漏洞类别:RedHat
漏洞等级: 
漏洞信息
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
Affected Products
JBoss Enterprise Application Platform 5 for RHEL 6 x86_64
JBoss Enterprise Application Platform 5 for RHEL 6 i386
JBoss Enterprise Application Platform 5 for RHEL 5 x86_64
JBoss Enterprise Application Platform 5 for RHEL 5 i386
漏洞危害
An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.
解决方案
Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.
Refer to Red Hat security advisory RHSA-2017:3399 to address this issue and obtain more information.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论