Apache Log4j CVE-2017-5645 Remote Code Execution Vulnerability

Risk

High

Date Discovered

April 17, 2017

Description

Apache Log4j 2 is prone to a remote code-execution vulnerability in its socket-based log receivers. The TcpSocketServer and UdpSocketServer classes accept serialized Java log events from other applications over the network and deserialize them with a standard ObjectInputStream, so an attacker who can reach the listening port can send a specially crafted serialized object and have arbitrary code executed in the context of the application hosting the receiver. Failed exploits typically surface as exceptions in the receiver and may result in denial-of-service conditions. Apache Log4j 2.0-alpha1 through 2.8.1 are vulnerable; version 2.8.2 fixes the issue by restricting deserialization in the socket servers to an allowlist of classes. The flaw is in the server-side receiver, not in the SocketAppender that sends events, so only deployments that actually run one of these receivers are exposed; the Oracle and Red Hat products listed below are affected because they bundle the vulnerable library.
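The receive-side pattern described above, beside the allowlist approach that 2.8.2 introduced, as an added Java illustration that is not Log4j's own code: the LogEvent and NotALogEvent classes, the AllowlistObjectInputStream and all method names are stand-ins chosen for this example, the byte arrays are constructed in place of real socket traffic, and the hostile class only sets a flag in its readObject hook where a real gadget chain would execute code.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;

/**
 * Illustration only (not Log4j code): the unfiltered deserialization behind
 * CVE-2017-5645 next to an allowlisting ObjectInputStream of the kind 2.8.2 uses.
 */
public class SocketServerDeserialization {

    /** Stand-in for the serialized log event a SocketAppender puts on the wire (assumed type). */
    static final class LogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String level;
        final String message;
        LogEvent(String level, String message) { this.level = level; this.message = message; }
    }

    /** Set by the hostile class's readObject hook; stands in for "attacker code ran". */
    static boolean sideEffectRan = false;

    /** Any Serializable class on the receiver's classpath resolves; a gadget chain would do real work here. */
    static final class NotALogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            sideEffectRan = true;
        }
    }

    /** Vulnerable pattern (2.0-alpha1 .. 2.8.1): deserialize whatever arrives on the socket. */
    static Object receiveUnfiltered(InputStream socketIn) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(socketIn)) {
            return ois.readObject();
        }
    }

    /** Hardened pattern: resolveClass runs before any object is instantiated, so rejection here
     *  happens before a hostile readObject hook can fire. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Strings and primitives are native stream types and never reach resolveClass,
            // so the allowlist only needs the event class itself.
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "class not in allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static Object receiveFiltered(InputStream socketIn) throws IOException, ClassNotFoundException {
        Set<String> allowed = Collections.singleton(LogEvent.class.getName());
        try (ObjectInputStream ois = new AllowlistObjectInputStream(socketIn, allowed)) {
            return ois.readObject();
        }
    }

    /** Constructed sample input: the bytes a sender would write to the socket. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new LogEvent("INFO", "user logged in"));
        byte[] hostile = serialize(new NotALogEvent());

        // The unfiltered receiver accepts both; the hostile stream runs its readObject hook.
        receiveUnfiltered(new ByteArrayInputStream(legit));
        receiveUnfiltered(new ByteArrayInputStream(hostile));
        System.out.println("unfiltered receiver: hostile readObject ran = " + sideEffectRan);

        sideEffectRan = false;
        LogEvent ev = (LogEvent) receiveFiltered(new ByteArrayInputStream(legit));
        System.out.println("filtered receiver: accepted " + ev.level + " " + ev.message);
        try {
            receiveFiltered(new ByteArrayInputStream(hostile));
        } catch (InvalidClassException e) {
            System.out.println("filtered receiver: rejected " + e.classname
                + "; hostile readObject ran = " + sideEffectRan);
        }
    }
}
```

Compile and run with a plain javac/java; no Log4j dependency is needed. The same class-name gate can be applied JVM-wide, without touching the receiver's code, through the jdk.serialFilter property introduced by JEP 290 (Java 9, and backported to the 8u121, 7u131 and 6u141 updates), which is a sensible second layer even after upgrading to 2.8.2.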

Technologies Affected

  • Apache Log4j 2.0 Beta1
  • Apache Log4j 2.0 Beta2
  • Apache Log4j 2.0 Beta4
  • Apache Log4j 2.0 RC1
  • Apache Log4j 2.0 RC2
  • Apache Log4j 2.0 alpha2
  • Apache Log4j 2.0 beta3
  • Apache Log4j 2.0 beta5
  • Apache Log4j 2.0 beta6
  • Apache Log4j 2.0 beta7
  • Apache Log4j 2.0 beta8
  • Apache Log4j 2.0 beta9
  • Apache Log4j 2.0-alpha1
  • Apache Log4j 2.0.1
  • Apache Log4j 2.0.2
  • Apache Log4j 2.1
  • Apache Log4j 2.2
  • Apache Log4j 2.3
  • Apache Log4j 2.4
  • Apache Log4j 2.4.1
  • Apache Log4j 2.5
  • Apache Log4j 2.6
  • Apache Log4j 2.6.1
  • Apache Log4j 2.6.2
  • Apache Log4j 2.7
  • Apache Log4j 2.8
  • Apache Log4j 2.8.1
  • Oracle API Gateway 11.1.2.4.0
  • Oracle Agile Engineering Data Management 6.1.3
  • Oracle Agile Engineering Data Management 6.2.0
  • Oracle Agile Engineering Data Management 6.2.1
  • Oracle Agile Material and Equipment Management for Pharmaceuticals 9.3.3
  • Oracle Agile Material and Equipment Management for Pharmaceuticals 9.3.4
  • Oracle Agile PLM 9.3.3
  • Oracle Agile PLM 9.3.4
  • Oracle Agile PLM 9.3.5
  • Oracle Agile PLM 9.3.6
  • Oracle Agile PLM MCAD Connector 3.3
  • Oracle Agile PLM MCAD Connector 3.4
  • Oracle Agile PLM MCAD Connector 3.5
  • Oracle Agile PLM MCAD Connector 3.6
  • Oracle Application Testing Suite 12.5.0.3
  • Oracle Application Testing Suite 13.1.0.1
  • Oracle Application Testing Suite 13.2.0.1
  • Oracle Autovue for Agile Product Lifecycle Management 21.0.0
  • Oracle Autovue for Agile Product Lifecycle Management 21.0.1
  • Oracle BI Publisher 11.1.1.7.0
  • Oracle BI Publisher 11.1.1.9.0
  • Oracle BI Publisher 12.2.1.3.0
  • Oracle BI Publisher 12.2.1.4.0
  • Oracle Big Data Discovery 1.6.0
  • Oracle Business Intelligence Data Warehouse Administration Console 11.1.1.6.4
  • Oracle Communications BRM - Elastic Charging Engine 7.5
  • Oracle Communications Converged Application Server - Service Controller 6.1
  • Oracle Communications Convergent Charging Controller 6.0
  • Oracle Communications Interactive Session Recorder 6.0
  • Oracle Communications Interactive Session Recorder 6.1
  • Oracle Communications Interactive Session Recorder 6.2
  • Oracle Communications Messaging Server 3.0
  • Oracle Communications Messaging Server 6.3
  • Oracle Communications Messaging Server 7.0
  • Oracle Communications Messaging Server 8.0
  • Oracle Communications Messaging Server 8.0.1.1.0
  • Oracle Communications Network Charging and Control 6.0
  • Oracle Communications Network Intelligence 7.3.0
  • Oracle Communications Online Mediation Controller 6.1
  • Oracle Communications Pricing Design Center 11.1
  • Oracle Communications Pricing Design Center 12.0
  • Oracle Communications Service Broker 6.0
  • Oracle Communications Services Gatekeeper 5.1
  • Oracle Communications Services Gatekeeper 6.0
  • Oracle Communications Unified Inventory Management 7.0
  • Oracle Communications Unified Inventory Management 7.1
  • Oracle Communications Unified Inventory Management 7.3
  • Oracle Communications WebRTC Session Controller 7.0
  • Oracle Communications WebRTC Session Controller 7.1
  • Oracle Configuration Manager 12.1.2.0.2
  • Oracle Configuration Manager 12.1.2.0.5
  • Oracle Endeca Information Discovery Integrator 3.1
  • Oracle Endeca Information Discovery Integrator 3.2
  • Oracle Endeca Server 7.7
  • Oracle Enterprise Linux 7
  • Oracle Enterprise Manager Ops Center 12.2.2
  • Oracle Enterprise Manager Ops Center 12.3.2
  • Oracle Enterprise Repository 11.1.1.7.0
  • Oracle Enterprise Repository 12.1.3.0.0
  • Oracle FLEXCUBE Core Banking 11.5.0
  • Oracle FLEXCUBE Core Banking 11.6.0
  • Oracle FLEXCUBE Core Banking 11.7.0
  • Oracle FLEXCUBE Investor Servicing 12.0.4
  • Oracle FLEXCUBE Investor Servicing 12.1.0
  • Oracle FLEXCUBE Investor Servicing 12.3.0
  • Oracle FLEXCUBE Investor Servicing 12.4.0
  • Oracle FLEXCUBE Investor Servicing 14.0.0
  • Oracle FLEXCUBE Private Banking 12.0.0
  • Oracle FLEXCUBE Private Banking 2.1.0
  • Oracle GoldenGate Application Adapters 12.3.2.1.1
  • Oracle Identity Analytics 11.1.1.5.8
  • Oracle Identity Management Suite 11.1.2.3.0
  • Oracle Identity Management Suite 12.2.1.3.0
  • Oracle Insurance Calculation Engine 10.1.1
  • Oracle Insurance Calculation Engine 10.2.1
  • Oracle Insurance Rules Palette 10.0
  • Oracle Insurance Rules Palette 10.1
  • Oracle Insurance Rules Palette 10.2.0
  • Oracle Insurance Rules Palette 11.0
  • Oracle Insurance Rules Palette 11.1
  • Oracle JD Edwards EnterpriseOne Tools 4.0.1.0
  • Oracle JD Edwards EnterpriseOne Tools 9.2
  • Oracle JD Edwards World Security A9.2
  • Oracle JD Edwards World Security A9.3
  • Oracle JD Edwards World Security A9.4
  • Oracle JDeveloper 11.1.1.9.0
  • Oracle JDeveloper 12.1.3.0.0
  • Oracle JDeveloper 12.2.1.0.0
  • Oracle MICROS Lucas 2.9.5
  • Oracle MICROS Retail XBRi Loss Prevention 10.0.1
  • Oracle MICROS Retail XBRi Loss Prevention 10.5.0
  • Oracle MICROS Retail XBRi Loss Prevention 10.6.0
  • Oracle MICROS Retail XBRi Loss Prevention 10.7.0
  • Oracle MICROS Retail XBRi Loss Prevention 10.8.0
  • Oracle MICROS Retail XBRi Loss Prevention 10.8.1
  • Oracle Managed File Transfer 12.1.3.0.0
  • Oracle Managed File Transfer 12.2.1.2.0
  • Oracle Managed File Transfer 12.2.1.3.0
  • Oracle PeopleSoft Enterprise FIN Supply Chain Portal Pack Argentina 9.1
  • Oracle PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil 9.1
  • Oracle Retail Advanced Inventory Planning 13.2
  • Oracle Retail Advanced Inventory Planning 13.4
  • Oracle Retail Advanced Inventory Planning 14.1
  • Oracle Retail Advanced Inventory Planning 15.0
  • Oracle Retail Assortment Planning 14.1.3
  • Oracle Retail Assortment Planning 15.0.3
  • Oracle Retail Assortment Planning 16.0.1
  • Oracle Retail Back Office 14.0.4
  • Oracle Retail Back Office 14.1.3
  • Oracle Retail Central Office 14.0.4
  • Oracle Retail Central Office 14.1.3
  • Oracle Retail Convenience and Fuel POS 2.1.132
  • Oracle Retail Customer Management and Segmentation Foundation 10.8.0
  • Oracle Retail Customer Management and Segmentation Foundation 11.4.0
  • Oracle Retail Customer Management and Segmentation Foundation 15.0.0
  • Oracle Retail Customer Management and Segmentation Foundation 16.0.0
  • Oracle Retail EFTLink 15.0.2
  • Oracle Retail EFTLink 16.0.3
  • Oracle Retail Extract Transform and Load 13.0
  • Oracle Retail Extract Transform and Load 13.1
  • Oracle Retail Extract Transform and Load 13.2
  • Oracle Retail Fiscal Management 14.1
  • Oracle Retail Insights 14.0
  • Oracle Retail Insights 14.1
  • Oracle Retail Insights 15.0
  • Oracle Retail Insights 16.0
  • Oracle Retail Invoice Matching 10.2
  • Oracle Retail Invoice Matching 11.0
  • Oracle Retail Invoice Matching 12.0
  • Oracle Retail Invoice Matching 13.0
  • Oracle Retail Invoice Matching 13.1
  • Oracle Retail Invoice Matching 13.2
  • Oracle Retail Invoice Matching 14.0
  • Oracle Retail Invoice Matching 14.1
  • Oracle Retail Invoice Matching 15.0
  • Oracle Retail Invoice Matching 16.0
  • Oracle Retail Open Commerce Platform 5.3
  • Oracle Retail Open Commerce Platform 6.0
  • Oracle Retail Open Commerce Platform 6.0.1
  • Oracle Retail Order Broker 15.0
  • Oracle Retail Order Broker 16.0
  • Oracle Retail Order Broker 5.1
  • Oracle Retail Order Broker 5.2
  • Oracle Retail Order Management System 4.0
  • Oracle Retail Order Management System 4.5
  • Oracle Retail Order Management System 4.7
  • Oracle Retail Order Management System 5.0
  • Oracle Retail Point-of-Service 14.0.4
  • Oracle Retail Point-of-Service 14.1.3
  • Oracle Retail Price Management 12.0
  • Oracle Retail Price Management 13.0
  • Oracle Retail Price Management 13.1
  • Oracle Retail Price Management 13.2
  • Oracle Retail Price Management 14.0
  • Oracle Retail Price Management 14.1
  • Oracle Retail Price Management 15.0
  • Oracle Retail Price Management 16.0
  • Oracle Retail Returns Management 14.0.4
  • Oracle Retail Returns Management 14.1.3
  • Oracle Retail Returns Management 2.3.8
  • Oracle Retail Returns Management 2.4.9
  • Oracle Retail Store Inventory Management 12.0.12
  • Oracle Retail Store Inventory Management 13.0.7
  • Oracle Retail Store Inventory Management 13.1.9
  • Oracle Retail Store Inventory Management 13.2.9
  • Oracle Retail Store Inventory Management 14.0.4
  • Oracle Retail Store Inventory Management 14.1.3
  • Oracle Retail Store Inventory Management 15.0.2
  • Oracle Retail Store Inventory Management 16.0.1
  • Oracle Retail Workforce Management 1.60.7
  • Oracle Retail Workforce Management 1.64.0
  • Oracle Retail Xstore Point of Service 15.0.1
  • Oracle Retail Xstore Point of Service 6.0.11
  • Oracle Retail Xstore Point of Service 7.0.6
  • Oracle Retail Xstore Point of Service 7.1.6
  • Oracle SOA Suite 12.1.3.0.0
  • Oracle SOA Suite 12.2.1.3.0
  • Oracle Secure Global Desktop 5.3
  • Oracle Siebel UI Framework 18.7
  • Oracle Siebel UI Framework 18.8
  • Oracle Siebel UI Framework 18.9
  • Oracle Tape Library ACSLS 8.4
  • Oracle Transportation Management 6.2.11
  • Oracle Transportation Management 6.3.1
  • Oracle Transportation Management 6.3.2
  • Oracle Transportation Management 6.3.3
  • Oracle Transportation Management 6.3.4
  • Oracle Transportation Management 6.3.5
  • Oracle Transportation Management 6.3.6
  • Oracle Transportation Management 6.3.7
  • Oracle Transportation Management 6.4.1
  • Oracle Transportation Management 6.4.2
  • Oracle Utilities Advanced Spatial and Operational Analytics 2.7.0.1
  • Oracle Utilities Framework 2.2.0
  • Oracle Utilities Framework 4.2.0
  • Oracle Utilities Framework 4.3.0
  • Oracle WebCenter Portal 12.2.1.2.0
  • Oracle WebCenter Portal 12.2.1.3.0
  • Oracle Weblogic Server 10.3.6.0
  • Oracle Weblogic Server 12.1.3.0
  • Oracle Weblogic Server 12.2.1.2
  • Oracle Weblogic Server 12.2.1.3
  • Redhat Enterprise Linux 7 Client
  • Redhat Enterprise Linux Client Optional 7
  • Redhat Enterprise Linux ComputeNode 7
  • Redhat Enterprise Linux ComputeNode Optional 7
  • Redhat Enterprise Linux Server 6
  • Redhat Enterprise Linux Server 7
  • Redhat Enterprise Linux Server EUS 6.7
  • Redhat Enterprise Linux Server EUS 7.3
  • Redhat Enterprise Linux Server Optional 7
  • Redhat Enterprise Linux Workstation 6
  • Redhat Enterprise Linux Workstation 7
  • Redhat Enterprise Linux Workstation Optional 7
  • Redhat JBoss Web Server 3.1 for RHEL 6
  • Redhat JBoss Web Server 3.1 for RHEL 7

Recommendations

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor traffic to the port on which a Log4j socket receiver listens. Every Java serialization stream begins with the magic bytes 0xAC 0xED 0x00 0x05, and the class names it carries appear in clear text, so flag streams that reach the receiver carrying class descriptors other than the expected log-event classes, and unexplained connections to the receiver port from hosts that are not known log senders.

Do not accept serialized log events from untrusted or unknown sources.
The plain TCP and UDP receivers accept events from any host that can reach the port. Expose a receiver only on trusted networks, restrict its port with a firewall to the known senders, or carry the traffic over an authenticated tunnel; do not forward it across the Internet.

Implement multiple redundant layers of security.
Memory-protection schemes such as non-executable or randomly mapped memory do not help here: this is a Java deserialization flaw and the attacker's code runs inside the JVM. Useful layers are a JVM-wide serialization filter (the jdk.serialFilter property from JEP 290, available in Java 9 and in the 8u121, 7u131 and 6u141 updates) that allows only the log-event classes, and keeping libraries the receiver does not need, which may supply deserialization gadgets, off its classpath.

Run all software as a nonprivileged user with minimal access rights.
To limit the impact of latent vulnerabilities, run the JVM that hosts the socket receiver as a nonadministrative user with minimal access rights, so that code execution in the receiver does not directly yield control of the host.

Updates are available. Apache Log4j 2.8.2 fixes this issue by restricting deserialization in the socket servers to an allowlist of classes; upgrade to 2.8.2 or later. Vendors that bundle Log4j, including the Oracle and Red Hat products listed above, ship their own updates; please see the references or vendor advisory for more information.

Credits

Marcio Almeida de Macedo of Red Team at Telstra.


© 1995- Symantec Corporation

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.