Bug 1785616 (CVE-2019-17571) - CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer
Summary: CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-17571
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1785617 1785618 1786012 1786013 1786014 1792863 2088650
Blocks: 1785622
TreeView+ depends on / blocked
 
Reported: 2019-12-20 13:12 UTC by msiddiqu
Modified: 2024-03-25 15:35 UTC (History)
113 users (show)

Fixed In Version: log4j 2.8.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.
Clone Of:
Environment:
Last Closed: 2021-10-25 22:14:36 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:0497 0 None None None 2022-02-09 13:11:18 UTC
Red Hat Product Errata RHSA-2022:0507 0 None None None 2022-02-10 17:26:49 UTC
Red Hat Product Errata RHSA-2022:5053 0 None None None 2022-06-15 10:43:37 UTC

Description msiddiqu 2019-12-20 13:12:29 UTC 
Included in Log4j 1.2 is a SocketServer class that is vulnerable to
deserialization of untrusted data which can be exploited to remotely
execute arbitrary code when combined with a deserialization gadget
when listening to untrusted network traffic for log data.

References: 

https://logging.apache.org/log4j/1.2/
https://issues.apache.org/jira/browse/LOG4J2-1863
https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E
Comment 1 msiddiqu 2019-12-20 13:13:06 UTC 
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 1785617]


Created log4j12 tracking bugs for this issue:

Affects: fedora-all [bug 1785618]
Comment 2 Jason Shepherd 2019-12-23 02:12:58 UTC 
There is no SocketServer in nodejs-log4js, setting Quay to not affected.
Comment 3 Jason Shepherd 2019-12-23 02:20:28 UTC 
There is no SocketServer in nodejs-log4js, setting Quay to not affected.
Comment 7 Ted Jongseok Won 2019-12-23 17:42:28 UTC 
There is no SoketAppender, SocketServer and SocketNode usage in JON, setting JON to not affected.
Comment 19 Cedric Buissart 2020-02-06 10:04:05 UTC 
Statement:

This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.
Also the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417

In Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.
Comment 30 Yadnyawalk Tale 2022-02-03 13:08:27 UTC 
Red Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.
Comment 31 errata-xmlrpc 2022-02-09 13:11:13 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.4.8.SP1

Via RHSA-2022:0497 https://access.redhat.com/errata/RHSA-2022:0497
Comment 32 errata-xmlrpc 2022-02-10 17:26:43 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.4.8.SP2

Via RHSA-2022:0507 https://access.redhat.com/errata/RHSA-2022:0507
Comment 35 errata-xmlrpc 2022-06-15 10:43:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:5053 https://access.redhat.com/errata/RHSA-2022:5053
Note You need to log in before you can comment on or make changes to this bug.