Stay Secure with the Latest Linux Advisories

security advisorysecurity updateremote code execution

Mageia 8: 2023-0141 moderate: Log4j Remote Code Execution

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. (CVE-2019-17571) . MGASA-2023-0141 - Updated davmail packages fix security vulnerability Publication date: 15 Apr 2023 URL: https://advisories.mageia.org/MGASA-2023-0141.html Type: security Affected Mageia releases: 8 CVE: CVE-2019-17571, CVE-2021-4104, CVE-2022-23302, CVE-2022-23305 Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. (CVE-2019-17571) JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. (CVE-2021-4104) JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. (CVE-2022-23302) By design, the JDBCAppender in Log4j 1.2.x accepts an SQLstatement as a configuration parameter where the values to be inserted are convertersfrom PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. (CVE-2022-23305) References: - https://bugs.mageia.org/show_bug.cgi?id=31708 - https://github.com/mguessan/davmail/blob/master/RELEASE-NOTES.md - https://www.cve.org/CVERecord?id=CVE-2019-17571 - https://www.cve.org/CVERecord?id=CVE-2021-4104 - https://www.cve.org/CVERecord?id=CVE-2022-23302 - https://www.cve.org/CVERecord?id=CVE-2022-23305 SRPMS: - 8/core/davmail-6.1.0-1.mga8 . Revised davmail distributions bolster protection against serious threats linked to Log4j deserialization weaknesses.. Davmail Security, Log4j Exploit, Mageia Update, Deserialization Threats, Remote Code Execution. . Severity: Important. LinuxSecurity.com Team

Apr 15, 2023 •Important Mageia