Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)

  - In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive     serialized log events from another application, a specially crafted binary payload can be sent that, when     deserialized, can execute arbitrary code. (CVE-2017-5645)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote host is affected by the vulnerability described in GLSA-202402-16 (Apache Log4j: Multiple Vulnerabilities)

  - Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data     which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when     listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
    (CVE-2019-17571)

  - Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an     SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent     through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1 (CVE-2020-9488)

  - A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious     code execution. (CVE-2020-9493)

  - JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker     has write access to the Log4j configuration or if the configuration references an LDAP service the     attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing     JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to     CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which     is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2     as it addresses numerous other issues from the previous versions. (CVE-2022-23302)

  - By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the     values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be     included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or     headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue     only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.
    Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized     SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions. (CVE-2022-23305)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of log4j installed on the remote host is prior to 1.2.17-17. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2022-1739 advisory.

  - In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive     serialized log events from another application, a specially crafted binary payload can be sent that, when     deserialized, can execute arbitrary code. (CVE-2017-5645)

  - Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data     which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when     listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
    (CVE-2019-17571)

  - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write     access to the Log4j configuration. The attacker can provide TopicBindingName and     TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result     in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2     when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions. (CVE-2021-4104)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5998-1 advisory.

    It was discovered that the SocketServer component of Apache Log4j 1.2 incorrectly handled deserialization.
    An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04     ESM. (CVE-2019-17571)

    It was discovered that the JMSSink component of Apache Log4j 1.2 incorrectly handled deserialization. An     attacker could possibly use this issue to execute arbitrary code. (CVE-2022-23302)

    It was discovered that Apache Log4j 1.2 incorrectly handled certain SQL statements. A remote attacker     could possibly use this issue to perform an SQL injection attack and alter the database. This issue was     only fixed in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2022-23305)

    It was discovered that the Chainsaw component of Apache Log4j 1.2 incorrectly handled deserialization. An     attacker could possibly use this issue to execute arbitrary code. This issue was only fixed in Ubuntu     18.04 LTS and Ubuntu 20.04 LTS. (CVE-2022-23307)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 5.20.3.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.20.3.5 advisory.

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311,     11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible     data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java     Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes     from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by     using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21248)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle     GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated     attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a     partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This     vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21277, CVE-2022-21366)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1;
    Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read     access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This     vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21282, CVE-2022-21296)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle     GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated     attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a     partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This     vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21283)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13,     17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update,     insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web     Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from     the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21291, CVE-2022-21305)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13,     17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to     cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web     Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from     the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21293, CVE-2022-21294, CVE-2022-21340)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1;
    Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to     cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web     Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from     the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21299)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311,     11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise     Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java     Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes     from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by     using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21341)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: 2D). Supported versions that are affected are Oracle Java SE: 7u321, 8u311; Oracle GraalVM     Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker     with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise     Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial     denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This     vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21349)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13,     17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to     cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web     Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from     the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21360, CVE-2022-21365)

  - AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS     extended attributes or tmpfs ACLs), because of a heap-based buffer overflow. (CVE-2021-45417)

  - Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from     uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread     Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed     in Log4j 2.17.0, 2.12.3, and 2.3.1. (CVE-2021-45105)

  - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to     7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the     server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is     configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used)     or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker     knows the relative file path from the storage location used by FileStore to the file the attacker has     control over; then, using a specifically crafted request, the attacker will be able to trigger remote code     execution via deserialization of the file under their control. Note that all of conditions a) to d) must     be true for the attack to succeed. (CVE-2020-9484)

  - The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat     10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local     attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue     is only exploitable when Tomcat is configured to persist sessions using the FileStore. (CVE-2022-23181)

  - A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is     a setuid tool designed to allow unprivileged users to run commands as privileged users according     predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly     and ends trying to execute environment variables as commands. An attacker can leverage this by crafting     environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully     executed the attack can cause a local privilege escalation given unprivileged users administrative rights     on the target machine. (CVE-2021-4034)

  - A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using     PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of     service. (CVE-2020-25704)

  - An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system     crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as     CVE-2021-28950. (CVE-2020-36322)

  - The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to     drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt     mishandles bounds checking. (CVE-2021-42739)

  - In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server     could cause a heap overflow (CVE-2021-26691)

  - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP     Server 2.4.48 and earlier. (CVE-2021-34798)

  - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules     pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache     HTTP Server 2.4.48 and earlier. (CVE-2021-39275)

  - A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser     (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the     vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and     earlier. (CVE-2021-44790)

  - Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data     which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when     listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
    (CVE-2019-17571)

  - Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an     SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent     through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1 (CVE-2020-9488)

  - JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker     has write access to the Log4j configuration or if the configuration references an LDAP service the     attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing     JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to     CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which     is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2     as it addresses numerous other issues from the previous versions. (CVE-2022-23302)

  - By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the     values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be     included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or     headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue     only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.
    Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized     SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions. (CVE-2022-23305)

  - CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw     V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. (CVE-2022-23307)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2022:5053 advisory.

    Log4j is a tool to help the programmer output log statements to a variety of output targets.

    Security Fix(es):

    * log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of log4j installed on the remote host is prior to 1.2.17-16.12. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2022-1562 advisory.

  - In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive     serialized log events from another application, a specially crafted binary payload can be sent that, when     deserialized, can execute arbitrary code. (CVE-2017-5645)

  - Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data     which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when     listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
    (CVE-2019-17571)

  - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write     access to the Log4j configuration. The attacker can provide TopicBindingName and     TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result     in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2     when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of     life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the     previous versions. (CVE-2021-4104)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the installation of Apache Log4j on the remote host is 1.x and is no longer supported. Log4j reached its end of life prior to 2016. Additionally, Log4j 1.x is affected by multiple vulnerabilities, including :

  - Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether     the objects are allowed or not. This can provide an attack vector that can be exploited. (CVE-2019-17571)

  - Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS     connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that     appender. (CVE-2020-9488)

  - JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is     configured to reference an untrusted site or if the site referenced can be accesseed by the attacker.
    (CVE-2022-23302)

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.

The remote SUSE Linux SLES11 host has a package installed that is affected by a vulnerability as referenced in the SUSE- SU-2020:14267-1 advisory.

  - Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data     which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when     listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
    (CVE-2019-17571)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-4495-1 advisory.

    It was discovered that Apache Log4j does not properly deserialize

    untrusted data. An attacker could possibly use this issue to remotely execute arbitrary code.
    (CVE-2019-17571)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was discovered that the SocketServer class included in apache-log4j1.2, a logging library for java, is vulnerable to deserialization of untrusted data. An attacker can take advantage of this flaw to execute arbitrary code in the context of the logger application by sending a specially crafted log event.

The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the CPUApr2020 advisory.

  - A remote code execution vulnerability exists in the Log4j SocketServer class due to unsafe deserialization of     untrusted data. An unauthenticated, remote attacker can exploit this to remotely execute arbitrary code when     combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j     versions up to 1.2 up to 1.2.17. (CVE-2019-17571)

  - An information disclosure vulnerability exists in the Console component. An unauthenticated, remote attacker can     exploit this to gain unauthorized read access to a subset of Oracle WebLogic Server accessible data. (CVE-2020-2766)

  - A vulnerability in the WLS Web Services component exists. An authenticated, remote attacker can exploit this via T3     to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle     WebLogic Server. (CVE-2020-2798)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for log4j fixes the following issues :

  - CVE-2019-17571: Fixed a remote code execution by     deserialization of untrusted data in SocketServer     (bsc#1159646).

This update was imported from the SUSE:SLE-15:Update update project.

Included in Log4j 1.2, a logging library for Java, is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.

For Debian 8 'Jessie', this problem has been fixed in version 1.2.17-5+deb8u1.

We recommend that you upgrade your apache-log4j1.2 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and Red Hat JBoss Web Server 3.1 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.

Security Fix(es) :

* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)

* A vulnerability was discovered in tomcat's handling of pipelined requests when 'Sendfile' was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. (CVE-2017-5647)

* A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)

* A vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application. (CVE-2017-5648)

The remote Redhat Enterprise Linux 5 / 6 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2017:3399 advisory.

  - log4j: Socket receiver deserialization vulnerability (CVE-2017-5645)

  - log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2017:2811 advisory.

    The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running     on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).

    With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat     JBoss Enterprise Application Platform 7.0.8.

    Refer to the JBoss Enterprise Application Platform 7.0.8 Release Notes, linked to in the References     section, for information on the most significant bug fixes and enhancements included in this release.

    Security Fix(es):

    * It was found that when using remote logging with log4j socket server the log4j server would deserialize     any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log     event that, during deserialization, would execute arbitrary code in the context of the logger application.
    (CVE-2017-5645)

    * A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password     hash comparison. (CVE-2014-9970)

    * It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious     application to gain access to user's private information. (CVE-2015-6644)

    * It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces     special strings for obtaining attribute values with system property. This could allow an attacker to     determine values of system properties at the attacked system by formatting the SAML request ID field to be     the chosen system property which could be obtained in the InResponseTo field in the response.
    (CVE-2017-2582)

    * It was found that when the security manager's reflective permissions, which allows it to access the     private members of the class, are granted to Hibernate Validator, a potential privilege escalation can     occur. By allowing the calling code to access those private members without the permission an attacker may     be able to validate an invalid instance and access the private member value via     ConstraintViolation#getInvalidValue(). (CVE-2017-7536)

    The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was     discovered by Gunnar Morling (Red Hat).

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).

With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.17.

Security Fix(es) :

* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)

* A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)

* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)

Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.

An update for log4j is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Log4j is a tool to help the programmer output log statements to a variety of output targets.

Security Fix(es) :

* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)

ID	Name	Product	Family	Severity
199052	RHEL 5 : log4j (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
190670	GLSA-202402-16 : Apache Log4j: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
180057	Amazon Linux 2 : log4j (ALAS-2022-1739)	Nessus	Amazon Linux Local Security Checks	critical
173949	Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS : Apache Log4j vulnerabilities (USN-5998-1)	Nessus	Ubuntu Local Security Checks	critical
165276	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.20.3.5)	Nessus	Misc.	critical
164607	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.0.2.6)	Nessus	Misc.	critical
164601	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.20.4)	Nessus	Misc.	critical
164572	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.1.1)	Nessus	Misc.	critical
162230	RHEL 6 : log4j (RHSA-2022:5053)	Nessus	Red Hat Local Security Checks	critical
156871	Amazon Linux AMI : log4j (ALAS-2022-1562)	Nessus	Amazon Linux Local Security Checks	critical
156860	Apache Log4j 1.x Multiple Vulnerabilities	Nessus	Misc.	critical
150590	SUSE SLES11 Security Update : log4j (SUSE-SU-2020:14267-1)	Nessus	SuSE Local Security Checks	critical
140591	Ubuntu 18.04 LTS : Apache Log4j vulnerability (USN-4495-1)	Nessus	Ubuntu Local Security Checks	critical
136675	Debian DSA-4686-1 : apache-log4j1.2 - security update	Nessus	Debian Local Security Checks	critical
135680	Oracle WebLogic Server Multiple Vulnerabilities (Apr 2020 CPU)	Nessus	Misc.	critical
132915	openSUSE Security Update : log4j (openSUSE-2020-51)	Nessus	SuSE Local Security Checks	critical
132777	Debian DLA-2065-1 : apache-log4j1.2 security update	Nessus	Debian Local Security Checks	critical
112177	RHEL 6 / 7 : Red Hat JBoss Web Server 3.1.0 Service Pack 1 (RHSA-2017:1801)	Nessus	Red Hat Local Security Checks	critical
105209	RHEL 5 / 6 : Red Hat JBoss Enterprise Application Platform 5.2 (RHSA-2017:3399)	Nessus	Red Hat Local Security Checks	critical
103500	RHEL 6 / 7 : eap7-jboss-ec2-eap (RHSA-2017:2811)	Nessus	Red Hat Local Security Checks	critical
103044	RHEL 6 : jboss-ec2-eap (RHSA-2017:2638)	Nessus	Red Hat Local Security Checks	critical
102878	CentOS 7 : log4j (CESA-2017:2423)	Nessus	CentOS Local Security Checks	critical
102348	RHEL 7 : log4j (RHSA-2017:2423)	Nessus	Red Hat Local Security Checks	critical

Detections

Analytics

CVE-2019-17571

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical