Bug 1443635 (CVE-2017-5645) - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability
Summary: CVE-2017-5645 log4j: Socket receiver deserialization vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-5645
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1443637 1457722 1457756 1457757 1467261 1467262 1467885 1467886 1467894 1469402 1537683 1537684
Blocks: 1443639 1446025 1485997 1493931 1495452 1497821 1507638
Reported: 2017-04-19 15:19 UTC by Andrej Nemec
Modified: 2021-08-11 18:22 UTC (History)

Fixed In Version: log4j 2.8.2
Clone Of:
Environment:
Last Closed: 2019-06-08 03:10:48 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBPAPP-11265 0 Major Resolved [GSS](5.2.0 patch) CVE-2017-5645 log4j: Socket receiver deserialization vulnerability 2020-07-10 19:33:31 UTC
Red Hat Product Errata RHSA-2017:1417 0 normal SHIPPED_LIVE Important: rh-java-common-log4j security update 2017-06-08 11:52:05 UTC
Red Hat Product Errata RHSA-2017:1801 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 Service Pack 1 security update 2017-07-25 20:44:35 UTC
Red Hat Product Errata RHSA-2017:1802 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server Service Pack 1 security update 2017-07-25 21:46:13 UTC
Red Hat Product Errata RHSA-2017:2423 0 normal SHIPPED_LIVE Important: log4j security update 2017-08-07 12:41:14 UTC
Red Hat Product Errata RHSA-2017:2633 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.17 update 2017-09-05 18:32:20 UTC
Red Hat Product Errata RHSA-2017:2635 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.17 update on RHEL 6 2017-09-05 19:07:46 UTC
Red Hat Product Errata RHSA-2017:2636 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.17 update on RHEL 7 2017-09-05 19:01:10 UTC
Red Hat Product Errata RHSA-2017:2637 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.17 update on RHEL 5 2017-09-05 19:04:25 UTC
Red Hat Product Errata RHSA-2017:2638 0 normal SHIPPED_LIVE Important: jboss-ec2-eap security, bug fix, and enhancement update 2017-09-05 19:36:46 UTC
Red Hat Product Errata RHSA-2017:2808 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform security update 2017-09-26 22:39:54 UTC
Red Hat Product Errata RHSA-2017:2809 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform security update 2017-09-26 22:51:56 UTC
Red Hat Product Errata RHSA-2017:2810 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform security update 2017-09-26 21:58:02 UTC
Red Hat Product Errata RHSA-2017:2811 0 normal SHIPPED_LIVE Important: eap7-jboss-ec2-eap security update 2017-09-26 23:14:16 UTC
Red Hat Product Errata RHSA-2017:2888 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.4.6 security update 2017-10-13 01:59:23 UTC
Red Hat Product Errata RHSA-2017:2889 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.4.6 security update 2017-10-13 01:59:42 UTC
Red Hat Product Errata RHSA-2017:3244 0 normal SHIPPED_LIVE Important: Red Hat JBoss Data Grid 7.1.1 security update 2017-11-17 00:52:09 UTC
Red Hat Product Errata RHSA-2017:3399 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 5.2 security update 2017-12-07 22:17:54 UTC
Red Hat Product Errata RHSA-2017:3400 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 5.2 security update 2017-12-07 22:05:34 UTC
Red Hat Product Errata RHSA-2019:1545 0 None None None 2019-06-18 19:52:36 UTC
Red Hat Product Errata RHSA-2021:3140 0 None None None 2021-08-11 18:22:17 UTC

Description Andrej Nemec 2017-04-19 15:19:47 UTC
When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

References:

http://seclists.org/oss-sec/2017/q2/78

Upstream bug:

https://issues.apache.org/jira/browse/LOG4J2-1863

Comment 1 Andrej Nemec 2017-04-19 15:23:40 UTC
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 1443637]

Comment 4 Hooman Broujerdi 2017-04-21 01:10:32 UTC
JBoss Fuse ships log4j in the karaf/pax logging, cxf, fabric8, activemq and hawtio components.

Comment 5 Jason Shepherd 2017-04-21 01:28:12 UTC
Both EAP 5 and JON3 don't have the affected Tcp and Udp SocketServer classes.

Comment 8 Cedric Buissart 2017-06-01 07:56:54 UTC
Created log4j12 tracking bugs for this issue:

Affects: fedora-all [bug 1457722]

Comment 12 errata-xmlrpc 2017-06-08 07:52:26 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:1417 https://access.redhat.com/errata/RHSA-2017:1417

Comment 18 errata-xmlrpc 2017-07-25 16:46:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:1801 https://access.redhat.com/errata/RHSA-2017:1801

Comment 19 errata-xmlrpc 2017-07-25 17:47:19 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.1

Via RHSA-2017:1802 https://access.redhat.com/errata/RHSA-2017:1802

Comment 21 errata-xmlrpc 2017-08-07 08:41:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2423 https://access.redhat.com/errata/RHSA-2017:2423

Comment 25 errata-xmlrpc 2017-09-05 14:32:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:2633 https://access.redhat.com/errata/RHSA-2017:2633

Comment 26 errata-xmlrpc 2017-09-05 15:12:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:2636 https://access.redhat.com/errata/RHSA-2017:2636

Comment 27 errata-xmlrpc 2017-09-05 15:13:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:2637 https://access.redhat.com/errata/RHSA-2017:2637

Comment 28 errata-xmlrpc 2017-09-05 15:14:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:2635 https://access.redhat.com/errata/RHSA-2017:2635

Comment 29 errata-xmlrpc 2017-09-05 15:37:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:2638 https://access.redhat.com/errata/RHSA-2017:2638

Comment 30 errata-xmlrpc 2017-09-26 17:58:48 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0.8

Via RHSA-2017:2810 https://access.redhat.com/errata/RHSA-2017:2810

Comment 31 errata-xmlrpc 2017-09-26 18:41:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2017:2808 https://access.redhat.com/errata/RHSA-2017:2808

Comment 32 errata-xmlrpc 2017-09-26 18:53:50 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:2809 https://access.redhat.com/errata/RHSA-2017:2809

Comment 33 errata-xmlrpc 2017-09-26 19:15:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:2811 https://access.redhat.com/errata/RHSA-2017:2811

Comment 34 errata-xmlrpc 2017-10-12 22:00:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS

Via RHSA-2017:2888 https://access.redhat.com/errata/RHSA-2017:2888

Comment 35 errata-xmlrpc 2017-10-12 22:01:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite

Via RHSA-2017:2889 https://access.redhat.com/errata/RHSA-2017:2889

Comment 36 errata-xmlrpc 2017-11-16 19:52:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Grid

Via RHSA-2017:3244 https://access.redhat.com/errata/RHSA-2017:3244

Comment 37 errata-xmlrpc 2017-12-07 17:05:53 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 5.2 security update

Via RHSA-2017:3400 https://access.redhat.com/errata/RHSA-2017:3400

Comment 38 errata-xmlrpc 2017-12-07 17:18:39 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 5 for RHEL 5
  Red Hat JBoss Enterprise Application Platform 5 for RHEL 6

Via RHSA-2017:3399 https://access.redhat.com/errata/RHSA-2017:3399

Comment 44 Jason Shepherd 2018-03-27 01:26:22 UTC
This was fixed for OCP 3.5 and 3.6 here: https://access.redhat.com/errata/RHBA-2017:2548

Comment 47 errata-xmlrpc 2019-06-18 19:52:33 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.3.1

Via RHSA-2019:1545 https://access.redhat.com/errata/RHSA-2019:1545

Comment 49 Huzaifa S. Sidhpurwala 2020-01-03 05:30:37 UTC
Statement:

The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x.

Comment 50 Jonathan Christison 2021-06-17 11:31:49 UTC
It was found that vulnerable versions of log4j were shipped (embedded) within io.hawt:hawtio-osgi:war:*; however, neither the embedded library nor the vulnerable TCP/UDP server functionality is used. Due to this we've marked Fuse-7 and AMQ-7 as being affected (it is shipped and will) but having a low impact (it is not used).

Comment 52 errata-xmlrpc 2021-08-11 18:22:11 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140

