It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains.
Find out more about CVE-2017-5929 from the MITRE CVE dictionary dictionary and NIST NVD.
| CVSS3 Base Score | 5.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| Attack Vector | Adjacent Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity Impact | Low |
| Availability Impact | Low |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss A-MQ 6.3 | RHSA-2017:1832 | 2017-08-10 |
| Red Hat Satellite 6.4 for RHEL 7 | RHSA-2018:2927 | 2018-10-16 |
| Red Hat JBoss BRMS 6.4 | RHSA-2017:1676 | 2017-07-04 |
| Red Hat Satellite 6.4 for RHEL 7 | RHSA-2018:2927 | 2018-10-16 |
| Red Hat JBoss BPMS 6.4 | RHSA-2017:1675 | 2017-07-04 |
| Red Hat JBoss Fuse 6.3 | RHSA-2017:1832 | 2017-08-10 |
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | logback-core | Will not fix |
| Red Hat Satellite 6 | logback-core | Will not fix |
Vulmon