Vulnerabilities > CVE-2019-17571 - Deserialization of Untrusted Data vulnerability in multiple products

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Log4J 1.0.4 Apache Log4J 1.1.3 Apache Log4J 1.2 Apache Log4J 1.2.1 Apache Log4J 1.2.2 Apache Log4J 1.2.3 Apache Log4J 1.2.4 Apache Log4J 1.2.5 Apache Log4J 1.2.6 Apache Log4J 1.2.7 Apache Log4J 1.2.8 Apache Log4J 1.2.9 Apache Log4J 1.2.10 Apache Log4J 1.2.11 Apache Log4J 1.2.12 Apache Log4J 1.2.13 Apache Log4J 1.2.14 Apache Log4J 1.2.15 Apache Log4J 1.2.16 Apache Log4J 1.2.17 Apache Bookkeeper - Apache Bookkeeper 4.0.0 Apache Bookkeeper 4.1.0 Apache Bookkeeper 4.2.0 Apache Bookkeeper 4.2.1 Apache Bookkeeper 4.2.3 Apache Bookkeeper 4.2.4 Apache Bookkeeper 4.3.0 Apache Bookkeeper 4.3.1 Apache Bookkeeper 4.3.2 Apache Bookkeeper 4.4.0 Apache Bookkeeper 4.5.0 Apache Bookkeeper 4.5.1 Apache Bookkeeper 4.6.0 Apache Bookkeeper 4.6.1 Apache Bookkeeper 4.6.2 Apache Bookkeeper 4.7.0 Apache Bookkeeper 4.7.1 Apache Bookkeeper 4.7.2 Apache Bookkeeper 4.7.3 Apache Bookkeeper 4.8.0 Apache Bookkeeper 4.8.1 Apache Bookkeeper 4.8.2 Apache Bookkeeper 4.9.0 Apache Bookkeeper 4.9.1 Apache Bookkeeper 4.9.2 Apache Bookkeeper 4.10.0 Apache Bookkeeper 4.11.0 Apache Bookkeeper 4.11.1 Apache Bookkeeper 4.12.0 Apache Bookkeeper 4.12.1 Apache Bookkeeper 4.13.0 Apache Bookkeeper 4.14.0 Apache Bookkeeper 4.14.1 Apache Bookkeeper 4.14.2	57
Application	Netapp Netapp Oncommand Workflow Automation - Netapp Oncommand System Manager 3.0 Netapp Oncommand System Manager 3.0.0 Netapp Oncommand System Manager 3.1 Netapp Oncommand System Manager 3.1.1 Netapp Oncommand System Manager 3.1.2 Netapp Oncommand System Manager 3.1.3	7
Application	Oracle Oracle Retail Service Backbone 14.1 Oracle Retail Service Backbone 15.0 Oracle Retail Service Backbone 16.0 Oracle Weblogic Server 12.1.3.0.0 Oracle Weblogic Server 10.3.6.0.0 Oracle Weblogic Server 12.2.1.3.0 Oracle Weblogic Server 12.2.1.4.0 Oracle Weblogic Server 14.1.1.0.0 Oracle Application Testing Suite 13.3.0.1 Oracle Endeca Information Discovery Studio 3.2.0 Oracle Rapid Planning 12.1 Oracle Rapid Planning 12.2 Oracle Financial Services Lending AND Leasing 14.1.0 Oracle Financial Services Lending AND Leasing 14.2.0 Oracle Financial Services Lending AND Leasing 14.8.0 Oracle Financial Services Lending AND Leasing 12.5.0 Oracle Communications Network Integrity 7.3.2 Oracle Communications Network Integrity 7.3.5 Oracle Communications Network Integrity 7.3.6 Oracle Primavera Gateway 16.2 Oracle Primavera Gateway 16.2.0 Oracle Primavera Gateway 16.2.11 Oracle Primavera Gateway 17.12.0 Oracle Primavera Gateway 17.12.6 Oracle Primavera Gateway 17.12.7 Oracle Retail Extract Transform AND Load 19.0 Oracle Mysql Enterprise Monitor - Oracle Mysql Enterprise Monitor 2.3.14 Oracle Mysql Enterprise Monitor 3.0.4 Oracle Mysql Enterprise Monitor 3.4.3 Oracle Mysql Enterprise Monitor 3.4.4 Oracle Mysql Enterprise Monitor 3.4.5 Oracle Mysql Enterprise Monitor 3.4.6 Oracle Mysql Enterprise Monitor 3.4.7 Oracle Mysql Enterprise Monitor 3.4.7.4297 Oracle Mysql Enterprise Monitor 3.4.8 Oracle Mysql Enterprise Monitor 3.4.9 Oracle Mysql Enterprise Monitor 3.4.9.4237 Oracle Mysql Enterprise Monitor 3.4.10 Oracle Mysql Enterprise Monitor 4.0.1 Oracle Mysql Enterprise Monitor 4.0.2 Oracle Mysql Enterprise Monitor 4.0.3 Oracle Mysql Enterprise Monitor 4.0.4 Oracle Mysql Enterprise Monitor 4.0.4.5235 Oracle Mysql Enterprise Monitor 4.0.5 Oracle Mysql Enterprise Monitor 4.0.6 Oracle Mysql Enterprise Monitor 4.0.6.5281 Oracle Mysql Enterprise Monitor 4.0.7 Oracle Mysql Enterprise Monitor 4.0.8 Oracle Mysql Enterprise Monitor 4.0.11.5331 Oracle Mysql Enterprise Monitor 4.0.12 Oracle Mysql Enterprise Monitor 4.1 Oracle Mysql Enterprise Monitor 8.0.0.8131 Oracle Mysql Enterprise Monitor 8.0.2 Oracle Mysql Enterprise Monitor 8.0.3 Oracle Mysql Enterprise Monitor 8.0.14 Oracle Mysql Enterprise Monitor 8.0.18.1217 Oracle Mysql Enterprise Monitor 8.0.21 Oracle Mysql Enterprise Monitor 8.0.22 Oracle Mysql Enterprise Monitor 8.0.23 Oracle Mysql Enterprise Monitor 8.0.25 Oracle Mysql Enterprise Monitor 8.0.29	62
OS	Debian Debian Debian Linux 8.0 Debian Debian Linux 9.0 Debian Debian Linux 10.0	3
OS	Canonical Canonical Ubuntu Linux 18.04	1
OS	Opensuse Opensuse Leap 15.1	1

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-2065.NASL
description	Included in Log4j 1.2, a logging library for Java, is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. For Debian 8
last seen	2020-06-01
modified	2020-06-02
plugin id	132777
published	2020-01-13
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132777
title	Debian DLA-2065-1 : apache-log4j1.2 security update
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-2065-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(132777); script_version("1.2"); script_cvs_date("Date: 2020/01/15"); script_cve_id("CVE-2019-17571"); script_name(english:"Debian DLA-2065-1 : apache-log4j1.2 security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Included in Log4j 1.2, a logging library for Java, is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. For Debian 8 'Jessie', this problem has been fixed in version 1.2.17-5+deb8u1. We recommend that you upgrade your apache-log4j1.2 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2020/01/msg00008.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/apache-log4j1.2" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:liblog4j1.2-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:liblog4j1.2-java-doc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/20"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/13"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"liblog4j1.2-java", reference:"1.2.17-5+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"liblog4j1.2-java-doc", reference:"1.2.17-5+deb8u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Misc.
NASL id	ORACLE_WEBLOGIC_SERVER_CPU_APR_2020.NASL
description	The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the CPUApr2020 advisory. - A remote code execution vulnerability exists in the Log4j SocketServer class due to unsafe deserialization of untrusted data. An unauthenticated, remote attacker can exploit this to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. (CVE-2019-17571) - An information disclosure vulnerability exists in the Console component. An unauthenticated, remote attacker can exploit this to gain unauthorized read access to a subset of Oracle WebLogic Server accessible data. (CVE-2020-2766) - A vulnerability in the WLS Web Services component exists. An authenticated, remote attacker can exploit this via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-2798) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-10
modified	2020-04-16
plugin id	135680
published	2020-04-16
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135680
title	Oracle WebLogic Server (Apr 2020 CPU)
code	# # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(135680); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/03"); script_cve_id( "CVE-2019-16943", "CVE-2019-17359", "CVE-2019-17571", "CVE-2020-2766", "CVE-2020-2798", "CVE-2020-2801", "CVE-2020-2811", "CVE-2020-2828", "CVE-2020-2829", "CVE-2020-2867", "CVE-2020-2869", "CVE-2020-2883", "CVE-2020-2884", "CVE-2020-2963" ); script_xref(name:"IAVA", value:"2020-A-0153"); script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (Apr 2020 CPU)"); script_set_attribute(attribute:"synopsis", value: "The remote host is affected by multiple vulnerabilities"); script_set_attribute(attribute:"description", value: "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the CPUApr2020 advisory. - A remote code execution vulnerability exists in the Log4j SocketServer class due to unsafe deserialization of untrusted data. An unauthenticated, remote attacker can exploit this to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. (CVE-2019-17571) - An information disclosure vulnerability exists in the Console component. An unauthenticated, remote attacker can exploit this to gain unauthorized read access to a subset of Oracle WebLogic Server accessible data. (CVE-2020-2766) - A vulnerability in the WLS Web Services component exists. An authenticated, remote attacker can exploit this via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-2798) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/a/tech/docs/cpuapr2020cvrf.xml"); script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2020.html"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the April 2020 Oracle Critical Patch Update advisory."); script_set_attribute(attribute:"agent", value:"all"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-17571"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'WebLogic Server Deserialization RCE BadAttributeValueExpException ExtComp'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/16"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_weblogic_server_installed.nbin", "os_fingerprint.nasl"); script_require_keys("installed_sw/Oracle WebLogic Server"); exit(0); } include('audit.inc'); include('install_func.inc'); app_name = 'Oracle WebLogic Server'; os = get_kb_item_or_exit('Host/OS'); if ('windows' >< tolower(os)) { port = get_kb_item('SMB/transport'); if (!port) port = 445; } else port = 0; install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE); version = install['version']; fix = NULL; fix_ver = NULL; if (version =~ "^12\.2\.1\.4($\|[^0-9])") { fix_ver = '12.2.1.4.200228'; fix = make_list('30970477', '30761841', '31101341'); } else if (version =~ "^12\.2\.1\.3($\|[^0-9])") { fix_ver = '12.2.1.3.200227'; fix = make_list('30965714'); } else if (version =~ "^12\.1\.3\.") { fix_ver = '12.1.3.0.200414'; fix = make_list('30857795'); } else if (version =~ "^10\.3\.6\.") { fix_ver = '10.3.6.0.200414'; fix = make_list('Q3ZB'); } if (isnull(fix_ver) \|\| ver_compare(ver:version, fix:fix_ver, strict:FALSE) >= 0) audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, install['path']); else { report = '\n Oracle Home : ' + install['Oracle Home'] + '\n Install path : ' + install['path'] + '\n Version : ' + version + '\n Fixes : ' + join(sep:', ', fix); security_report_v4(extra:report, severity:SECURITY_HOLE, port:port); }

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2017-2423.NASL
description	From Red Hat Security Advisory 2017:2423 : An update for log4j is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Log4j is a tool to help the programmer output log statements to a variety of output targets. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
last seen	2020-05-09
modified	2017-08-10
plugin id	102345
published	2017-08-10
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/102345
title	Oracle Linux 7 : log4j (ELSA-2017-2423)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2017:2423 and # Oracle Linux Security Advisory ELSA-2017-2423 respectively. # include("compat.inc"); if (description) { script_id(102345); script_version("3.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08"); script_cve_id("CVE-2017-5645", "CVE-2019-17571"); script_xref(name:"RHSA", value:"2017:2423"); script_xref(name:"IAVA", value:"2020-A-0008-S"); script_name(english:"Oracle Linux 7 : log4j (ELSA-2017-2423)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2017:2423 : An update for log4j is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Log4j is a tool to help the programmer output log statements to a variety of output targets. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2017-August/007114.html" ); script_set_attribute( attribute:"solution", value:"Update the affected log4j packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:log4j"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:log4j-javadoc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:log4j-manual"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/17"); script_set_attribute(attribute:"patch_publication_date", value:"2017/08/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/10"); script_set_attribute(attribute:"stig_severity", value:"II"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| !pregmatch(pattern: "Oracle (?:Linux Server\|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server\|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"log4j-1.2.17-16.el7_4")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"log4j-javadoc-1.2.17-16.el7_4")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"log4j-manual-1.2.17-16.el7_4")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "log4j / log4j-javadoc / log4j-manual"); }

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2017-1801.NASL
description	An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and Red Hat JBoss Web Server 3.1 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645) * A vulnerability was discovered in tomcat
last seen	2020-05-09
modified	2018-08-29
plugin id	112177
published	2018-08-29
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/112177
title	RHEL 6 / 7 : Red Hat JBoss Web Server 3.1.0 Service Pack 1 (RHSA-2017:1801)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2017-2423.NASL
description	An update for log4j is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Log4j is a tool to help the programmer output log statements to a variety of output targets. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
last seen	2020-05-09
modified	2017-09-01
plugin id	102878
published	2017-09-01
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/102878
title	CentOS 7 : log4j (CESA-2017:2423)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2017-2423.NASL
description	An update for log4j is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Log4j is a tool to help the programmer output log statements to a variety of output targets. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
last seen	2020-05-09
modified	2017-08-10
plugin id	102348
published	2017-08-10
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/102348
title	RHEL 7 : log4j (RHSA-2017:2423)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2017-2811.NASL
description	An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.8. Refer to the JBoss Enterprise Application Platform 7.0.8 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645) * A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970) * It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user
last seen	2020-05-09
modified	2017-09-27
plugin id	103500
published	2017-09-27
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/103500
title	RHEL 6 / 7 : eap7-jboss-ec2-eap (RHSA-2017:2811)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-4686.NASL
description	It was discovered that the SocketServer class included in apache-log4j1.2, a logging library for java, is vulnerable to deserialization of untrusted data. An attacker can take advantage of this flaw to execute arbitrary code in the context of the logger application by sending a specially crafted log event.
last seen	2020-05-22
modified	2020-05-18
plugin id	136675
published	2020-05-18
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/136675
title	Debian DSA-4686-1 : apache-log4j1.2 - security update

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2017-3399.NASL
description	An update is now available for Red Hat JBoss Enterprise Application Platform 5 for Red Hat Enterprise Linux 5 and Red Hat JBoss Enterprise Application Platform 5 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This asynchronous patch is a security update for log4j package in Red Hat JBoss Enterprise Application Platform 5.2.0. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
last seen	2020-05-09
modified	2017-12-13
plugin id	105209
published	2017-12-13
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/105209
title	RHEL 6 : JBoss EAP (RHSA-2017:3399)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2017-2638.NASL
description	An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.17. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645) * A vulnerability was discovered in the error page mechanism in Tomcat
last seen	2020-05-09
modified	2017-09-08
plugin id	103044
published	2017-09-08
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/103044
title	RHEL 6 : jboss-ec2-eap (RHSA-2017:2638)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2020-51.NASL
description	This update for log4j fixes the following issues : - CVE-2019-17571: Fixed a remote code execution by deserialization of untrusted data in SocketServer (bsc#1159646). This update was imported from the SUSE:SLE-15:Update update project.
last seen	2020-06-01
modified	2020-06-02
plugin id	132915
published	2020-01-15
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132915
title	openSUSE Security Update : log4j (openSUSE-2020-51)

Redhat

advisories

bugzilla

id	1443635
title	CVE-2017-5645 log4j: Socket receiver deserialization vulnerability

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

AND
comment log4j-manual is earlier than 0:1.2.17-16.el7_4
oval oval:com.redhat.rhsa:tst:20172423001
comment log4j-manual is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20172423002
AND
comment log4j-javadoc is earlier than 0:1.2.17-16.el7_4
oval oval:com.redhat.rhsa:tst:20172423003
comment log4j-javadoc is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20172423004
AND
comment log4j is earlier than 0:1.2.17-16.el7_4
oval oval:com.redhat.rhsa:tst:20172423005
comment log4j is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20172423006

rhsa

id	RHSA-2017:2423
released	2017-08-07
severity	Important
title	RHSA-2017:2423: log4j security update (Important)

rpms

log4j-eap6-0:1.2.16-12.redhat_3.1.ep6.el6
log4j-eap6-0:1.2.16-12.redhat_3.1.ep6.el7
tomcat-native-0:1.2.8-10.redhat_10.ep7.el6
tomcat-native-0:1.2.8-10.redhat_10.ep7.el7
tomcat-native-debuginfo-0:1.2.8-10.redhat_10.ep7.el6
tomcat-native-debuginfo-0:1.2.8-10.redhat_10.ep7.el7
tomcat7-0:7.0.70-22.ep7.el6
tomcat7-0:7.0.70-22.ep7.el7
tomcat7-admin-webapps-0:7.0.70-22.ep7.el6
tomcat7-admin-webapps-0:7.0.70-22.ep7.el7
tomcat7-docs-webapp-0:7.0.70-22.ep7.el6
tomcat7-docs-webapp-0:7.0.70-22.ep7.el7
tomcat7-el-2.2-api-0:7.0.70-22.ep7.el6
tomcat7-el-2.2-api-0:7.0.70-22.ep7.el7
tomcat7-javadoc-0:7.0.70-22.ep7.el6
tomcat7-javadoc-0:7.0.70-22.ep7.el7
tomcat7-jsp-2.2-api-0:7.0.70-22.ep7.el6
tomcat7-jsp-2.2-api-0:7.0.70-22.ep7.el7
tomcat7-jsvc-0:7.0.70-22.ep7.el6
tomcat7-jsvc-0:7.0.70-22.ep7.el7
tomcat7-lib-0:7.0.70-22.ep7.el6
tomcat7-lib-0:7.0.70-22.ep7.el7
tomcat7-log4j-0:7.0.70-22.ep7.el6
tomcat7-log4j-0:7.0.70-22.ep7.el7
tomcat7-selinux-0:7.0.70-22.ep7.el6
tomcat7-selinux-0:7.0.70-22.ep7.el7
tomcat7-servlet-3.0-api-0:7.0.70-22.ep7.el6
tomcat7-servlet-3.0-api-0:7.0.70-22.ep7.el7
tomcat7-webapps-0:7.0.70-22.ep7.el6
tomcat7-webapps-0:7.0.70-22.ep7.el7
tomcat8-0:8.0.36-24.ep7.el6
tomcat8-0:8.0.36-24.ep7.el7
tomcat8-admin-webapps-0:8.0.36-24.ep7.el6
tomcat8-admin-webapps-0:8.0.36-24.ep7.el7
tomcat8-docs-webapp-0:8.0.36-24.ep7.el6
tomcat8-docs-webapp-0:8.0.36-24.ep7.el7
tomcat8-el-2.2-api-0:8.0.36-24.ep7.el6
tomcat8-el-2.2-api-0:8.0.36-24.ep7.el7
tomcat8-javadoc-0:8.0.36-24.ep7.el6
tomcat8-javadoc-0:8.0.36-24.ep7.el7
tomcat8-jsp-2.3-api-0:8.0.36-24.ep7.el6
tomcat8-jsp-2.3-api-0:8.0.36-24.ep7.el7
tomcat8-jsvc-0:8.0.36-24.ep7.el6
tomcat8-jsvc-0:8.0.36-24.ep7.el7
tomcat8-lib-0:8.0.36-24.ep7.el6
tomcat8-lib-0:8.0.36-24.ep7.el7
tomcat8-log4j-0:8.0.36-24.ep7.el6
tomcat8-log4j-0:8.0.36-24.ep7.el7
tomcat8-selinux-0:8.0.36-24.ep7.el6
tomcat8-selinux-0:8.0.36-24.ep7.el7
tomcat8-servlet-3.1-api-0:8.0.36-24.ep7.el6
tomcat8-servlet-3.1-api-0:8.0.36-24.ep7.el7
tomcat8-webapps-0:8.0.36-24.ep7.el6
tomcat8-webapps-0:8.0.36-24.ep7.el7
log4j-0:1.2.17-16.el7_4
log4j-javadoc-0:1.2.17-16.el7_4
log4j-manual-0:1.2.17-16.el7_4
jboss-ec2-eap-0:7.5.17-1.Final_redhat_4.ep6.el6
jboss-ec2-eap-samples-0:7.5.17-1.Final_redhat_4.ep6.el6
eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6
eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7
eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6
eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7
log4j-0:1.2.14-19.patch_01.ep5.el5
log4j-0:1.2.14-19.patch_01.ep5.el6

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

Redhat

References