- Vulnerability/
- USN-5998-1
USN-5998-1: Apache Log4j vulnerabilities
First published: Wed Apr 05 2023(Updated: )
It was discovered that the SocketServer component of Apache Log4j 1.2 incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 ESM. (CVE-2019-17571) It was discovered that the JMSSink component of Apache Log4j 1.2 incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code. (CVE-2022-23302) It was discovered that Apache Log4j 1.2 incorrectly handled certain SQL statements. A remote attacker could possibly use this issue to perform an SQL injection attack and alter the database. This issue was only fixed in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2022-23305) It was discovered that the Chainsaw component of Apache Log4j 1.2 incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code. This issue was only fixed in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2022-23307)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/liblog4j1.2-java | <1.2.17-9ubuntu0.2 | 1.2.17-9ubuntu0.2 |
| =20.04 | ||
| All of | ||
| ubuntu/liblog4j1.2-java | <1.2.17-8+deb10u1ubuntu0.2 | 1.2.17-8+deb10u1ubuntu0.2 |
| =18.04 | ||
| All of | ||
| ubuntu/liblog4j1.2-java | <1.2.17-7ubuntu1+esm1 | 1.2.17-7ubuntu1+esm1 |
| =16.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ubuntu.com/security/CVE-2019-17571
- https://ubuntu.com/security/CVE-2022-23302
- https://ubuntu.com/security/CVE-2022-23307
- https://ubuntu.com/security/CVE-2022-23305
- https://ubuntu.com/security/notices/USN-4495-1
- https://launchpad.net/ubuntu/+source/apache-log4j1.2/1.2.17-9ubuntu0.2
- https://launchpad.net/ubuntu/+source/apache-log4j1.2/1.2.17-8+deb10u1ubuntu0.2
- https://ubuntu.com/security/notices/USN-5998-1 (Advisory)
Child vulnerabilities
(Contains the following vulnerabilities)
Frequently Asked Questions
What is the severity of USN-5998-1?
The severity of USN-5998-1 is critical.
How does the SocketServer component of Apache Log4j 1.2 handle deserialization incorrectly?
The SocketServer component of Apache Log4j 1.2 mishandles deserialization, which could allow an attacker to execute arbitrary code.
Which version of liblog4j1.2-java is affected by USN-5998-1?
The liblog4j1.2-java package version 1.2.17-9ubuntu0.2 is affected by USN-5998-1.
What is the recommended remedy for liblog4j1.2-java package in Ubuntu 16.04 ESM?
The recommended remedy for the liblog4j1.2-java package in Ubuntu 16.04 ESM is to update to version 1.2.17-7ubuntu1+esm1.
Where can I find more information about USN-5998-1?
You can find more information about USN-5998-1 on the Ubuntu Security Notices website.
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- collector/usn
- source/Ubuntu
- anchor-related/USN-4495-1
- agent/software-canonical-lookup
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu ubuntu
- version/ubuntu ubuntu/20.04
- version/ubuntu ubuntu/18.04
- version/ubuntu ubuntu/16.04