Podatność CVE-2017-5645

Podatność CVE-2017-5645

Publikacja: 2017-04-17

Opis:

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

W naszej bazie, znaleźliśmy następujące noty dla tego CVE:

	Tytuł	Autor	Data
Med.	Apache Log4j socket receiver deserialization vulnerability	Telstra	18.04.2017

Typ:

CWE-502

(Deserialization of Untrusted Data)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Ogólna skala CVSS	Znaczenie	Łatwość wykorzystania
7.5/10	6.4/10	10/10

Wymagany dostęp	Złożoność ataku	Autoryzacja
Zdalny	Niska	Nie wymagana
Wpływ na poufność	Wpływ na integralność	Wpływ na dostępność
Częściowy	Częściowy	Częściowy

Affected software
Redhat -> Enterprise linux
Redhat -> Enterprise linux desktop
Redhat -> Enterprise linux server
Redhat -> Enterprise linux server aus
Redhat -> Enterprise linux server eus
Redhat -> Enterprise linux server tus
Redhat -> Enterprise linux workstation
Oracle -> Configuration manager
Oracle -> Identity management suite
Oracle -> Soa suite
Oracle -> Enterprise data quality
Oracle -> Insurance calculation engine
Oracle -> Tape library acsls
Oracle -> Enterprise manager base platform
Oracle -> Insurance policy administration
Oracle -> Utilities work and asset management
Oracle -> Enterprise manager for fusion middleware
Oracle -> Insurance rules palette
Oracle -> Enterprise manager for mysql database
Oracle -> Jd edwards enterpriseone tools
Oracle -> Enterprise manager for oracle database
Oracle -> Jdeveloper
Oracle -> Enterprise manager for peoplesoft
Oracle -> Peoplesoft enterprise fin install
Oracle -> Financial services analytical applications infrastructure
Oracle -> Policy automation
Oracle -> Api gateway
Oracle -> Financial services behavior detection platform
Oracle -> Policy automation connector for siebel
Oracle -> Autovue vuelink integration
Oracle -> Financial services hedge management and ifrs valuations
Oracle -> Policy automation for mobile devices
Oracle -> Banking platform
Oracle -> Financial services loan loss forecasting and provisioning
Oracle -> Retail clearance optimization engine
Oracle -> Communications messaging server
Oracle -> Bi publisher
Oracle -> Financial services profitability management
Oracle -> Retail extract transform and load
Oracle -> Mysql enterprise monitor
Oracle -> Communications converged application server - service controller
Oracle -> Flexcube investor servicing
Oracle -> Retail integration bus
Oracle -> Communications online mediation controller
Oracle -> Fusion middleware mapviewer
Oracle -> Retail open commerce platform
Oracle -> Communications pricing design center
Oracle -> Goldengate application adapters
Oracle -> Retail predictive application server
Oracle -> Communications service broker
Oracle -> Identity analytics
Oracle -> Siebel ui framework
Netapp -> Oncommand api services
Netapp -> Oncommand insight
Netapp -> Oncommand workflow automation
Netapp -> Service level manager
Netapp -> Snapcenter
Netapp -> Storage automation store
Apache -> Log4j

Referencje:

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/97702

http://www.securitytracker.com/id/1040200

http://www.securitytracker.com/id/1041294

https://access.redhat.com/errata/RHSA-2017:1417

https://access.redhat.com/errata/RHSA-2017:1801

https://access.redhat.com/errata/RHSA-2017:1802

https://access.redhat.com/errata/RHSA-2017:2423

https://access.redhat.com/errata/RHSA-2017:2633

https://access.redhat.com/errata/RHSA-2017:2635

https://access.redhat.com/errata/RHSA-2017:2636

https://access.redhat.com/errata/RHSA-2017:2637

https://access.redhat.com/errata/RHSA-2017:2638

https://access.redhat.com/errata/RHSA-2017:2808

https://access.redhat.com/errata/RHSA-2017:2809

https://access.redhat.com/errata/RHSA-2017:2810

https://access.redhat.com/errata/RHSA-2017:2811

https://access.redhat.com/errata/RHSA-2017:2888

https://access.redhat.com/errata/RHSA-2017:2889

https://access.redhat.com/errata/RHSA-2017:3244

https://access.redhat.com/errata/RHSA-2017:3399

https://access.redhat.com/errata/RHSA-2017:3400

https://access.redhat.com/errata/RHSA-2019:1545

https://issues.apache.org/jira/browse/LOG4J2-1863

https://security.netapp.com/advisory/ntap-20180726-0002/

https://security.netapp.com/advisory/ntap-20181107-0002/

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Podatność CVE-2017-5645

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

W naszej bazie, znaleźliśmy następujące noty dla tego CVE:

Med.

Apache Log4j socket receiver deserialization vulnerability

CWE-502

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

7.5/10

6.4/10

10/10

Zdalny

Niska

Nie wymagana

Częściowy

Częściowy

Częściowy

Affected software

Referencje: