{
  "threat_severity" : "Important",
  "public_date" : "2019-12-20T00:00:00Z",
  "bugzilla" : {
    "description" : "log4j: deserialization of untrusted data in SocketServer",
    "id" : "1785616",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1785616"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget if the server is listening to untrusted network traffic for log data. This affects Log4j versions from 1.2 up to 1.2.17.", "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget." ],
  "statement" : "This is the same issue as CVE-2017-5645. MITRE has assigned CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nThe rh-java-common-log4j package shipped with Red Hat Software Collections was also addressed via RHSA-2017:1417.\nIn Satellite 5.8, although the version of log4j shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code cannot be reached.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6 Extended Lifecycle Support",
    "release_date" : "2022-06-15T00:00:00Z",
    "advisory" : "RHSA-2022:5053",
    "cpe" : "cpe:/o:redhat:rhel_els:6",
    "package" : "log4j-0:1.2.14-6.7.el6_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2017-08-07T00:00:00Z",
    "advisory" : "RHSA-2017:2423",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "log4j-0:1.2.17-16.el7_4"
  }, {
    "product_name" : "Red Hat Fuse 7.3.1",
    "release_date" : "2019-06-18T00:00:00Z",
    "advisory" : "RHSA-2019:1545",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss BPMS 6.4",
    "release_date" : "2017-10-12T00:00:00Z",
    "advisory" : "RHSA-2017:2889",
    "cpe" : "cpe:/a:redhat:jboss_bpms:6.4"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6.4",
    "release_date" : "2017-10-12T00:00:00Z",
    "advisory" : "RHSA-2017:2888",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6.4"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7.1",
    "release_date" : "2017-11-16T00:00:00Z",
    "advisory" : "RHSA-2017:3244",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7.1"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6.4.8.SP1",
    "release_date" : "2022-02-09T00:00:00Z",
    "advisory" : "RHSA-2022:0497",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6.4"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6.4.8.SP2",
    "release_date" : "2022-02-10T00:00:00Z",
    "advisory" : "RHSA-2022:0507",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6.4"
  }, {
    "product_name" : "Red Hat JBoss EAP 7",
    "release_date" : "2017-09-26T00:00:00Z",
    "advisory" : "RHSA-2017:2810",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5.2 security update",
    "release_date" : "2017-12-07T00:00:00Z",
    "advisory" : "RHSA-2017:3400",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5",
    "release_date" : "2017-12-07T00:00:00Z",
    "advisory" : "RHSA-2017:3399",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el5",
    "package" : "log4j-0:1.2.14-19.patch_01.ep5.el5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6",
    "release_date" : "2017-12-07T00:00:00Z",
    "advisory" : "RHSA-2017:3399",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el6",
    "package" : "log4j-0:1.2.14-19.patch_01.ep5.el6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6.4",
    "release_date" : "2017-09-05T00:00:00Z",
    "advisory" : "RHSA-2017:2633",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6.4"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6",
    "release_date" : "2017-09-05T00:00:00Z",
    "advisory" : "RHSA-2017:2638",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6",
    "package" : "jboss-ec2-eap-0:7.5.17-1.Final_redhat_4.ep6.el6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6",
    "release_date" : "2017-09-26T00:00:00Z",
    "advisory" : "RHSA-2017:2811",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6",
    "package" : "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7",
    "release_date" : "2017-09-26T00:00:00Z",
    "advisory" : "RHSA-2017:2811",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7",
    "package" : "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3.1",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1802",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "log4j-eap6-0:1.2.16-12.redhat_3.1.ep6.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat7-0:7.0.70-22.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat8-0:8.0.36-24.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat-native-0:1.2.8-10.redhat_10.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "log4j-eap6-0:1.2.16-12.redhat_3.1.ep6.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat7-0:7.0.70-22.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat8-0:8.0.36-24.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat-native-0:1.2.8-10.redhat_10.ep7.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "parfait:0.5/log4j12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Data Virtualisation Operator",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss BRMS 5",
    "fix_state" : "Out of support scope",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5",
    "fix_state" : "Out of support scope",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5"
  }, {
    "product_name" : "Red Hat Mobile Application Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:mobile_application_platform:4"
  }, {
    "product_name" : "Red Hat Mobile Application Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:mobile_application_platform:4"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Not affected",
    "package_name" : "log4j-core",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Not affected",
    "package_name" : "nodejs-log4js",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Satellite 5",
    "fix_state" : "Not affected",
    "package_name" : "nutch",
    "cpe" : "cpe:/a:redhat:network_satellite:5"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "log4j-over-slf4j",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-java-common-log4j",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-maven35-log4j12",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-maven36-log4j12",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-17571\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-17571" ],
  "name" : "CVE-2019-17571",
  "mitigation" : {
    "value" : "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout",
    "lang" : "en:us"
  },
  "csaw" : false
}