Description
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.
A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.
Statement
This is the same issue as CVE-2017-5645. MITRE has assigned CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423. Also, the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417. In Satellite 5.8, although the version of log4j shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code cannot be reached.
Mitigation
Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or, if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:

```properties
log4j.appender.file.layout=org.apache.log4j.JsonLayout
```
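The two mitigations above (remove the SocketServer classes from the shipped jar, or move SocketAppender configurations to JsonLayout) are both things a defender can audit. The script below is an added example written for this page, not Red Hat or Log4j project code: it checks a log4j jar for the listening-side classes and parses a log4j properties file to flag SocketAppender definitions that do not use the layout named in the mitigation. The jar contents, the `file` appender name and host/port values are constructed sample data; the class names `org.apache.log4j.net.SocketServer`, `org.apache.log4j.net.SimpleSocketServer` and `org.apache.log4j.net.SocketAppender` are the real Log4j 1.2 classes.

```python
import io
import zipfile

# Listening-side classes in log4j 1.2's org.apache.log4j.net package
# (known class names in log4j 1.2.17). The mitigation is to remove them.
SOCKET_SERVER_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
)

SOCKET_APPENDER_CLASS = "org.apache.log4j.net.SocketAppender"
# Layout the advisory's mitigation names for SocketAppender configurations.
RECOMMENDED_LAYOUT = "org.apache.log4j.JsonLayout"


def socket_server_classes_in_jar(jar_bytes):
    """Return the SocketServer class entries still present in a log4j jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
    return sorted(name for name in SOCKET_SERVER_CLASSES if name in names)


def parse_properties(text):
    """Minimal Java .properties parser: key=value (or key:value) lines,
    '#' and '!' comment lines, blank lines ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit_socket_appenders(props):
    """Map each SocketAppender name to its configured layout (None if unset).
    Assumes appender names contain no dots (log4j.appender.<name>=<class>)."""
    findings = {}
    prefix = "log4j.appender."
    for key, value in props.items():
        if key.startswith(prefix) and key.count(".") == 2 and value == SOCKET_APPENDER_CLASS:
            name = key[len(prefix):]
            findings[name] = props.get(f"{prefix}{name}.layout")
    return findings


def unsafe_socket_appenders(props):
    """Names of SocketAppenders not configured with the recommended layout."""
    return sorted(name for name, layout in audit_socket_appenders(props).items()
                  if layout != RECOMMENDED_LAYOUT)


def build_sample_jar(include_socket_server):
    """Constructed in-memory jar: a placeholder Logger.class plus, optionally,
    the SocketServer classes. Class bodies are dummy bytes, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        if include_socket_server:
            for name in SOCKET_SERVER_CLASSES:
                jar.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed configs: a SocketAppender with no layout set (serialized events)
# and the same appender with the layout the advisory recommends.
WEAK_CONFIG = """
# constructed example: SocketAppender left on the default serialized layout
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.net.SocketAppender
log4j.appender.file.RemoteHost=loghost.example.internal
log4j.appender.file.Port=4560
"""

HARDENED_CONFIG = WEAK_CONFIG + "log4j.appender.file.layout=org.apache.log4j.JsonLayout\n"


if __name__ == "__main__":
    for label, jar in (("unpatched", build_sample_jar(True)), ("stripped", build_sample_jar(False))):
        print(f"{label} jar: SocketServer classes present = {socket_server_classes_in_jar(jar)}")
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label} config: appenders needing attention = {unsafe_socket_appenders(parse_properties(cfg))}")
```

Run against a real deployment by reading the jar bytes from the shipped log4j artifact and the text of the log4j-server.properties file; an empty list from both checks means the two mitigations from the advisory are in place for that host.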
Affected Packages
Platform | Package | State | Advisory | Release
---|---|---|---|---
Red Hat AMQ Broker 7 | log4j | Not affected | |
Red Hat BPM Suite 6 | log4j | Not affected | |
Red Hat CodeReady Studio 12 | log4j | Affected | |
Red Hat Enterprise Linux 5 | log4j | Will not fix | |
Red Hat Enterprise Linux 8 | parfait:0.5/log4j12 | Not affected | |
Red Hat Fuse 7 | log4j | Not affected | |
Red Hat Fuse 7 | log4j-core | Not affected | |
Red Hat Integration Data Virtualisation Operator | log4j | Not affected | |
Red Hat JBoss BRMS 5 | log4j | Out of support scope | |
Red Hat JBoss Data Virtualization 6 | log4j | Not affected | |
Additional Information
Status: 9.8 Critical (CVSS3)