Vulnerabilities > CVE-2019-17571 - Deserialization of Untrusted Data vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
apache
debian
canonical
opensuse
netapp
oracle
CWE-502
critical
nessus

Summary

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Vulnerable Configurations

Part Description Count
Application
Apache
57
Application
Netapp
7
Application
Oracle
67
OS
Debian
3
OS
Canonical
1
OS
Opensuse
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-2065.NASL
    descriptionIncluded in Log4j 1.2, a logging library for Java, is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id132777
    published2020-01-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132777
    titleDebian DLA-2065-1 : apache-log4j1.2 security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-2065-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(132777);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/15");
    
      script_cve_id("CVE-2019-17571");
    
      script_name(english:"Debian DLA-2065-1 : apache-log4j1.2 security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Included in Log4j 1.2, a logging library for Java, is a SocketServer
    class that is vulnerable to deserialization of untrusted data which
    can be exploited to remotely execute arbitrary code when combined with
    a deserialization gadget when listening to untrusted network traffic
    for log data.
    
    For Debian 8 'Jessie', this problem has been fixed in version
    1.2.17-5+deb8u1.
    
    We recommend that you upgrade your apache-log4j1.2 packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2020/01/msg00008.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/apache-log4j1.2"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:liblog4j1.2-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:liblog4j1.2-java-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/13");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"liblog4j1.2-java", reference:"1.2.17-5+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"liblog4j1.2-java-doc", reference:"1.2.17-5+deb8u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMisc.
    NASL idORACLE_WEBLOGIC_SERVER_CPU_APR_2020.NASL
    descriptionThe version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the CPUApr2020 advisory. - A remote code execution vulnerability exists in the Log4j SocketServer class due to unsafe deserialization of untrusted data. An unauthenticated, remote attacker can exploit this to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. (CVE-2019-17571) - An information disclosure vulnerability exists in the Console component. An unauthenticated, remote attacker can exploit this to gain unauthorized read access to a subset of Oracle WebLogic Server accessible data. (CVE-2020-2766) - A vulnerability in the WLS Web Services component exists. An authenticated, remote attacker can exploit this via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-2798) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-10
    modified2020-04-16
    plugin id135680
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135680
    titleOracle WebLogic Server (Apr 2020 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(135680);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/03");
    
      script_cve_id(
        "CVE-2019-16943",
        "CVE-2019-17359",
        "CVE-2019-17571",
        "CVE-2020-2766",
        "CVE-2020-2798",
        "CVE-2020-2801",
        "CVE-2020-2811",
        "CVE-2020-2828",
        "CVE-2020-2829",
        "CVE-2020-2867",
        "CVE-2020-2869",
        "CVE-2020-2883",
        "CVE-2020-2884",
        "CVE-2020-2963"
      );
      script_xref(name:"IAVA", value:"2020-A-0153");
    
      script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (Apr 2020 CPU)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is affected by multiple vulnerabilities");
      script_set_attribute(attribute:"description", value:
    "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by
    multiple vulnerabilities as referenced in the CPUApr2020 advisory.
    
      - A remote code execution vulnerability exists in the Log4j SocketServer class due to unsafe deserialization of
        untrusted data. An unauthenticated, remote attacker can exploit this to remotely execute arbitrary code when
        combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j
        versions up to 1.2 up to 1.2.17. (CVE-2019-17571)
    
      - An information disclosure vulnerability exists in the Console component. An unauthenticated, remote attacker can
        exploit this to gain unauthorized read access to a subset of Oracle WebLogic Server accessible data. (CVE-2020-2766)
    
      - A vulnerability in the WLS Web Services component exists. An authenticated, remote attacker can exploit this via T3
        to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle
        WebLogic Server. (CVE-2020-2798)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/a/tech/docs/cpuapr2020cvrf.xml");
      script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2020.html");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the April 2020 Oracle Critical Patch Update advisory.");
      script_set_attribute(attribute:"agent", value:"all");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-17571");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'WebLogic Server Deserialization RCE BadAttributeValueExpException ExtComp');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/16");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_weblogic_server_installed.nbin", "os_fingerprint.nasl");
      script_require_keys("installed_sw/Oracle WebLogic Server");
    
      exit(0);
    }
    
    include('audit.inc');
    include('install_func.inc');
    
    app_name = 'Oracle WebLogic Server';
    
    os = get_kb_item_or_exit('Host/OS');
    if ('windows' >< tolower(os))
    {
      port = get_kb_item('SMB/transport');
      if (!port) port = 445;
    }
    else port = 0;
    
    install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
    version = install['version'];
    
    fix = NULL;
    fix_ver = NULL;
    
    if (version =~ "^12\.2\.1\.4($|[^0-9])")
    {
      fix_ver = '12.2.1.4.200228';
      fix = make_list('30970477', '30761841', '31101341');
    }
    
    else if (version =~ "^12\.2\.1\.3($|[^0-9])")
    {
      fix_ver = '12.2.1.3.200227';
      fix = make_list('30965714');
    }
    else if (version =~ "^12\.1\.3\.")
    {
      fix_ver = '12.1.3.0.200414';
      fix = make_list('30857795');
    }
    else if (version =~ "^10\.3\.6\.")
    {
      fix_ver = '10.3.6.0.200414';
      fix = make_list('Q3ZB');
    }
    
    if (isnull(fix_ver) || ver_compare(ver:version, fix:fix_ver, strict:FALSE) >= 0)
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, install['path']);
    
    else {
      report =
        '\n  Oracle Home    : ' + install['Oracle Home'] +
        '\n  Install path   : ' + install['path'] +
        '\n  Version        : ' + version +
        '\n  Fixes          : ' + join(sep:', ', fix);
      security_report_v4(extra:report, severity:SECURITY_HOLE, port:port);
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-2423.NASL
    descriptionFrom Red Hat Security Advisory 2017:2423 : An update for log4j is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Log4j is a tool to help the programmer output log statements to a variety of output targets. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
    last seen2020-05-09
    modified2017-08-10
    plugin id102345
    published2017-08-10
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102345
    titleOracle Linux 7 : log4j (ELSA-2017-2423)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2017:2423 and 
    # Oracle Linux Security Advisory ELSA-2017-2423 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102345);
      script_version("3.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08");
    
      script_cve_id("CVE-2017-5645", "CVE-2019-17571");
      script_xref(name:"RHSA", value:"2017:2423");
      script_xref(name:"IAVA", value:"2020-A-0008-S");
    
      script_name(english:"Oracle Linux 7 : log4j (ELSA-2017-2423)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2017:2423 :
    
    An update for log4j is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Log4j is a tool to help the programmer output log statements to a
    variety of output targets.
    
    Security Fix(es) :
    
    * It was found that when using remote logging with log4j socket server
    the log4j server would deserialize any log event received via TCP or
    UDP. An attacker could use this flaw to send a specially crafted log
    event that, during deserialization, would execute arbitrary code in
    the context of the logger application. (CVE-2017-5645)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-August/007114.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected log4j packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:log4j");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:log4j-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:log4j-manual");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/10");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"log4j-1.2.17-16.el7_4")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"log4j-javadoc-1.2.17-16.el7_4")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"log4j-manual-1.2.17-16.el7_4")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "log4j / log4j-javadoc / log4j-manual");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-1801.NASL
    descriptionAn update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and Red Hat JBoss Web Server 3.1 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645) * A vulnerability was discovered in tomcat
    last seen2020-05-09
    modified2018-08-29
    plugin id112177
    published2018-08-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112177
    titleRHEL 6 / 7 : Red Hat JBoss Web Server 3.1.0 Service Pack 1 (RHSA-2017:1801)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-2423.NASL
    descriptionAn update for log4j is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Log4j is a tool to help the programmer output log statements to a variety of output targets. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
    last seen2020-05-09
    modified2017-09-01
    plugin id102878
    published2017-09-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102878
    titleCentOS 7 : log4j (CESA-2017:2423)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2423.NASL
    descriptionAn update for log4j is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Log4j is a tool to help the programmer output log statements to a variety of output targets. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
    last seen2020-05-09
    modified2017-08-10
    plugin id102348
    published2017-08-10
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102348
    titleRHEL 7 : log4j (RHSA-2017:2423)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2811.NASL
    descriptionAn update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.8. Refer to the JBoss Enterprise Application Platform 7.0.8 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645) * A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970) * It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user
    last seen2020-05-09
    modified2017-09-27
    plugin id103500
    published2017-09-27
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103500
    titleRHEL 6 / 7 : eap7-jboss-ec2-eap (RHSA-2017:2811)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4686.NASL
    descriptionIt was discovered that the SocketServer class included in apache-log4j1.2, a logging library for java, is vulnerable to deserialization of untrusted data. An attacker can take advantage of this flaw to execute arbitrary code in the context of the logger application by sending a specially crafted log event.
    last seen2020-05-22
    modified2020-05-18
    plugin id136675
    published2020-05-18
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136675
    titleDebian DSA-4686-1 : apache-log4j1.2 - security update
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-3399.NASL
    descriptionAn update is now available for Red Hat JBoss Enterprise Application Platform 5 for Red Hat Enterprise Linux 5 and Red Hat JBoss Enterprise Application Platform 5 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This asynchronous patch is a security update for log4j package in Red Hat JBoss Enterprise Application Platform 5.2.0. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
    last seen2020-05-09
    modified2017-12-13
    plugin id105209
    published2017-12-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105209
    titleRHEL 6 : JBoss EAP (RHSA-2017:3399)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2638.NASL
    descriptionAn update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.17. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645) * A vulnerability was discovered in the error page mechanism in Tomcat
    last seen2020-05-09
    modified2017-09-08
    plugin id103044
    published2017-09-08
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103044
    titleRHEL 6 : jboss-ec2-eap (RHSA-2017:2638)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-51.NASL
    descriptionThis update for log4j fixes the following issues : - CVE-2019-17571: Fixed a remote code execution by deserialization of untrusted data in SocketServer (bsc#1159646). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id132915
    published2020-01-15
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132915
    titleopenSUSE Security Update : log4j (openSUSE-2020-51)

Redhat

advisories
bugzilla
id1443635
titleCVE-2017-5645 log4j: Socket receiver deserialization vulnerability
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • commentlog4j-manual is earlier than 0:1.2.17-16.el7_4
          ovaloval:com.redhat.rhsa:tst:20172423001
        • commentlog4j-manual is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172423002
      • AND
        • commentlog4j-javadoc is earlier than 0:1.2.17-16.el7_4
          ovaloval:com.redhat.rhsa:tst:20172423003
        • commentlog4j-javadoc is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172423004
      • AND
        • commentlog4j is earlier than 0:1.2.17-16.el7_4
          ovaloval:com.redhat.rhsa:tst:20172423005
        • commentlog4j is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172423006
rhsa
idRHSA-2017:2423
released2017-08-07
severityImportant
titleRHSA-2017:2423: log4j security update (Important)
rpms
  • log4j-eap6-0:1.2.16-12.redhat_3.1.ep6.el6
  • log4j-eap6-0:1.2.16-12.redhat_3.1.ep6.el7
  • tomcat-native-0:1.2.8-10.redhat_10.ep7.el6
  • tomcat-native-0:1.2.8-10.redhat_10.ep7.el7
  • tomcat-native-debuginfo-0:1.2.8-10.redhat_10.ep7.el6
  • tomcat-native-debuginfo-0:1.2.8-10.redhat_10.ep7.el7
  • tomcat7-0:7.0.70-22.ep7.el6
  • tomcat7-0:7.0.70-22.ep7.el7
  • tomcat7-admin-webapps-0:7.0.70-22.ep7.el6
  • tomcat7-admin-webapps-0:7.0.70-22.ep7.el7
  • tomcat7-docs-webapp-0:7.0.70-22.ep7.el6
  • tomcat7-docs-webapp-0:7.0.70-22.ep7.el7
  • tomcat7-el-2.2-api-0:7.0.70-22.ep7.el6
  • tomcat7-el-2.2-api-0:7.0.70-22.ep7.el7
  • tomcat7-javadoc-0:7.0.70-22.ep7.el6
  • tomcat7-javadoc-0:7.0.70-22.ep7.el7
  • tomcat7-jsp-2.2-api-0:7.0.70-22.ep7.el6
  • tomcat7-jsp-2.2-api-0:7.0.70-22.ep7.el7
  • tomcat7-jsvc-0:7.0.70-22.ep7.el6
  • tomcat7-jsvc-0:7.0.70-22.ep7.el7
  • tomcat7-lib-0:7.0.70-22.ep7.el6
  • tomcat7-lib-0:7.0.70-22.ep7.el7
  • tomcat7-log4j-0:7.0.70-22.ep7.el6
  • tomcat7-log4j-0:7.0.70-22.ep7.el7
  • tomcat7-selinux-0:7.0.70-22.ep7.el6
  • tomcat7-selinux-0:7.0.70-22.ep7.el7
  • tomcat7-servlet-3.0-api-0:7.0.70-22.ep7.el6
  • tomcat7-servlet-3.0-api-0:7.0.70-22.ep7.el7
  • tomcat7-webapps-0:7.0.70-22.ep7.el6
  • tomcat7-webapps-0:7.0.70-22.ep7.el7
  • tomcat8-0:8.0.36-24.ep7.el6
  • tomcat8-0:8.0.36-24.ep7.el7
  • tomcat8-admin-webapps-0:8.0.36-24.ep7.el6
  • tomcat8-admin-webapps-0:8.0.36-24.ep7.el7
  • tomcat8-docs-webapp-0:8.0.36-24.ep7.el6
  • tomcat8-docs-webapp-0:8.0.36-24.ep7.el7
  • tomcat8-el-2.2-api-0:8.0.36-24.ep7.el6
  • tomcat8-el-2.2-api-0:8.0.36-24.ep7.el7
  • tomcat8-javadoc-0:8.0.36-24.ep7.el6
  • tomcat8-javadoc-0:8.0.36-24.ep7.el7
  • tomcat8-jsp-2.3-api-0:8.0.36-24.ep7.el6
  • tomcat8-jsp-2.3-api-0:8.0.36-24.ep7.el7
  • tomcat8-jsvc-0:8.0.36-24.ep7.el6
  • tomcat8-jsvc-0:8.0.36-24.ep7.el7
  • tomcat8-lib-0:8.0.36-24.ep7.el6
  • tomcat8-lib-0:8.0.36-24.ep7.el7
  • tomcat8-log4j-0:8.0.36-24.ep7.el6
  • tomcat8-log4j-0:8.0.36-24.ep7.el7
  • tomcat8-selinux-0:8.0.36-24.ep7.el6
  • tomcat8-selinux-0:8.0.36-24.ep7.el7
  • tomcat8-servlet-3.1-api-0:8.0.36-24.ep7.el6
  • tomcat8-servlet-3.1-api-0:8.0.36-24.ep7.el7
  • tomcat8-webapps-0:8.0.36-24.ep7.el6
  • tomcat8-webapps-0:8.0.36-24.ep7.el7
  • log4j-0:1.2.17-16.el7_4
  • log4j-javadoc-0:1.2.17-16.el7_4
  • log4j-manual-0:1.2.17-16.el7_4
  • jboss-ec2-eap-0:7.5.17-1.Final_redhat_4.ep6.el6
  • jboss-ec2-eap-samples-0:7.5.17-1.Final_redhat_4.ep6.el6
  • eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6
  • eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7
  • eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6
  • eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7
  • log4j-0:1.2.14-19.patch_01.ep5.el5
  • log4j-0:1.2.14-19.patch_01.ep5.el6

References