The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Apache log4j

vulnerability announcement 23902

Apache Log4j: security improvement via SerializedLayout/JsonLayout

Synthesis of the vulnerability

The security of Apache Log4j was improved via SerializedLayout/JsonLayout.
Impacted products: log4j.
Severity: 1/4.
Consequences: no consequence.
Provenance: internet client.
Creation date: 22/09/2017.
Identifiers: VIGILANCE-VUL-23902.

Description of the vulnerability

This bulletin is about a security improvement.

It does not describe a vulnerability.

The security of Apache Log4j was therefore improved via SerializedLayout/JsonLayout.

computer vulnerability bulletin 23698

Apache Log4j: external XML entity injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data to Apache Log4j, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: log4j.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 01/09/2017.
Identifiers: VIGILANCE-VUL-23698.

Description of the vulnerability

XML data can contain external entities, declared in the DTD:
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
A program which reads this XML data can replace each entity reference with the content of the indicated file or URL. When the program processes XML data coming from an untrusted source, this behavior leads to:
 - disclosure of the content of files on the server
 - scanning of private web sites reachable from the server
 - a denial of service, by making the parser open a blocking file
This feature must be disabled to process XML data coming from an untrusted source.

However, the Apache Log4j parser allows external entities.

An attacker can therefore transmit malicious XML data to Apache Log4j, in order to read a file, scan sites, or trigger a denial of service.
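The mitigation the bulletin calls for, shown as an added Java example that is not Vigil@nce's or Log4j's own code: a JAXP parser with its default settings beside one configured to refuse DOCTYPE declarations and external entities, both run over a constructed document that declares an external entity. The class name, the sample document and the method names are assumptions made for this example; the feature URIs are the Xerces ones bundled with the JDK.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XxeHardening {
    // Constructed sample (hypothetical): a config document declaring an external entity.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE config [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n"
        + "<config><name>&ext;</name></config>";

    // Weak setup: JAXP defaults leave DOCTYPE and external entity resolution enabled.
    static DocumentBuilderFactory weakFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened setup: refuse DOCTYPE outright; the remaining features are defence in depth
    // for parsers that must still accept a DTD.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    // Returns true only if the parser rejected the document before resolving anything.
    static boolean rejectsExternalEntity(DocumentBuilderFactory f) throws Exception {
        try {
            Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(UNTRUSTED_XML)));
            System.out.println("parsed; <name> = " + d.getDocumentElement().getTextContent().trim());
            return false;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return true;
        } catch (java.io.IOException e) {
            // The parser already tried to fetch the external resource: the leak happened.
            System.out.println("external fetch attempted: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        rejectsExternalEntity(weakFactory());      // false: &ext; is resolved from disk
        rejectsExternalEntity(hardenedFactory());  // true: DOCTYPE is disallowed
    }
}
```

With the default factory the first call prints the content of the referenced file (or an I/O error showing the fetch was attempted); with the hardened factory the parser stops at the DOCTYPE and the entity is never resolved.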

vulnerability CVE-2017-5645

Apache log4j: code execution via Socket Server Deserialization

Synthesis of the vulnerability

An attacker can use a vulnerability via Socket Server Deserialization of Apache log4j, in order to run code.
Impacted products: log4j, Fedora, Junos Space, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Oracle iPlanet Web Server, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, Percona Server, RHEL, JBoss EAP by Red Hat.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: intranet client.
Creation date: 18/04/2017.
Identifiers: cpuapr2018, cpuapr2019, cpujan2018, cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2017-5645, ESA-2017-05, FEDORA-2017-2ccfbd650a, FEDORA-2017-511ebfa8a3, FEDORA-2017-7e0ff7f73a, FEDORA-2017-8348115acd, FEDORA-2017-b8358cda24, JSA10838, RHSA-2017:1801-01, RHSA-2017:1802-01, RHSA-2017:2423-01, RHSA-2017:2633-01, RHSA-2017:2635-01, RHSA-2017:2636-01, RHSA-2017:2637-01, RHSA-2017:2638-01, RHSA-2017:2808-01, RHSA-2017:2809-01, RHSA-2017:2810-01, RHSA-2017:2811-01, RHSA-2017:2888-01, RHSA-2017:2889-01, RHSA-2017:3244-01, RHSA-2017:3399-01, RHSA-2017:3400-01, VIGILANCE-VUL-22460.

Description of the vulnerability

An attacker can exploit the deserialization performed by the Socket Server of Apache log4j, in order to run code.

computer vulnerability note 11659

Apache log4j: memory leak via MDC and ThreadLocal

Synthesis of the vulnerability

When an application uses an org.apache.log4j.MDC object, an attacker can call it to generate a memory leak, leading to a denial of service.
Impacted products: log4j.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 29/05/2012.
Identifiers: 50486, VIGILANCE-VUL-11659.

Description of the vulnerability

The org.apache.log4j.MDC (Mapped Diagnostic Context) class is used to process logs coming from different sources, in a multi-thread environment.

The MDC.remove() method deletes the context entry. However, it does not call the ThreadLocalMap.remove() method, so the thread-local variables held by the ThreadLocal are never freed.

When an application uses an org.apache.log4j.MDC object, an attacker can therefore call it to generate a memory leak, leading to a denial of service.