Lucene search

K
amazonAmazonALAS-2022-1562
HistoryJan 18, 2022 - 8:15 p.m.

Important: log4j

2022-01-1820:15:00
alas.aws.amazon.com
71
log4j
remote logging
deserialization
vulnerability
apache log4j
cve-2017-5645
cve-2019-17571
cve-2021-4104

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.874

Percentile

98.7%

Issue Overview:

It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)

A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget. (CVE-2019-17571)

A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker’s JNDI LDAP endpoint. (CVE-2021-4104)

Affected Packages:

log4j

Issue Correction:
Run yum update log4j to update your system.

New Packages:

noarch:  
    log4j-manual-1.2.17-16.12.amzn1.noarch  
    log4j-1.2.17-16.12.amzn1.noarch  
    log4j-javadoc-1.2.17-16.12.amzn1.noarch  
  
src:  
    log4j-1.2.17-16.12.amzn1.src  

Additional References

Red Hat: CVE-2017-5645, CVE-2019-17571, CVE-2021-4104

Mitre: CVE-2017-5645, CVE-2019-17571, CVE-2021-4104

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.874

Percentile

98.7%