Red Hat Product Errata RHSA-2017:1417 - Security Advisory
Issued:
2017-06-08
Updated:
2017-06-08

RHSA-2017:1417 - Security Advisory

Synopsis

Important: rh-java-common-log4j security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for rh-java-common-log4j is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Log4j is a tool to help the programmer output log statements to a variety of output targets.

Security Fix(es):

  • It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64

Fixes

  • BZ - 1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7

SRPM
rh-java-common-log4j-1.2.17-15.15.el7.src.rpm SHA-256: 469e8f8a62287040fe823f83e33783a1c15ad8483fc33d9bcf59e411c5e61df2
x86_64
rh-java-common-log4j-1.2.17-15.15.el7.noarch.rpm SHA-256: b4382e225d3f659496f7c85fe7d3b7307f12f9a45ffa302e461d07720c4a7770
rh-java-common-log4j-javadoc-1.2.17-15.15.el7.noarch.rpm SHA-256: 558613da84ae87762aba5a1a9905e41d8bbd5a4c0e70ef066814522c6610de0c
rh-java-common-log4j-manual-1.2.17-15.15.el7.noarch.rpm SHA-256: 98266f4b62d7e0bde8a2505be620c88a57f8b3e4c68505a1b0274af7f6c2e655

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6

SRPM
rh-java-common-log4j-1.2.17-15.15.el7.src.rpm SHA-256: 469e8f8a62287040fe823f83e33783a1c15ad8483fc33d9bcf59e411c5e61df2
x86_64
rh-java-common-log4j-1.2.17-15.15.el7.noarch.rpm SHA-256: b4382e225d3f659496f7c85fe7d3b7307f12f9a45ffa302e461d07720c4a7770
rh-java-common-log4j-javadoc-1.2.17-15.15.el7.noarch.rpm SHA-256: 558613da84ae87762aba5a1a9905e41d8bbd5a4c0e70ef066814522c6610de0c
rh-java-common-log4j-manual-1.2.17-15.15.el7.noarch.rpm SHA-256: 98266f4b62d7e0bde8a2505be620c88a57f8b3e4c68505a1b0274af7f6c2e655

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5

SRPM
rh-java-common-log4j-1.2.17-15.15.el7.src.rpm SHA-256: 469e8f8a62287040fe823f83e33783a1c15ad8483fc33d9bcf59e411c5e61df2
x86_64
rh-java-common-log4j-1.2.17-15.15.el7.noarch.rpm SHA-256: b4382e225d3f659496f7c85fe7d3b7307f12f9a45ffa302e461d07720c4a7770
rh-java-common-log4j-javadoc-1.2.17-15.15.el7.noarch.rpm SHA-256: 558613da84ae87762aba5a1a9905e41d8bbd5a4c0e70ef066814522c6610de0c
rh-java-common-log4j-manual-1.2.17-15.15.el7.noarch.rpm SHA-256: 98266f4b62d7e0bde8a2505be620c88a57f8b3e4c68505a1b0274af7f6c2e655

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4

SRPM
rh-java-common-log4j-1.2.17-15.15.el7.src.rpm SHA-256: 469e8f8a62287040fe823f83e33783a1c15ad8483fc33d9bcf59e411c5e61df2
x86_64
rh-java-common-log4j-1.2.17-15.15.el7.noarch.rpm SHA-256: b4382e225d3f659496f7c85fe7d3b7307f12f9a45ffa302e461d07720c4a7770
rh-java-common-log4j-javadoc-1.2.17-15.15.el7.noarch.rpm SHA-256: 558613da84ae87762aba5a1a9905e41d8bbd5a4c0e70ef066814522c6610de0c
rh-java-common-log4j-manual-1.2.17-15.15.el7.noarch.rpm SHA-256: 98266f4b62d7e0bde8a2505be620c88a57f8b3e4c68505a1b0274af7f6c2e655

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3

SRPM
rh-java-common-log4j-1.2.17-15.15.el7.src.rpm SHA-256: 469e8f8a62287040fe823f83e33783a1c15ad8483fc33d9bcf59e411c5e61df2
x86_64
rh-java-common-log4j-1.2.17-15.15.el7.noarch.rpm SHA-256: b4382e225d3f659496f7c85fe7d3b7307f12f9a45ffa302e461d07720c4a7770
rh-java-common-log4j-javadoc-1.2.17-15.15.el7.noarch.rpm SHA-256: 558613da84ae87762aba5a1a9905e41d8bbd5a4c0e70ef066814522c6610de0c
rh-java-common-log4j-manual-1.2.17-15.15.el7.noarch.rpm SHA-256: 98266f4b62d7e0bde8a2505be620c88a57f8b3e4c68505a1b0274af7f6c2e655

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7

SRPM
rh-java-common-log4j-1.2.17-15.15.el7.src.rpm SHA-256: 469e8f8a62287040fe823f83e33783a1c15ad8483fc33d9bcf59e411c5e61df2
x86_64
rh-java-common-log4j-1.2.17-15.15.el7.noarch.rpm SHA-256: b4382e225d3f659496f7c85fe7d3b7307f12f9a45ffa302e461d07720c4a7770
rh-java-common-log4j-javadoc-1.2.17-15.15.el7.noarch.rpm SHA-256: 558613da84ae87762aba5a1a9905e41d8bbd5a4c0e70ef066814522c6610de0c
rh-java-common-log4j-manual-1.2.17-15.15.el7.noarch.rpm SHA-256: 98266f4b62d7e0bde8a2505be620c88a57f8b3e4c68505a1b0274af7f6c2e655

Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7

SRPM
rh-java-common-log4j-1.2.17-15.15.el6.src.rpm SHA-256: a954b3d7dd77e343770be9f04fd8c411aa801e2b0c8e7708b1853ec063e37e0d
x86_64
rh-java-common-log4j-1.2.17-15.15.el6.noarch.rpm SHA-256: eb39bf2312c41537bb2ac5ed382885fdfe1e2aa2741cbc61c6109fcbae945801
rh-java-common-log4j-javadoc-1.2.17-15.15.el6.noarch.rpm SHA-256: 230ea06c5552eaf6ee22af39cfd0d2fd275f6e4596b4258a397b464bb97837a5
rh-java-common-log4j-manual-1.2.17-15.15.el6.noarch.rpm SHA-256: c7350890268b31e81b25b8d3aae1113dad1977090b15d16f8f001e7f068e11aa

Red Hat Software Collections (for RHEL Server) 1 for RHEL 6

SRPM
rh-java-common-log4j-1.2.17-15.15.el6.src.rpm SHA-256: a954b3d7dd77e343770be9f04fd8c411aa801e2b0c8e7708b1853ec063e37e0d
x86_64
rh-java-common-log4j-1.2.17-15.15.el6.noarch.rpm SHA-256: eb39bf2312c41537bb2ac5ed382885fdfe1e2aa2741cbc61c6109fcbae945801
rh-java-common-log4j-javadoc-1.2.17-15.15.el6.noarch.rpm SHA-256: 230ea06c5552eaf6ee22af39cfd0d2fd275f6e4596b4258a397b464bb97837a5
rh-java-common-log4j-manual-1.2.17-15.15.el6.noarch.rpm SHA-256: c7350890268b31e81b25b8d3aae1113dad1977090b15d16f8f001e7f068e11aa

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7

SRPM
rh-java-common-log4j-1.2.17-15.15.el7.src.rpm SHA-256: 469e8f8a62287040fe823f83e33783a1c15ad8483fc33d9bcf59e411c5e61df2
x86_64
rh-java-common-log4j-1.2.17-15.15.el7.noarch.rpm SHA-256: b4382e225d3f659496f7c85fe7d3b7307f12f9a45ffa302e461d07720c4a7770
rh-java-common-log4j-javadoc-1.2.17-15.15.el7.noarch.rpm SHA-256: 558613da84ae87762aba5a1a9905e41d8bbd5a4c0e70ef066814522c6610de0c
rh-java-common-log4j-manual-1.2.17-15.15.el7.noarch.rpm SHA-256: 98266f4b62d7e0bde8a2505be620c88a57f8b3e4c68505a1b0274af7f6c2e655

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6

SRPM
rh-java-common-log4j-1.2.17-15.15.el6.src.rpm SHA-256: a954b3d7dd77e343770be9f04fd8c411aa801e2b0c8e7708b1853ec063e37e0d
x86_64
rh-java-common-log4j-1.2.17-15.15.el6.noarch.rpm SHA-256: eb39bf2312c41537bb2ac5ed382885fdfe1e2aa2741cbc61c6109fcbae945801
rh-java-common-log4j-javadoc-1.2.17-15.15.el6.noarch.rpm SHA-256: 230ea06c5552eaf6ee22af39cfd0d2fd275f6e4596b4258a397b464bb97837a5
rh-java-common-log4j-manual-1.2.17-15.15.el6.noarch.rpm SHA-256: c7350890268b31e81b25b8d3aae1113dad1977090b15d16f8f001e7f068e11aa

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.