Описание
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.
Отчет
Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries. Red Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging. Red Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low. Similar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.
Меры по смягчению последствий
These are the mitigations available for this flaw for log4j 1.x:
- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.
- Remove the Chainsaw classes from the log4j jar files. For example:
(log4j jars may be nested in zip archives within product)
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| A-MQ Clients 2 | log4j | Affected | ||
| Red Hat AMQ Broker 7 | log4j | Affected | ||
| Red Hat build of Quarkus | log4j | Not affected | ||
| Red Hat CodeReady Studio 12 | log4j | Affected | ||
| Red Hat Data Grid 8 | log4j | Not affected | ||
| Red Hat Decision Manager 7 | log4j | Not affected | ||
| Red Hat Enterprise Linux 7 | tomcat | Not affected | ||
| Red Hat Integration Camel K 1 | log4j | Not affected | ||
| Red Hat Integration Camel Quarkus 1 | log4j | Not affected | ||
| Red Hat JBoss Enterprise Application Platform Expansion Pack | log4j | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
8.8 High
CVSS3
Связанные уязвимости
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CVE-2020-9493 identified a deserialization issue that was present in A ...
Deserialization of Untrusted Data in Apache Log4j
Уязвимость библиотеки журналирования Java-программ Log4j, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю выполнить произвольный код
EPSS
8.8 High
CVSS3