Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data.

References:
https://logging.apache.org/log4j/1.2/
https://issues.apache.org/jira/browse/LOG4J2-1863
https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E
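The flaw described above is a log receiver that hands raw socket bytes to ObjectInputStream, so any class on the classpath can be instantiated by the peer. The following is an added illustration (not log4j code, and not the fix shipped in any advisory here) of the defensive pattern for such a receiver: a JEP 290 serialization allowlist that accepts only the one record type the receiver expects and rejects everything else. The LogRecord class, the class names in the filter string and the byte limits are assumptions for the demo.

```java
import java.io.*;
import java.util.ArrayList;

public class FilteredDeserialization {
    // Assumed stand-in for the single event type a log receiver expects; not log4j's LoggingEvent.
    public static final class LogRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        LogRecord(String message) { this.message = message; }
    }

    // Constructed input: serialize an object to bytes, as a client would send over the socket.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Allowlist filter: only LogRecord and String may be deserialized; "!*" rejects any other
    // class before its data is read, and the limits bound depth and total bytes of the stream.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxbytes=65536;FilteredDeserialization$LogRecord;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);   // must be set before the first readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = readFiltered(serialize(new LogRecord("hello")));
        System.out.println("accepted: " + ((LogRecord) ok).message);
        try {
            // An unexpected class (here a harmless ArrayList) is refused with InvalidClassException.
            readFiltered(serialize(new ArrayList<String>()));
            System.out.println("unexpected: ArrayList was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be installed process-wide with the jdk.serialFilter system property when the receiving code cannot be changed.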
Created log4j tracking bugs for this issue:
Affects: fedora-all [bug 1785617]

Created log4j12 tracking bugs for this issue:
Affects: fedora-all [bug 1785618]
There is no SocketServer in nodejs-log4js, setting Quay to not affected.
There is no SocketAppender, SocketServer or SocketNode usage in JON, setting JON to not affected.
Statement: This is the same issue as CVE-2017-5645. MITRE has assigned CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423. Also, the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417.

In Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code cannot be reached.
Red Hat Satellite bundles log4j-over-slf4j with Candlepin; however, the product is not affected as it uses the logback framework for logging.
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.4.8.SP1 Via RHSA-2022:0497 https://access.redhat.com/errata/RHSA-2022:0497
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.4.8.SP2 Via RHSA-2022:0507 https://access.redhat.com/errata/RHSA-2022:0507
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Extended Lifecycle Support Via RHSA-2022:5053 https://access.redhat.com/errata/RHSA-2022:5053