First published: Wed Apr 05 2023(Updated: )
It was discovered that the SocketServer component of Apache Log4j 1.2 incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 ESM. (CVE-2019-17571) It was discovered that the JMSSink component of Apache Log4j 1.2 incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code. (CVE-2022-23302) It was discovered that Apache Log4j 1.2 incorrectly handled certain SQL statements. A remote attacker could possibly use this issue to perform an SQL injection attack and alter the database. This issue was only fixed in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2022-23305) It was discovered that the Chainsaw component of Apache Log4j 1.2 incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code. This issue was only fixed in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2022-23307)
Affected Software | Affected Version | How to fix |
---|---|---|
All of | ||
ubuntu/liblog4j1.2-java | <1.2.17-9ubuntu0.2 | 1.2.17-9ubuntu0.2 |
=20.04 | ||
All of | ||
ubuntu/liblog4j1.2-java | <1.2.17-8+deb10u1ubuntu0.2 | 1.2.17-8+deb10u1ubuntu0.2 |
=18.04 | ||
All of | ||
ubuntu/liblog4j1.2-java | <1.2.17-7ubuntu1+esm1 | 1.2.17-7ubuntu1+esm1 |
=16.04 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Contains the following vulnerabilities)
The severity of USN-5998-1 is critical.
The SocketServer component of Apache Log4j 1.2 mishandles deserialization, which could allow an attacker to execute arbitrary code.
The liblog4j1.2-java package version 1.2.17-9ubuntu0.2 is affected by USN-5998-1.
The recommended remedy for the liblog4j1.2-java package in Ubuntu 16.04 ESM is to update to version 1.2.17-7ubuntu1+esm1.
You can find more information about USN-5998-1 on the Ubuntu Security Notices website.