CVE-2017-5929
It was found that logback is vulnerable to a deserialization issue. Logback can be configured to accept remote log events through its SocketServer/ServerSocketReceiver components, which deserialize Java objects received over the network without restricting the classes they accept. An authenticated attacker on the adjacent network can send a crafted serialized object (a gadget chain) to such a receiver and execute arbitrary code in the logging process.
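The description above combines two conditions: a logback build that still deserializes unrestricted objects, and a configuration that actually opens a ServerSocketReceiver to the network. The following check implements both. It is an added example, not code from Red Hat or from the logback project; it assumes the upstream fix boundary is logback 1.2.0 (not stated on this page) and that the version string is taken from the logback-classic jar name or Maven POM. The sample `logback.xml` documents are constructed for the example.

```python
"""Assess whether a logback deployment is exposed to CVE-2017-5929.

Added example (not Red Hat's or QOS.ch's code).  Assumptions:
  * the version string is the logback-classic version from the jar or POM;
  * releases before 1.2.0 are the vulnerable ones (upstream fix boundary,
    not stated on the advisory page this accompanies).
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 2, 0)

# The advisory names ServerSocketReceiver; matching on the simple class name
# also catches the SSL variant (SSLServerSocketReceiver).  The standalone
# SocketServer is started from the command line, so it never appears in
# logback.xml and must be looked for in process lists / start scripts instead.
RECEIVER_MARKER = "ServerSocketReceiver"

# Constructed sample: a config that opens a listening receiver.
SAMPLE_CONFIG = """<configuration>
  <receiver class="ch.qos.logback.classic.net.server.ServerSocketReceiver">
    <port>4560</port>
  </receiver>
  <appender name="FILE" class="ch.qos.logback.core.FileAppender">
    <file>app.log</file>
    <encoder><pattern>%d %level %logger - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="FILE"/></root>
</configuration>
"""

# Constructed sample: same appender, no receiver at all.
SAFE_CONFIG = """<configuration>
  <appender name="FILE" class="ch.qos.logback.core.FileAppender">
    <file>app.log</file>
    <encoder><pattern>%d %level %logger - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="FILE"/></root>
</configuration>
"""


def parse_version(version):
    """'1.1.11' -> (1, 1, 11).  A missing patch level counts as 0 and
    trailing qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised logback version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def find_socket_receivers(config_xml):
    """Return one dict per listening receiver declared in a logback.xml."""
    root = ET.fromstring(config_xml)
    found = []
    for rcv in root.iter("receiver"):
        cls = rcv.get("class", "")
        if RECEIVER_MARKER not in cls:
            continue
        found.append({
            "class": cls,
            # None means the element is absent and logback's default applies.
            "address": rcv.findtext("address"),
            "port": rcv.findtext("port"),
        })
    return found


def assess(config_xml, version):
    """Exposed only when the build is pre-fix AND a receiver is configured."""
    receivers = find_socket_receivers(config_xml)
    vulnerable_build = parse_version(version) < FIXED_VERSION
    return {
        "version": version,
        "vulnerable_build": vulnerable_build,
        "receivers": receivers,
        "exposed": vulnerable_build and bool(receivers),
    }


if __name__ == "__main__":
    for ver in ("1.1.11", "1.2.0"):
        print(ver, assess(SAMPLE_CONFIG, ver))
    print("no receiver", assess(SAFE_CONFIG, "1.1.11"))
```

A deployment that reports `vulnerable_build` but no receivers is still worth upgrading, since the unsafe deserialization path is one configuration change away; the `exposed` flag is only there to prioritise hosts that are listening right now.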
Find out more about CVE-2017-5929 from the MITRE CVE dictionary and NIST NVD.
CVSS v3 metrics
| CVSS3 Base Score | 5.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| Attack Vector | Adjacent Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | Low |
| Integrity Impact | Low |
| Availability Impact | Low |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss A-MQ 6.3 | RHSA-2017:1832 | 2017-08-10 |
| Red Hat Satellite 6.4 for RHEL 7 | RHSA-2018:2927 | 2018-10-16 |
| Red Hat JBoss BRMS 6.4 | RHSA-2017:1676 | 2017-07-04 |
| Red Hat JBoss BPMS 6.4 | RHSA-2017:1675 | 2017-07-04 |
| Red Hat JBoss Fuse 6.3 | RHSA-2017:1832 | 2017-08-10 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | logback-core | Will not fix |
| Red Hat Satellite 6 | logback-core | Will not fix |
