Uploaded image for project: 'ActiveMQ Classic'
  1. ActiveMQ Classic
  2. AMQ-7370

log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Not A Problem
    • 5.15.10, 5.15.11
    • None
    • Broker
    • None

    Description

      Sonatype Nexus auditor is reporting following log4j related security issue on Apache ActiveMQ 5.15.10 and 5.15.11. Recommendation is to use org.apache.logging.log4j:log4j-core version(s) 2.8.2 and above. Can you please check if Apache ActiveMQ is vulnerable and if so upgrade based on the recommendation?

      Description from CVE
      Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
      Explanation

      The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due to Deserialization of Untrusted Data. The configureHierarchy and genericHierarchy methods in SocketServer.class do not verify if the file at a given file path contains any untrusted objects prior to deserializing them. A remote attacker can exploit this vulnerability by providing a path to crafted files, which result in arbitrary code execution when deserialized.

      NOTE: Starting with version(s) 2.x, log4j:log4j was relocated to org.apache.logging.log4j:log4j-core. A variation of this vulnerability exists in org.apache.logging.log4j:log4j-core as CVE-2017-5645, in versions up to but excluding 2.8.2.
      Detection

      The application is vulnerable by using this component.
      Recommendation

      Starting with version(s) 2.x, log4j:log4j was relocated to org.apache.logging.log4j:log4j-core. A variation of this vulnerability exists in org.apache.logging.log4j:log4j-core as CVE-2017-5645, in versions up to but excluding 2.8.2. Therefore, it is recommended to upgrade to org.apache.logging.log4j:log4j-core version(s) 2.8.2 and above. For log4j:log4j 1.x versions however, a fix does not exist.
      Root Cause
      activemq-all-5.15.10.jar <= org/apache/log4j/net/SocketServer.class : (,)
      Advisories
      Project: https://issues.apache.org/jira/browse/LOG4J2-1863
      Project: https://lists.apache.org/thread.html/84cc4266238e057b95eb95d
      Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1785616
      CVSS Details
      Sonatype CVSS 3: 9.8
      CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. AMQ-7372 [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]

          • Major - Major loss of function.
          • Resolved
          relates to

          Task - A task that needs to be done. AMQ-7426 Upgrade to log4j2

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              jbonofre Jean-Baptiste Onofré
              arajwade Abhijit Rajwade
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: