ID

VAR-201704-1589

CVE

CVE-2017-5645

TITLE

Apache Log4j CVE-2017-5645 Remote Code Execution Vulnerability

DESCRIPTION

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. Apache Log4j is prone to remote code-execution vulnerability. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Failed exploits will result in denial-of-service conditions. Apache Log4j 2.0-alpha1 through 2.8.1 are vulnerable. Apache Log4j is a Java-based open source logging tool developed by the Apache Software Foundation. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Security Fix(es): * bsh2: remote code execution via deserialization (CVE-2016-2510) * log4j: Socket receiver deserialization vulnerability (CVE-2017-5645) * uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code (CVE-2017-15691) * mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) (CVE-2018-3258) * thrift: Improper Access Control grants access to files outside the webservers docroot path (CVE-2018-11798) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Installation instructions are available from the Fuse 7.3.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/ 4. Bugs fixed (https://bugzilla.redhat.com/): 1310647 - CVE-2016-2510 bsh2: remote code execution via deserialization 1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability 1572463 - CVE-2017-15691 uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code 1640615 - CVE-2018-3258 mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) 1667188 - CVE-2018-11798 thrift: Improper Access Control grants access to files outside the webservers docroot path 5. (CVE-2017-5645) 4. (CVE-2017-5645) * It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957) 3. It is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. (CVE-2017-5645) * A vulnerability was discovered in tomcat's handling of pipelined requests when "Sendfile" was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. (CVE-2017-5647) * A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664) * A vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application. (CVE-2017-5648) 3. The References section of this erratum contains a download link (you must log in to download the update). (CVE-2017-7525) Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: eap7-jboss-ec2-eap security update Advisory ID: RHSA-2017:2811-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2017:2811 Issue date: 2017-09-26 CVE Names: CVE-2014-9970 CVE-2015-6644 CVE-2017-2582 CVE-2017-5645 CVE-2017-7536 ===================================================================== 1. Summary: An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server - noarch Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server - noarch 3. Description: The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.8. Refer to the JBoss Enterprise Application Platform 7.0.8 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release. (CVE-2017-5645) * A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970) * It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644) * It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582) * It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536) The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat). 4. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1410481 - CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties 1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability 1444015 - CVE-2015-6644 bouncycastle: Information disclosure in GCMBlockCipher 1455566 - CVE-2014-9970 jasypt: Vulnerable to timing attack against the password hash comparison 1465573 - CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-11487 - jboss-ec2-eap for EAP 7.0.8 7. Package List: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server: Source: eap7-jboss-ec2-eap-7.0.8-1.GA_redhat_1.ep7.el6.src.rpm noarch: eap7-jboss-ec2-eap-7.0.8-1.GA_redhat_1.ep7.el6.noarch.rpm eap7-jboss-ec2-eap-samples-7.0.8-1.GA_redhat_1.ep7.el6.noarch.rpm Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server: Source: eap7-jboss-ec2-eap-7.0.8-1.GA_redhat_1.ep7.el7.src.rpm noarch: eap7-jboss-ec2-eap-7.0.8-1.GA_redhat_1.ep7.el7.noarch.rpm eap7-jboss-ec2-eap-samples-7.0.8-1.GA_redhat_1.ep7.el7.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2014-9970 https://access.redhat.com/security/cve/CVE-2015-6644 https://access.redhat.com/security/cve/CVE-2017-2582 https://access.redhat.com/security/cve/CVE-2017-5645 https://access.redhat.com/security/cve/CVE-2017-7536 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/ https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFZyqc8XlSAg2UNWIIRAoL2AKCOEos/eTwZdsdU4A789rEF2s4JsACgkci0 I+ZxMFSg7RGnJ094iZyew4A= =eKao -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

arbitrary

EXTERNAL IDS

REFERENCES