CVSS2 (base score 7.5)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3 (base score 9.8)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence: High
EPSS Percentile: 98.7%
Issue Overview:
When remote logging is used with the Log4j socket server, the server deserializes every log event it receives over TCP or UDP without validating the sender or the object. An attacker who can reach that port can send a specially crafted serialized log event that executes arbitrary code during deserialization, in the context of the logging application. (CVE-2017-5645)
The SocketServer class in Log4j 1.2 deserializes untrusted data received from the network. When a suitable deserialization gadget chain is present on the application's classpath, an unauthenticated remote attacker can use this to execute arbitrary code. (CVE-2019-17571)
JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data through the JNDI lookups it performs. A remote attacker can execute code on the server if the deployed application is configured to use JMSAppender and the attacker controls the JNDI endpoint it resolves (for example an LDAP server named by the appender's TopicBindingName or TopicConnectionFactoryBindingName), which in practice means write access to the Log4j configuration. JMSAppender is not enabled by default. (CVE-2021-4104)
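As an added example (not part of the advisory or of Log4j itself), the following Python script performs the two checks a practitioner would run on a host that cannot be patched immediately: does any Log4j configuration enable JMSAppender, and does the deployed log4j jar still ship the SocketServer and JMSAppender classes named above. The log4j.properties text and the jar are constructed in memory so the script runs offline; the function names and the class list are this example's own. Stripping the classes from the jar mirrors the common `zip -d` stopgap and is no substitute for installing the updated RPM.

```python
"""Audit a Log4j 1.x deployment for the components in this advisory:
the SocketServer classes (CVE-2017-5645, CVE-2019-17571) and JMSAppender
(CVE-2021-4104). Constructed example; pass real file contents to the same
functions to audit a host."""
import io
import re
import zipfile

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

# Jar entries that carry the code paths described in the advisory. SocketNode
# is where the server calls ObjectInputStream.readObject() on a received
# LoggingEvent; SocketServer/SimpleSocketServer spawn it; JMSAppender performs
# the JNDI lookups for its topic and connection factory.
RISKY_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
    "org/apache/log4j/net/JMSAppender.class",
)

# log4j.properties: "log4j.appender.<name>=<class>" / "log4j.appender.<name>.<key>=<value>"
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)", re.M)
PROP_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\.([^=\s]+)\s*=\s*(.*?)\s*$", re.M)
# log4j.xml: <appender name="..." class="..."> in either attribute order
XML_APPENDER_RE = re.compile(r"<appender\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def find_jms_appenders(config_text):
    """Return {appender_name: {property: value}} for every JMSAppender in a
    log4j.properties or log4j.xml document. Any hit is reportable: whoever can
    write the JNDI properties (ProviderURL, TopicBindingName,
    TopicConnectionFactoryBindingName) can point the appender at their own
    LDAP server."""
    found = {}
    for name, cls in APPENDER_RE.findall(config_text):
        if cls == JMS_APPENDER:
            found[name] = {}
    for match in XML_APPENDER_RE.finditer(config_text):
        attrs = dict(ATTR_RE.findall(match.group(1)))
        if attrs.get("class") == JMS_APPENDER and "name" in attrs:
            found[attrs["name"]] = {}
    for name, key, value in PROP_RE.findall(config_text):
        if name in found:
            found[name][key] = value
    return found


def jar_names(jar_bytes):
    """Set of entry names in a jar held in memory."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return set(jar.namelist())


def risky_jar_entries(jar_bytes):
    """Sorted list of the RISKY_CLASSES entries present in the jar."""
    names = jar_names(jar_bytes)
    return sorted(c for c in RISKY_CLASSES if c in names)


def strip_risky_classes(jar_bytes):
    """Return a copy of the jar without the RISKY_CLASSES entries. Same effect
    as `zip -q -d log4j-1.2.17.jar <entries>`; a stopgap only, the fix is the
    updated RPM."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename not in RISKY_CLASSES:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar():
    """Constructed stand-in for log4j-1.2.17.jar; only entry names matter for
    this audit, so the class bodies are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        for name in ("org/apache/log4j/Logger.class",
                     "org/apache/log4j/net/SocketAppender.class", *RISKY_CLASSES):
            jar.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


SAMPLE_PROPERTIES = """\
# constructed log4j.properties: one harmless appender and one JMSAppender
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.sun.jndi.ldap.LdapCtxFactory
log4j.appender.jms.ProviderURL=ldap://jms.internal.example:389
log4j.appender.jms.TopicBindingName=cn=logTopic,ou=jms,dc=example
log4j.appender.jms.TopicConnectionFactoryBindingName=cn=logTCF,ou=jms,dc=example
"""

if __name__ == "__main__":
    jar = build_sample_jar()
    for name, props in find_jms_appenders(SAMPLE_PROPERTIES).items():
        print(f"JMSAppender '{name}' -> ProviderURL={props.get('ProviderURL')}")
    print("risky classes in jar:", risky_jar_entries(jar))
    print("after stripping:", risky_jar_entries(strip_risky_classes(jar)))
```

The configuration check deliberately flags a JMSAppender even when its ProviderURL points at an internal host: the exposure is whoever can edit that file, not the current value.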
Affected Packages:
log4j
Issue Correction:
Run yum update log4j to update your system.
New Packages:
noarch:
log4j-manual-1.2.17-16.12.amzn1.noarch
log4j-1.2.17-16.12.amzn1.noarch
log4j-javadoc-1.2.17-16.12.amzn1.noarch
src:
log4j-1.2.17-16.12.amzn1.src
Red Hat: CVE-2017-5645, CVE-2019-17571, CVE-2021-4104
Mitre: CVE-2017-5645, CVE-2019-17571, CVE-2021-4104
OS | OS version | Architecture | Package | Affected versions | Fixed package |
---|---|---|---|---|---|
Amazon Linux | 1 | noarch | log4j-manual | < 1.2.17-16.12.amzn1 | log4j-manual-1.2.17-16.12.amzn1.noarch.rpm |
Amazon Linux | 1 | noarch | log4j | < 1.2.17-16.12.amzn1 | log4j-1.2.17-16.12.amzn1.noarch.rpm |
Amazon Linux | 1 | noarch | log4j-javadoc | < 1.2.17-16.12.amzn1 | log4j-javadoc-1.2.17-16.12.amzn1.noarch.rpm |
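Whether a host still needs this update comes down to comparing the installed epoch:version-release against 1.2.17-16.12.amzn1 the way rpm does, not as plain strings. The Python below is an added example, not Amazon's tooling: it ports rpm's rpmvercmp segment algorithm and applies it to constructed `rpm -qa` output (the installed releases shown are invented for illustration); the '^' marker is not handled.

```python
"""Decide whether installed log4j RPMs are older than the fixed build named
in this advisory (1.2.17-16.12.amzn1). RPM versions must be compared with
rpm's segment-wise algorithm (rpmvercmp), not as plain strings: release
"16.12.amzn1" is newer than "9.10.amzn1" although "1" sorts before "9".

Added example with constructed data. On a real host produce the input with:
  rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\\n' 'log4j*'
"""
import re

# fixed (epoch, version, release) per package, from the advisory table
FIXED_EVR = ("0", "1.2.17", "16.12.amzn1")
FIXED = {name: FIXED_EVR for name in ("log4j", "log4j-manual", "log4j-javadoc")}

# constructed rpm -qa output, not captured from a real system
SAMPLE_RPM_QA = """\
log4j (none) 1.2.17 15.11.amzn1
log4j-manual (none) 1.2.17 16.12.amzn1
log4j-javadoc (none) 1.2.17 9.10.amzn1
"""


def rpmvercmp(a, b):
    """Python port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.
    Segments are runs of digits or letters; numeric segments compare by value,
    alphabetic ones lexically, numeric beats alphabetic, and '~' marks a
    pre-release that sorts before everything (even end of string). The '^'
    marker is not handled (assumption: unused in these builds)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators such as '.' and '-'
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if not tilde_a:
                return 1
            if not tilde_b:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        seg = r"[0-9]+" if numeric else r"[A-Za-z]+"
        seg_a = re.match(seg, a[i:]).group(0)
        match_b = re.match(seg, b[j:])
        seg_b = match_b.group(0) if match_b else ""
        i, j = i + len(seg_a), j + len(seg_b)
        if not seg_b:
            # different segment kinds at this position: numeric is newer
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # the string with segments left is newer


def evr_cmp(x, y):
    """Compare (epoch, version, release) tuples the way rpm orders packages."""
    if int(x[0]) != int(y[0]):
        return 1 if int(x[0]) > int(y[0]) else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def parse_rpm_qa(text):
    """Parse 'NAME EPOCH VERSION RELEASE' lines; rpm prints '(none)' for an
    unset epoch, which it treats as 0."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, epoch, version, release = line.split()
            installed[name] = ("0" if epoch == "(none)" else epoch, version, release)
    return installed


def vulnerable_packages(installed, fixed=FIXED):
    """Names of installed packages whose EVR is below the fixed EVR."""
    return sorted(n for n, evr in installed.items()
                  if n in fixed and evr_cmp(evr, fixed[n]) < 0)


if __name__ == "__main__":
    for name in vulnerable_packages(parse_rpm_qa(SAMPLE_RPM_QA)):
        print(f"{name}: installed build is older than {'-'.join(FIXED[name][1:])}, update needed")
```

Run it against real `rpm -qa` output after `yum update log4j` to confirm every log4j package is at or above the fixed build.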