[Bug 1785616] New: CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
Bug ID: 1785616 Summary: CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: urgent Priority: urgent Assignee: security-response-team@redhat.com Reporter: msiddiqu@redhat.com CC: aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, asoldano@redhat.com, atangrin@redhat.com, avibelli@redhat.com, bbaranow@redhat.com, bdettelb@redhat.com, bgeorges@redhat.com, bkearney@redhat.com, bmaxwell@redhat.com, bmontgom@redhat.com, brian.stansberry@redhat.com, cbyrne@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, cmacedo@redhat.com, darran.lofthouse@redhat.com, dbhole@redhat.com, decathorpe@gmail.com, devrim@gunduz.org, dffrench@redhat.com, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, drusso@redhat.com, dwalluck@redhat.com, eparis@redhat.com, etirelli@redhat.com, ggaughan@redhat.com, gvarsami@redhat.com, hhorak@redhat.com, ibek@redhat.com, iweiss@redhat.com, janstey@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jburrell@redhat.com, jcoleman@redhat.com, jmadigan@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jorton@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jschorr@redhat.com, jshepherd@redhat.com, jstastny@redhat.com, jwon@redhat.com, kconner@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, ldimaggi@redhat.com, lef@fedoraproject.org, lgao@redhat.com, loleary@redhat.com, lthon@redhat.com, mizdebsk@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, mszynkie@redhat.com, ngough@redhat.com, nstielau@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pdrozd@redhat.com, pgallagh@redhat.com, pjindal@redhat.com, pmackay@redhat.com, psotirop@redhat.com, puntogil@libero.it, pwright@redhat.com, rguimara@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, rwagner@redhat.com, sdaley@redhat.com, smaestri@redhat.com, sochotni@redhat.com, spinder@redhat.com, sponnaga@redhat.com, stewardship-sig@lists.fedoraproject.org, sthorger@redhat.com, tcunning@redhat.com, theute@redhat.com, tkirby@redhat.com, tlestach@redhat.com, tomckay@redhat.com, tom.jenkinson@redhat.com, trepel@redhat.com Target Milestone: --- Classification: Other
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.
References:
https://logging.apache.org/log4j/1.2/ https://issues.apache.org/jira/browse/LOG4J2-1863
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
msiddiqu@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1785617, 1785618
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1785617 [Bug 1785617] CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1785618 [Bug 1785618] CVE-2019-17571 log4j12: log4j: deserialization of untrusted data in SocketServer [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
--- Comment #1 from msiddiqu@redhat.com --- Created log4j tracking bugs for this issue:
Affects: fedora-all [bug 1785617]
Created log4j12 tracking bugs for this issue:
Affects: fedora-all [bug 1785618]
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
msiddiqu@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1785622
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
msiddiqu@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |log4j 2.8.2
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
--- Comment #2 from Jason Shepherd jshepherd@redhat.com --- There is no SocketServer in nodejs-log4js, setting Quay to not affected.
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC|bmontgom@redhat.com, | |eparis@redhat.com, | |jburrell@redhat.com, | |jokerman@redhat.com, | |nstielau@redhat.com, | |sponnaga@redhat.com |
--- Comment #3 from Jason Shepherd jshepherd@redhat.com --- There is no SocketServer in nodejs-log4js, setting Quay to not affected.
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
Kunjan Rathod krathod@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1786014, 1786013, 1786012
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
msiddiqu@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |jolee@redhat.com, | |jschatte@redhat.com, | |vhalbert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
--- Comment #7 from Ted (Jong Seok) Won jwon@redhat.com --- There is no SoketAppender, SocketServer and SocketNode usage in JON, setting JON to not affected.
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Priority|urgent |high Severity|urgent |high
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
--- Comment #8 from Huzaifa S. Sidhpurwala huzaifas@redhat.com --- Statement:
This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
--- Comment #11 from Huzaifa S. Sidhpurwala huzaifas@redhat.com --- Statement:
This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423. Also the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
--- Comment #12 from Huzaifa S. Sidhpurwala huzaifas@redhat.com --- Statement:
This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423. Also the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417
https://bugzilla.redhat.com/show_bug.cgi?id=1785616 Bug 1785616 depends on bug 1785617, which changed state.
Bug 1785617 Summary: CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1785617
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |NOTABUG
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
Daniel Chong dchong@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |dchong@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1785616 Bug 1785616 depends on bug 1785618, which changed state.
Bug 1785618 Summary: CVE-2019-17571 log4j12: log4j: deserialization of untrusted data in SocketServer [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1785618
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |NOTABUG
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
Cedric Buissart 🐶 cbuissar@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1792863
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
--- Comment #19 from Cedric Buissart 🐶 cbuissar@redhat.com --- Statement:
This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423. Also the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417
In Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
--- Doc Text *updated* by Kunjan Rathod krathod@redhat.com --- A flaw was discovered in Log4j where a vulnerable SocketServer class may lead to de-serialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with de-serialization gadget.
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
--- Doc Text *updated* by RaTasha Tillery-Smith rtillery@redhat.com --- A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
Issa Gueye igueye@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |igueye@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
--- Comment #30 from Yadnyawalk Tale ytale@redhat.com --- Red Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
--- Comment #31 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Data Virtualization 6.4.8.SP1
Via RHSA-2022:0497 https://access.redhat.com/errata/RHSA-2022:0497
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2022:0497
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
--- Comment #32 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Data Virtualization 6.4.8.SP2
Via RHSA-2022:0507 https://access.redhat.com/errata/RHSA-2022:0507
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2022:0507
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
Tom Crider tcrider@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |tcrider@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
Todd Cullum tcullum@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |2088650
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
--- Comment #35 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 Extended Lifecycle Support
Via RHSA-2022:5053 https://access.redhat.com/errata/RHSA-2022:5053
https://bugzilla.redhat.com/show_bug.cgi?id=1785616
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2022:5053
java-sig-commits@lists.fedoraproject.org
-
bugzilla@redhat.com