Bug 1785616 (CVE-2019-17571) - CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer
Summary: CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer
Keywords:
Status: NEW
Alias: CVE-2019-17571
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1785617 1785618 1786012 1786013 1786014 1792863
Blocks: 1785622
Reported: 2019-12-20 13:12 UTC by msiddiqu
Modified: 2020-03-23 12:16 UTC (History)

Fixed In Version: log4j 2.8.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.
Clone Of:
Environment:
Last Closed:



Description msiddiqu 2019-12-20 13:12:29 UTC
Included in Log4j 1.2 is a SocketServer class that is vulnerable to
deserialization of untrusted data which can be exploited to remotely
execute arbitrary code when combined with a deserialization gadget
when listening to untrusted network traffic for log data.

References: 

https://logging.apache.org/log4j/1.2/
https://issues.apache.org/jira/browse/LOG4J2-1863
https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E

Comment 1 msiddiqu 2019-12-20 13:13:06 UTC
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 1785617]


Created log4j12 tracking bugs for this issue:

Affects: fedora-all [bug 1785618]

Comment 2 Jason Shepherd 2019-12-23 02:12:58 UTC
There is no SocketServer in nodejs-log4js, setting Quay to not affected.

Comment 7 Ted (Jong Seok) Won 2019-12-23 17:42:28 UTC
There is no SocketAppender, SocketServer or SocketNode usage in JON, setting JON to not affected.

Comment 19 Cedric Buissart 🐶 2020-02-06 10:04:05 UTC
Statement:

This is the same issue as CVE-2017-5645. MITRE has assigned CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.
The rh-java-common-log4j package shipped with Red Hat Software Collections was also addressed via RHSA-2017:1417.

In Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.

