Vulnerability of Apache log4j: code execution via Socket Server Deserialization

Synthesis of the vulnerability

An attacker can exploit a deserialization vulnerability in the Socket Server of Apache log4j in order to run code.
Severity of this threat: 3/4.
Creation date: 18/04/2017.
References of this weakness: cpuapr2018, cpuapr2019, cpujan2018, cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2017-5645, ESA-2017-05, FEDORA-2017-2ccfbd650a, FEDORA-2017-511ebfa8a3, FEDORA-2017-7e0ff7f73a, FEDORA-2017-8348115acd, FEDORA-2017-b8358cda24, JSA10838, RHSA-2017:1801-01, RHSA-2017:1802-01, RHSA-2017:2423-01, RHSA-2017:2633-01, RHSA-2017:2635-01, RHSA-2017:2636-01, RHSA-2017:2637-01, RHSA-2017:2638-01, RHSA-2017:2808-01, RHSA-2017:2809-01, RHSA-2017:2810-01, RHSA-2017:2811-01, RHSA-2017:2888-01, RHSA-2017:2889-01, RHSA-2017:3244-01, RHSA-2017:3399-01, RHSA-2017:3400-01, VIGILANCE-VUL-22460.

Description of the vulnerability

An attacker can exploit a deserialization vulnerability in the Socket Server of Apache log4j in order to run code.

This cybersecurity vulnerability impacts software or systems such as log4j, Fedora, Junos Space, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Oracle iPlanet Web Server, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, Percona Server, Puppet, RHEL, JBoss EAP by Red Hat.

Our Vigil@nce team determined that the severity of this vulnerability is important.

The trust level is "confirmed by the vendor", and the attack origin is an intranet client.

An attacker with expert ability can exploit this weakness.

Solutions for this threat

Apache log4j: version 2.8.1.
The version 2.8.1 is fixed:
  https://logging.apache.org/log4j/2.x/
If Java 6 is used, the patch VIGILANCE-SOL-52018 has to be used.

Apache log4j: patch for Socket Server Deserialization.
A patch is indicated in information sources.

Continuous Delivery for Puppet Enterprise: version 2.18.2.
The version 2.18.2 is fixed:
  https://puppet.com/

Elastic Logstash: patch for Log4J.
The plugin logstash-input-log4j 3.0.5 is fixed.

Fedora: new log4j packages.
New packages are available:
  Fedora 24: log4j 2.5-3.fc24, log4j12 1.2.17-19.fc24
  Fedora 25: log4j 2.5-5.fc25, log4j12 1.2.17-19.fc25
  Fedora 26: log4j12 1.2.17-19.fc26

Junos Space: fixed versions.
Fixed versions are indicated in information sources.

MariaDB: version 10.0.36.
The version 10.0.36 is fixed:
  https://mariadb.com/downloads

MariaDB: version 5.5.61.
The version 5.5.61 is fixed:
  https://mariadb.com/

Oracle Communications: CPU of April 2018.
A Critical Patch Update is available:
  http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Oracle Communications: CPU of April 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2518758.1
  https://support.oracle.com/rs?type=doc&id=2518763.1
  https://support.oracle.com/rs?type=doc&id=2522151.1
  https://support.oracle.com/rs?type=doc&id=2519787.1
  https://support.oracle.com/rs?type=doc&id=2522126.1
  https://support.oracle.com/rs?type=doc&id=2522123.1
  https://support.oracle.com/rs?type=doc&id=2518753.1
  https://support.oracle.com/rs?type=doc&id=2522121.1
  https://support.oracle.com/rs?type=doc&id=2528862.1
  https://support.oracle.com/rs?type=doc&id=2518754.1

Oracle Communications: CPU of January 2018.
A Critical Patch Update is available:
  http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Oracle Communications: CPU of January 2019.
A Critical Patch Update is available:
  https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Oracle Communications: CPU of July 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2559239.1
  https://support.oracle.com/rs?type=doc&id=2563691.1
  https://support.oracle.com/rs?type=doc&id=2559240.1
  https://support.oracle.com/rs?type=doc&id=2559722.1
  https://support.oracle.com/rs?type=doc&id=2559225.1
  https://support.oracle.com/rs?type=doc&id=2559721.1
  https://support.oracle.com/rs?type=doc&id=2559256.1
  https://support.oracle.com/rs?type=doc&id=2559242.1
  https://support.oracle.com/rs?type=doc&id=2559243.1
  https://support.oracle.com/rs?type=doc&id=2559648.1

Oracle Communications: CPU of October 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2451363.1
  https://support.oracle.com/rs?type=doc&id=2450339.1
  https://support.oracle.com/rs?type=doc&id=2450354.1
  https://support.oracle.com/rs?type=doc&id=2450340.1
  https://support.oracle.com/rs?type=doc&id=2452772.1
  https://support.oracle.com/rs?type=doc&id=2451007.1

Oracle Fusion Middleware: CPU of April 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2353306.1

Oracle Fusion Middleware: CPU of April 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2498664.1

Oracle Fusion Middleware: CPU of January 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2325393.1

Oracle Fusion Middleware: CPU of January 2019.
A Critical Patch Update is available:
  https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Oracle Fusion Middleware: CPU of July 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2394520.1

Oracle Fusion Middleware: CPU of July 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2534806.1

Oracle Fusion Middleware: CPU of October 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2433477.1

Oracle MySQL: version 5.5.61.
The version 5.5.61 is fixed:
  https://support.oracle.com/rs?type=doc&id=2417138.1
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 5.6.41.
The version 5.6.41 is fixed:
  https://support.oracle.com/rs?type=doc&id=2417138.1
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 5.7.23.
The version 5.7.23 is fixed:
  https://support.oracle.com/rs?type=doc&id=2417138.1
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 8.0.12.
The version 8.0.12 is fixed:
  https://support.oracle.com/rs?type=doc&id=2417138.1
  https://dev.mysql.com/downloads/mysql/

Red Hat JBoss BPM Suite: version 6.4.6.
The version 6.4.6 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4

Red Hat JBoss BRMS: version 6.4.6.
The version 6.4.6 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.4

Red Hat JBoss Data Grid: version 7.1.1.
The version 7.1.1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=distributions&version=7.1.1

Red Hat JBoss Enterprise Application Platform 5.2: patch for log4j.
A patch is indicated in information sources.

Red Hat JBoss Enterprise Application Platform: version 6.4.17.
The version 6.4.17 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

Red Hat JBoss Enterprise Application Platform: version 7.0.8.
The version 7.0.8 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.0

Red Hat JBoss Web Server: version 3.1 SP1.
The version 3.1 SP1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=3.1

RHEL 7.4: new log4j packages.
New packages are available:
  RHEL 7: log4j 1.2.17-16.el7_4