CVE-2017-5645

Impact:
Important
Public Date:
2017-04-02
CWE:
CWE-502
Bugzilla:
1443635: CVE-2017-5645 log4j: Socket receiver deserialization vulnerability
It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.

Find out more about CVE-2017-5645 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 8.1
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (log4j) RHSA-2017:3399 2017-12-07
Red Hat JBoss EAP 5 RHSA-2017:3400 2017-12-07
Red Hat Enterprise Linux 7 (log4j) RHSA-2017:2423 2017-08-07
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server RHSA-2017:2635 2017-09-05
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server RHSA-2017:2809 2017-09-26
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server RHSA-2017:2636 2017-09-05
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) RHSA-2017:2638 2017-09-05
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2017:2633 2017-09-05
Red Hat JBoss BPMS 6.4 RHSA-2017:2889 2017-10-12
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) RHSA-2017:2811 2017-09-26
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-java-common-log4j) RHSA-2017:1417 2017-06-08
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server RHSA-2017:2637 2017-09-05
Red Hat JBoss EAP 7 RHSA-2017:2810 2017-09-26
Red Hat JBoss BRMS 6.4 RHSA-2017:2888 2017-10-12
Red Hat JBoss Web Server 3.1 RHSA-2017:1802 2017-07-25
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-java-common-log4j) RHSA-2017:1417 2017-06-08
Red Hat JBoss Data Grid 7.1 RHSA-2017:3244 2017-11-16
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server RHSA-2017:2808 2017-09-26
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) RHSA-2017:2811 2017-09-26
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (log4j) RHSA-2017:3399 2017-12-07
Red Hat JBoss Web Server 3.1 for RHEL 6 RHSA-2017:1801 2017-07-25
Red Hat JBoss Web Server 3.1 for RHEL 7 RHSA-2017:1801 2017-07-25

Affected Packages State

Platform Package State
Red Hat Subscription Asset Manager 1 log4j Not affected
Red Hat Satellite 5 nutch Not affected
Red Hat OpenShift Enterprise 3 log4j Not affected
Red Hat Mobile Application Platform On-Premise 4 log4j Not affected
Red Hat JBoss Operations Network 3 log4j Not affected
Red Hat JBoss Fuse Service Works 6 log4j Will not fix
Red Hat JBoss Fuse 6 log4j Affected
Red Hat JBoss Enterprise SOA Platform 5 log4j Will not fix
Red Hat JBoss EWS 2 log4j Will not fix
Red Hat JBoss Data Virtualization 6 log4j Not affected
Red Hat JBoss BRMS 5 log4j Will not fix
Red Hat JBoss A-MQ 6 log4j Affected
Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7 log4j Not affected
Red Hat Enterprise Linux 6 log4j Will not fix
Red Hat Enterprise Linux 5 log4j Will not fix
RHEV Manager 3 jasperreports-server-pro Will not fix
Last Modified