Amazon Linux 1 Security Advisory: ALAS-2022-1562
Advisory Release Date: 2022-01-18 20:15 Pacific
Advisory Updated Date: 2023-02-17 00:02 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget. (CVE-2019-17571)
A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker's JNDI LDAP endpoint. (CVE-2021-4104)
Affected Packages:
log4j
Issue Correction:
Run yum update log4j to update your system.
noarch:
log4j-manual-1.2.17-16.12.amzn1.noarch
log4j-1.2.17-16.12.amzn1.noarch
log4j-javadoc-1.2.17-16.12.amzn1.noarch
src:
log4j-1.2.17-16.12.amzn1.src