-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: rh-java-common-log4j security update Advisory ID: RHSA-2017:1417-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2017:1417 Issue date: 2017-06-08 CVE Names: CVE-2017-5645 ===================================================================== 1. Summary: An update for rh-java-common-log4j is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3) - noarch Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch 3. Description: Log4j is a tool to help the programmer output log statements to a variety of output targets. Security Fix(es): * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6): Source: rh-java-common-log4j-1.2.17-15.15.el6.src.rpm noarch: rh-java-common-log4j-1.2.17-15.15.el6.noarch.rpm rh-java-common-log4j-javadoc-1.2.17-15.15.el6.noarch.rpm rh-java-common-log4j-manual-1.2.17-15.15.el6.noarch.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7): Source: rh-java-common-log4j-1.2.17-15.15.el6.src.rpm noarch: rh-java-common-log4j-1.2.17-15.15.el6.noarch.rpm rh-java-common-log4j-javadoc-1.2.17-15.15.el6.noarch.rpm rh-java-common-log4j-manual-1.2.17-15.15.el6.noarch.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6): Source: rh-java-common-log4j-1.2.17-15.15.el6.src.rpm noarch: rh-java-common-log4j-1.2.17-15.15.el6.noarch.rpm rh-java-common-log4j-javadoc-1.2.17-15.15.el6.noarch.rpm rh-java-common-log4j-manual-1.2.17-15.15.el6.noarch.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-java-common-log4j-1.2.17-15.15.el7.src.rpm noarch: rh-java-common-log4j-1.2.17-15.15.el7.noarch.rpm rh-java-common-log4j-javadoc-1.2.17-15.15.el7.noarch.rpm rh-java-common-log4j-manual-1.2.17-15.15.el7.noarch.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3): Source: rh-java-common-log4j-1.2.17-15.15.el7.src.rpm noarch: rh-java-common-log4j-1.2.17-15.15.el7.noarch.rpm rh-java-common-log4j-javadoc-1.2.17-15.15.el7.noarch.rpm rh-java-common-log4j-manual-1.2.17-15.15.el7.noarch.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-java-common-log4j-1.2.17-15.15.el7.src.rpm noarch: rh-java-common-log4j-1.2.17-15.15.el7.noarch.rpm rh-java-common-log4j-javadoc-1.2.17-15.15.el7.noarch.rpm rh-java-common-log4j-manual-1.2.17-15.15.el7.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2017-5645 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFZOQMQXlSAg2UNWIIRAgwvAJ9zqVY6yvhkuO8Uqdtyu86+9P1VIgCgtBhf ceYEsokMPo3LCY/99DiysrI= =wZ5c -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce