Lucene search

K
centosCentOS ProjectCESA-2017:2423
HistoryAug 31, 2017 - 6:57 p.m.

log4j security update

2017-08-3118:57:53
CentOS Project
lists.centos.org
95

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.874

Percentile

98.7%

CentOS Errata and Security Advisory CESA-2017:2423

Log4j is a tool to help the programmer output log statements to a variety of output targets.

Security Fix(es):

  • It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-cr-announce/2017-August/030957.html

Affected packages:
log4j
log4j-javadoc
log4j-manual

Upstream details at:
https://access.redhat.com/errata/RHSA-2017:2423

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.874

Percentile

98.7%