Bug 719146 (CVE-2019-17571, CVE-2020-9488) - dev-java/log4j: Multiple vulnerabilities (CVE-2019-17571, CVE-2020-9488)
Summary: dev-java/log4j: Multiple vulnerabilities (CVE-2019-17571, CVE-2020-9488)
Status: IN_PROGRESS
Alias: CVE-2019-17571, CVE-2020-9488
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [ebuild cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-24 02:08 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-27 18:47 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-24 02:08:27 UTC
CVE-2019-17571 (https://nvd.nist.gov/vuln/detail/CVE-2019-17571):
  Included in Log4j 1.2 is a SocketServer class that is vulnerable to
  deserialization of untrusted data which can be exploited to remotely execute
  arbitrary code when combined with a deserialization gadget when listening to
  untrusted network traffic for log data. This affects Log4j versions up to
  1.2 up to 1.2.17.
Patch: https://src.fedoraproject.org/rpms/log4j12/c/d4c817c458d69dcc629a7271999d178b0dcb7c74?branch=master

Note from Debian [0]:
"CVE-2019-17571 correspond to CVE-2017-5645 for apache-log4j2. 1.2.x branch
is end-of-life upstream and does not receive a fix for this issue. Users
should upgrade to Log4j 2.x."

[0] https://security-tracker.debian.org/tracker/CVE-2019-17571
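The description above says the Log4j 1.2 SocketServer deserializes whatever arrives on the socket. The following is an added example, not code from Log4j, Fedora or this bug report; it shows in plain JDK why an unrestricted readObject() on untrusted input runs code the receiver never chose, and how a JDK 9+ ObjectInputFilter allowlist (the standard mitigation for this class of bug) rejects unexpected classes before they are instantiated. LogRecord and Unexpected are constructed stand-ins, not Log4j classes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/*
 * Added example (not Log4j code). A receiver that calls readObject() on a raw
 * socket stream instantiates whatever class the sender named. A JDK 9+
 * ObjectInputFilter confines deserialization to the record type the receiver
 * expects. LogRecord and Unexpected are constructed stand-ins.
 */
public class FilteredLogReceiver {

    /** Constructed stand-in for the one event type a log receiver legitimately accepts. */
    public static final class LogRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String logger;
        final String message;
        LogRecord(String logger, String message) {
            this.logger = logger;
            this.message = message;
        }
    }

    /** Constructed stand-in for an arbitrary class the receiver never asked for. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        // A custom readObject runs as a side effect of deserialization. It only
        // prints here, which is enough to show that code chosen by the sender
        // executes before the receiver's readObject() call even returns.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("  Unexpected.readObject ran during deserialization");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: no restriction on which classes the stream may name. */
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /** Hardened pattern: allow LogRecord (and String for its fields), reject every other class. */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                LogRecord.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowlist); // rejected classes fail before instantiation
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new LogRecord("app.Main", "started"));
        byte[] bad = serialize(new Unexpected());

        System.out.println("unfiltered, expected record: " + ((LogRecord) readUnfiltered(good)).message);
        System.out.println("unfiltered, unexpected class:");
        readUnfiltered(bad); // Unexpected.readObject runs

        System.out.println("filtered, expected record: " + ((LogRecord) readFiltered(good)).message);
        try {
            readFiltered(bad);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected class rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with any JDK 9 or later. The filter pattern lists the accepted class names and ends in "!*" so that anything not named is rejected with an InvalidClassException; the allowlist is the point, because a denylist of known gadget classes cannot keep up. As the Debian note says, for Log4j 1.2 itself the answer is to stop exposing SocketServer to untrusted networks and move to Log4j 2.x rather than to patch around it.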
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2020-04-27 18:47:01 UTC
CVE-2020-9488 (https://nvd.nist.gov/vuln/detail/CVE-2020-9488):
  Improper validation of certificate with host mismatch in Apache Log4j SMTP
  appender. This could allow an SMTPS connection to be intercepted by a
  man-in-the-middle attack which could leak any log messages sent through that
  appender.
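The following is an added example, not Log4j code, for the SMTP appender issue described above. In JavaMail/Jakarta Mail the host-name check on an SMTPS certificate is controlled by the mail.<protocol>.ssl.checkserveridentity property, which older releases leave off by default; the exact change made in the Log4j fix is not stated on this page. The helper builds Session properties with the weak defaults beside the hardened form and includes a small configuration check; the host name is a constructed placeholder.

```java
import java.util.Properties;

/*
 * Added example (not Log4j code). Builds JavaMail Session properties for an
 * SMTPS connection: the weak form leaves the certificate's host name
 * unverified, the hardened form turns the identity check on and forbids
 * blanket trust. Host name and port are constructed placeholders.
 */
public class SmtpTlsSettings {

    /** Weak configuration: TLS is used, but the certificate's host name is never checked. */
    static Properties weakSmtps(String host) {
        Properties p = new Properties();
        p.put("mail.smtps.host", host);
        p.put("mail.smtps.port", "465");
        p.put("mail.smtps.auth", "true");
        // mail.smtps.ssl.checkserveridentity is not set; older JavaMail
        // releases default it to false, so a valid certificate issued for any
        // other name is accepted and the connection can be intercepted.
        return p;
    }

    /** Hardened configuration: identity check on, no wildcard trust, modern protocols only. */
    static Properties hardenedSmtps(String host) {
        Properties p = weakSmtps(host);
        p.put("mail.smtps.ssl.checkserveridentity", "true"); // verify cert name against host
        p.remove("mail.smtps.ssl.trust");                    // "*" here would skip chain validation entirely
        p.put("mail.smtps.ssl.protocols", "TLSv1.2 TLSv1.3");
        return p;
    }

    /** Configuration check: true only if the host name is verified and nothing is blindly trusted. */
    static boolean verifiesServerIdentity(Properties p, String protocol) {
        boolean identity = Boolean.parseBoolean(
                p.getProperty("mail." + protocol + ".ssl.checkserveridentity", "false"));
        boolean blanketTrust = "*".equals(p.getProperty("mail." + protocol + ".ssl.trust"));
        return identity && !blanketTrust;
    }

    public static void main(String[] args) {
        String host = "smtp.example.invalid"; // constructed placeholder
        System.out.println("weak verifies identity?     " + verifiesServerIdentity(weakSmtps(host), "smtps"));
        System.out.println("hardened verifies identity? " + verifiesServerIdentity(hardenedSmtps(host), "smtps"));
    }
}
```

The same property names apply with the "smtp" prefix when STARTTLS is used instead of SMTPS. The check function is the kind of thing to run over an application's mail configuration before accepting that log mail, which may carry sensitive data, is actually protected in transit.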