Bug 719146 (CVE-2019-17571, CVE-2020-9488) - dev-java/log4j: Multiple vulnerabilities (CVE-2019-17571, CVE-2020-9488)
Summary: dev-java/log4j: Multiple vulnerabilities (CVE-2019-17571, CVE-2020-9488)
Alias: CVE-2019-17571, CVE-2020-9488
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [ebuild cve]
Depends on:
Reported: 2020-04-24 02:08 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-27 18:47 UTC

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-24 02:08:27 UTC
CVE-2019-17571 (
  Included in Log4j 1.2 is a SocketServer class that is vulnerable to
  deserialization of untrusted data which can be exploited to remotely execute
  arbitrary code when combined with a deserialization gadget when listening to
  untrusted network traffic for log data. This affects Log4j versions up to
  1.2 up to 1.2.17.


Note from Debian [0]:
"CVE-2019-17571 correspond to CVE-2017-5645 for apache-log4j2. 1.2.x branch
is end-of-life upstream and does not receive a fix for this issue. Users
should upgrade to Log4j 2.x."

Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2020-04-27 18:47:01 UTC
CVE-2020-9488 (
  Improper validation of certificate with host mismatch in Apache Log4j SMTP
  appender. This could allow an SMTPS connection to be intercepted by a
  man-in-the-middle attack which could leak any log messages sent through that