Description
ELSA-2017-2423: log4j security update (IMPORTANT)
[0:1.2.17-16]
- Fix socket receiver deserialization vulnerability
- Resolves: CVE-2017-5645
Updated packages
Oracle Linux 7

Oracle Linux aarch64
log4j          1.2.17-16.el7_4
log4j-javadoc  1.2.17-16.el7_4
log4j-manual   1.2.17-16.el7_4

Oracle Linux x86_64
log4j          1.2.17-16.el7_4
log4j-javadoc  1.2.17-16.el7_4
log4j-manual   1.2.17-16.el7_4
Related CVEs
Related vulnerabilities
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data; when it listens for log data on untrusted network traffic, this can be exploited to execute arbitrary code remotely when combined with a deserialization gadget. This affects Log4j 1.2 versions up to 1.2.17.