Included in Log4j 1.2 is a SocketServer class that is vulnerable to
deserialization of untrusted data which can be exploited to remotely
execute arbitrary code when combined with a deserialization gadget
when listening to untrusted network traffic for log data.
Created log4j tracking bugs for this issue:
Affects: fedora-all [bug 1785617]
Created log4j12 tracking bugs for this issue:
Affects: fedora-all [bug 1785618]
There is no SocketServer in nodejs-log4js, setting Quay to not affected.
There is no SocketAppender, SocketServer or SocketNode usage in JON, setting JON to not affected.
This is the same issue as CVE-2017-5645. MITRE has assigned CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.
Also, the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417.
In Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code cannot be reached.
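The "not affected" assessments above rest on one check: whether the log4j 1.2 SocketServer/SocketNode classes are shipped and whether anything is configured to use socket logging. The following is an added example (not from this bug report or from Red Hat) of that reachability check, scanning a jar for the receiving-side classes and a log4j.properties for SocketAppender entries; the jar and properties it inspects are constructed inline.

```python
import io
import re
import zipfile

# Receiving-side classes: SocketServer accepts connections, SocketNode calls
# ObjectInputStream.readObject() on whatever the peer sends.
SOCKET_CLASSES = {
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
}
# Sending side; its presence suggests a SocketServer is listening somewhere.
SOCKET_APPENDERS = ("org.apache.log4j.net.SocketAppender",)


def find_socket_classes(jar_bytes):
    """Return the SocketServer/SocketNode entries present in a jar (zip) given as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(SOCKET_CLASSES.intersection(jar.namelist()))


def find_socket_appenders(properties_text):
    """Return appender names in a log4j.properties text that are SocketAppenders."""
    found = []
    for line in properties_text.splitlines():
        m = re.match(r"\s*log4j\.appender\.(\w+)\s*=\s*(\S+)", line)
        if m and m.group(2) in SOCKET_APPENDERS:
            found.append(m.group(1))
    return found


def assess(jar_bytes, properties_text):
    """Combine both checks into a verdict a triager can act on."""
    classes = find_socket_classes(jar_bytes)
    appenders = find_socket_appenders(properties_text)
    if not classes:
        verdict = "not vulnerable: SocketServer/SocketNode not shipped"
    elif appenders:
        verdict = "review: classes shipped and a SocketAppender is configured"
    else:
        verdict = "mitigated only if no SocketServer is ever started; remove the classes to be sure"
    return {"classes": classes, "appenders": appenders, "verdict": verdict}


def build_sample_jar(entries):
    """Constructed jar for demonstration: entries hold only the class-file magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


SAMPLE_JAR = build_sample_jar(["org/apache/log4j/Logger.class", *SOCKET_CLASSES])
SAMPLE_PROPS = """# constructed log4j.properties
log4j.rootLogger=INFO, remote
log4j.appender.remote=org.apache.log4j.net.SocketAppender
log4j.appender.remote.RemoteHost=loghost.example.invalid
"""
```

Run `assess(SAMPLE_JAR, SAMPLE_PROPS)` to see a "review" verdict; the same jar with the two classes deleted yields "not vulnerable".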