Deserialization of a specially-crafted logging entry containing a HashMap or Hashtable could cause a Denial of Service by exhausting the available memory of the virtual machine. This issue appears to affect only Java 1.6 or older versions.
Created log4j tracking bugs for this issue: Affects: fedora-all [bug 2182893]
Created log4j-jboss-logmanager tracking bugs for this issue: Affects: epel-all [bug 2182903]
The CVE says it is vulnerable only on Java runtimes older than 1.7, which are basically not used in products in the last 2 years: "When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7". Please consider evaluating this when reporting more bugs, and do not make noise if it is out of that range ;)
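As an added triage example (not part of this bug report and not Log4j's own code), the following Python script encodes the two conditions that have to hold together according to the description and the comment above: a JRE older than 1.7, and a Log4j 1.x jar on the classpath that ships the classes behind SocketAppender/SocketServer and Chainsaw. The marker class names (org/apache/log4j/net/SocketNode.class and the org/apache/log4j/chainsaw/ package) and the sample jar contents are assumptions constructed for the example.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional

# Assumed marker classes (not stated on the page): the log4j 1.x receiver used by
# SocketAppender/SocketServer, and the Chainsaw package shipped in log4j 1.2 jars.
SOCKET_NODE_CLASS = "org/apache/log4j/net/SocketNode.class"
CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"

_VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?')


def java_feature_release(version_output: str) -> Optional[int]:
    """Map the first line of `java -version` to a feature release number.

    Pre-9 JREs print "1.6.0_45" / "1.8.0_292" (feature 6 / 8); 9+ print "17.0.2".
    Returns None when the text does not look like java -version output.
    """
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    major = int(m.group(1))
    minor = int(m.group(2) or 0)
    return minor if major == 1 else major


def jre_in_affected_range(feature: Optional[int]) -> bool:
    """CVE-2023-26464 applies only to runtimes older than 1.7 (feature < 7)."""
    return feature is not None and feature < 7


def log4j1_network_classes(jar_bytes: bytes) -> List[str]:
    """Return the SocketNode/Chainsaw class entries found in a jar (empty if none)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
    return sorted(n for n in names
                  if n == SOCKET_NODE_CLASS or n.startswith(CHAINSAW_PREFIX))


def assess(version_output: str, jars: Dict[str, bytes]) -> Dict[str, object]:
    """Combine the JRE check with the jar scan; both must hold for exposure."""
    feature = java_feature_release(version_output)
    exposed = {name: hits for name, hits in
               ((n, log4j1_network_classes(b)) for n, b in jars.items()) if hits}
    jre_old = jre_in_affected_range(feature)
    if jre_old and exposed:
        verdict = "exposed"
    elif exposed:
        verdict = "components present, JRE not in affected range"
    else:
        verdict = "not exposed"
    return {"jre_feature": feature, "jre_affected": jre_old,
            "exposed_jars": exposed, "verdict": verdict}


def build_jar(entries: List[str]) -> bytes:
    """Build an in-memory jar with empty class entries (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed sample inputs: a log4j 1.2 jar carrying the network classes and a
# log4j 2.x jar that does not, checked against an old and a current JRE.
LOG4J12_JAR = build_jar(["org/apache/log4j/Logger.class", SOCKET_NODE_CLASS,
                         CHAINSAW_PREFIX + "Main.class"])
LOG4J2_JAR = build_jar(["org/apache/logging/log4j/Logger.class"])
OLD_JRE = 'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)'
NEW_JRE = 'openjdk version "17.0.2" 2022-01-18\nOpenJDK Runtime Environment (build 17.0.2+8)'

if __name__ == "__main__":
    for label, jre in (("JRE 6", OLD_JRE), ("JRE 17", NEW_JRE)):
        print(label, assess(jre, {"log4j-1.2.17.jar": LOG4J12_JAR,
                                  "log4j-core-2.20.0.jar": LOG4J2_JAR}))
```

In a real run, feed `assess()` the stderr of `java -version` from the JRE that actually launches the application and the jars from its classpath; a jar that merely ships the classes is only a finding when a SocketServer/Chainsaw receiver is also started, so treat "exposed" as a prompt to check the logging configuration rather than as a confirmed DoS.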
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.11 Via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-26464
This issue has been addressed in the following products: EAP 7.4.13 Via RHSA-2023:5488 https://access.redhat.com/errata/RHSA-2023:5488
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2023:5484 https://access.redhat.com/errata/RHSA-2023:5484
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2023:5485 https://access.redhat.com/errata/RHSA-2023:5485
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2023:5486 https://access.redhat.com/errata/RHSA-2023:5486