.com/errata/RHSA-2017:2637
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:2635 https://access.redhat.com/errata/RHSA-2017:2635
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:2638 https://access.redhat.com/errata/RHSA-2017:2638
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0.8 Via RHSA-2017:2810 https://access.redhat.com/errata/RHSA-2017:2810
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Via RHSA-2017:2808 https://access.redhat.com/errata/RHSA-2017:2808
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2017:2809 https://access.redhat.com/errata/RHSA-2017:2809
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2017:2811 https://access.redhat.com/errata/RHSA-2017:2811
This issue has been addressed in the following products: Red Hat JBoss BRMS Via RHSA-2017:2888 https://access.redhat.com/errata/RHSA-2017:2888
This issue has been addressed in the following products: Red Hat JBoss BPM Suite Via RHSA-2017:2889 https://access.redhat.com/errata/RHSA-2017:2889
This issue has been addressed in the following products: Red Hat JBoss Data Grid Via RHSA-2017:3244 https://access.redhat.com/errata/RHSA-2017:3244
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 5.2 security update Via RHSA-2017:3400 https://access.redhat.com/errata/RHSA-2017:3400
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Via RHSA-2017:3399 https://access.redhat.com/errata/RHSA-2017:3399
This was fixed for OCP 3.5, and 3.6 here: https://access.redhat.com/errata/RHBA-2017:2548
This issue has been addressed in the following products: Red Hat Fuse 7.3.1 Via RHSA-2019:1545 https://access.redhat.com/errata/RHSA-2019:1545
Statement: The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x.
It was found that vulnerable versions of log4j were shipped (embedded) within io.hawt:hawtio-osgi:war:*; however, the embedded library is not used, nor is the vulnerable TCP/UDP server functionality. Due to this we've marked Fuse-7 and AMQ-7 as being affected (it is shipped and will) but having a low impact (it is not used).
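The description at the top of this bug (a deserializing TCP/UDP SocketServer in log4j) and the hawtio comment above (a vulnerable log4j jar embedded inside a WAR but never used) both come down to the same triage question: which archives on a host ship the socket-server classes at all. The script below is an added example for that triage; it is not Red Hat's or the log4j project's code. It walks a JAR/WAR, descends into nested jars (the hawtio-osgi WAR case), and reports the log4j 1.x SocketServer/SocketNode and log4j 2.x TcpSocketServer/UdpSocketServer class entries together with the jar's Maven version. The sample WAR it scans when run without arguments is constructed inline (placeholder class bytes, a made-up util-1.0.jar) and only models the shipped-but-unused layout described above; pass a real path as the first argument to scan an actual artifact.

```python
"""Added triage helper (not Red Hat's or the log4j project's code): report whether
a JAR/WAR ships the log4j socket-server classes, including inside nested jars."""
import io
import zipfile

# Class files implementing the deserializing log-event receivers.
SOCKET_SERVER_CLASSES = {
    # log4j 1.x (CVE-2019-17571): SocketServer accepts connections, SocketNode
    # reads serialized LoggingEvents from each one with ObjectInputStream.
    "org/apache/log4j/net/SocketServer.class": "log4j 1.x SocketServer",
    "org/apache/log4j/net/SocketNode.class": "log4j 1.x SocketNode",
    # log4j 2.x (CVE-2017-5645)
    "org/apache/logging/log4j/core/net/server/TcpSocketServer.class": "log4j 2.x TcpSocketServer",
    "org/apache/logging/log4j/core/net/server/UdpSocketServer.class": "log4j 2.x UdpSocketServer",
}

# Maven metadata carried by build-tool-produced log4j jars; used to read the version.
POM_PROPERTIES = (
    "META-INF/maven/log4j/log4j/pom.properties",
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
)

NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _version_from_pom(zf):
    """Best-effort: return the version= value from Maven pom.properties, else None."""
    names = set(zf.namelist())
    for path in POM_PROPERTIES:
        if path in names:
            for line in zf.read(path).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def scan_archive(data, name="<archive>", depth=0, max_depth=4):
    """Return findings as dicts (archive path outer!/inner, class entry, label,
    Maven version or None). Recurses into nested archives up to max_depth."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container (or corrupt): nothing to report
    with zf:
        version = _version_from_pom(zf)
        for entry in zf.namelist():
            if entry in SOCKET_SERVER_CLASSES:
                findings.append({"archive": name, "entry": entry,
                                 "label": SOCKET_SERVER_CLASSES[entry],
                                 "version": version})
            elif entry.lower().endswith(NESTED_SUFFIXES) and depth < max_depth:
                findings.extend(scan_archive(zf.read(entry), f"{name}!/{entry}",
                                             depth + 1, max_depth))
    return findings


def _jar(entries):
    """Build an in-memory zip from {path: bytes} (used only for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, blob in entries.items():
            zf.writestr(path, blob)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample modelled on the hawtio case: a WAR embedding an old
    log4j 1.2 jar (socket-server classes present) next to an unrelated library.
    Class bytes are placeholders, not real bytecode."""
    log4j_jar = _jar({
        "META-INF/maven/log4j/log4j/pom.properties":
            b"version=1.2.17\ngroupId=log4j\nartifactId=log4j\n",
        "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe",
        "org/apache/log4j/net/SocketServer.class": b"\xca\xfe\xba\xbe",
        "org/apache/log4j/net/SocketNode.class": b"\xca\xfe\xba\xbe",
    })
    clean_jar = _jar({"com/example/util/Strings.class": b"\xca\xfe\xba\xbe"})
    return _jar({
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/log4j-1.2.17.jar": log4j_jar,
        "WEB-INF/lib/util-1.0.jar": clean_jar,
    })


def summarize(findings):
    """One line per finding, in the form you would paste into a bug comment."""
    return [f"{f['archive']} ships {f['label']} (version {f['version'] or 'unknown'})"
            for f in findings]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            results = scan_archive(fh.read(), sys.argv[1])
    else:
        results = scan_archive(build_sample_war(), "hawtio-sample.war")
    for line in summarize(results) or ["no log4j socket-server classes found"]:
        print(line)
```

A hit here only proves the classes are shipped, which is exactly the "affected, low impact" distinction drawn for Fuse 7 and AMQ 7 above: the receiver is only dangerous when something actually starts it (for log4j 1.x that is a process running org.apache.log4j.net.SocketServer, which you would see in the command line and as a listening TCP port). Pair the archive scan with a check of listening sockets and running JVM command lines before rating exposure.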
This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140