Bug 2115318 - CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer
Summary: CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer
Keywords:
Status: NEW
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2115097
Reported: 2022-08-04 12:07 UTC by juneau
Modified: 2023-07-07 08:31 UTC (History)
CC List: 7 users

Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was discovered in Log4j: its SocketServer class deserializes untrusted data. Combined with a deserialization gadget, this flaw allows an attacker to execute arbitrary code remotely.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description juneau 2022-08-04 12:07:55 UTC
This is claimed to be an instance of CVE-2019-17571 by the reporter.

***

Visibility: Public
Type: Vulnerability
Reporter: Matthias Weckbecker
Environment: local by default
Component: product / service
Version: v0.30.0, v0.32.0
Permissions: user
Configuration: standard

Apache Kafka container w/ vulnerable log4j in Clowder

Severity

See references

Description

Clowder incorporated an old Apache Kafka container.
This container included a vulnerable version of log4j.

Recommendations

The issue has already been mitigated.
See GitHub PR in references.

Consider creating a tracker for this and forwarding it to me.

References

- https://github.com/RedHatInsights/clowder/pull/631
- https://quay.io/repository/cloudservices/cp-kafka?tab=tags&tag=5.3.2
- https://logging.apache.org/log4j/1.2/
- https://kafka.apache.org/cve-list
- https://github.com/qos-ch/reload4j
---

