Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.ALA_ALAS-2022-1562.NASL
HistoryJan 20, 2022 - 12:00 a.m.

Amazon Linux AMI : log4j (ALAS-2022-1562)

2022-01-2000:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
87
amazon linux ami
log4j
vulnerability
alas-2022-1562
apache log4j
remote code execution
deserialization
jmsappender
tcp socket server
udp socket server
cve-2017-5645
cve-2019-17571
cve-2021-4104

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

10

Confidence

High

EPSS

0.965

Percentile

99.6%

JSON

The version of log4j installed on the remote host is prior to 1.2.17-16.12. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2022-1562 advisory.

  • In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. (CVE-2017-5645)

  • Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
    (CVE-2019-17571)

  • JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. (CVE-2021-4104)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2022-1562.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(156871);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/20");

  script_cve_id("CVE-2017-5645", "CVE-2019-17571", "CVE-2021-4104");
  script_xref(name:"IAVA", value:"2019-A-0128");
  script_xref(name:"IAVA", value:"2020-A-0140");
  script_xref(name:"IAVA", value:"2020-A-0008-S");
  script_xref(name:"IAVA", value:"2020-A-0326");
  script_xref(name:"IAVA", value:"2020-A-0324");
  script_xref(name:"IAVA", value:"2018-A-0229-S");
  script_xref(name:"IAVA", value:"2018-A-0118-S");
  script_xref(name:"IAVA", value:"2019-A-0256-S");
  script_xref(name:"IAVA", value:"2018-A-0336-S");
  script_xref(name:"IAVA", value:"2019-A-0021-S");
  script_xref(name:"IAVA", value:"2019-A-0025-S");
  script_xref(name:"IAVA", value:"2018-A-0117-S");
  script_xref(name:"IAVA", value:"2018-A-0226-S");
  script_xref(name:"IAVA", value:"2018-A-0225-S");
  script_xref(name:"IAVA", value:"2018-A-0335-S");
  script_xref(name:"IAVA", value:"2021-A-0573");
  script_xref(name:"IAVA", value:"0001-A-0650");
  script_xref(name:"IAVA", value:"2018-A-0030-S");
  script_xref(name:"ALAS", value:"2022-1562");

  script_name(english:"Amazon Linux AMI : log4j (ALAS-2022-1562)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux AMI host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of log4j installed on the remote host is prior to 1.2.17-16.12. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS-2022-1562 advisory.

  - In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive
    serialized log events from another application, a specially crafted binary payload can be sent that, when
    deserialized, can execute arbitrary code. (CVE-2017-5645)

  - Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data
    which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when
    listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
    (CVE-2019-17571)

  - JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write
    access to the Log4j configuration. The attacker can provide TopicBindingName and
    TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result
    in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2
    when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of
    life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the
    previous versions. (CVE-2021-4104)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2022-1562.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/../../faqs.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2017-5645.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2019-17571.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-4104.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update log4j' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-17571");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/01/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/01/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:log4j");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:log4j-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:log4j-manual");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'log4j-1.2.17-16.12.amzn1', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'log4j-javadoc-1.2.17-16.12.amzn1', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'log4j-manual-1.2.17-16.12.amzn1', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "log4j / log4j-javadoc / log4j-manual");
}

Related

nessus 38
amazon 2
redhatcve 4
redhat 14
veracode 4
githubexploit 8
centos 1
attackerkb 2
ibm 39
openvas 23
ubuntucve 4
cve 3
prion 3
atlassian 3
github 3
debiancve 3
cvelist 3
f5 3
osv 8
mageia 1
nvd 3
cert 1
trellix 2
symantec 3
threatpost 1
checkpoint_advisories 2
debian 3
ubuntu 1
fedora 6
oraclelinux 1
seebug 1
cloudlinux 1
suse 1
myhack58 2
qualysblog 1
thn 1
nessus
nessus
Amazon Linux 2 : log4j (ALAS-2022-1739)
2023-08-23 00:00:00
RHEL 5 / 6 : Red Hat JBoss Enterprise Application Platform 5.2 (RHSA-2017:3399)
2017-12-13 00:00:00
RHEL 5 : log4j (Unpatched Vulnerability)
2024-06-03 00:00:00
amazon
amazon
Medium: log4j
2022-01-18 21:37:00
Important: log4j
2022-01-18 20:15:00
redhatcve
redhatcve
CVE-2017-5645
2019-10-10 10:12:57
CVE-2019-17571
2020-04-05 23:06:12
CVE-2021-44228
2022-05-07 14:19:14
redhat
redhat
(RHSA-2017:3399) Important: Red Hat JBoss Enterprise Application Platform 5.2 security update
2017-12-07 17:04:23
(RHSA-2017:3400) Important: Red Hat JBoss Enterprise Application Platform 5.2 security update
2017-12-07 17:04:46
(RHSA-2017:2423) Important: log4j security update
2017-08-07 07:26:13
veracode
veracode
Remote Code Execution (RCE)
2017-04-18 01:36:45
Deserialisation Of Untrusted Object
2021-12-15 13:38:24
Arbitrary Code Execution
2019-12-23 04:57:47
githubexploit
githubexploit
Exploit for Deserialization of Untrusted Data in Apache Log4J
2019-12-25 16:46:11
Exploit for Deserialization of Untrusted Data in Apache Log4J
2021-12-13 19:14:23
Exploit for Deserialization of Untrusted Data in Apache Log4J
2021-12-13 07:48:49
centos
centos
log4j security update
2017-08-31 18:57:53
attackerkb
attackerkb
CVE-2019-17571
2019-12-20 00:00:00
CVE-2021-44228 (Log4Shell)
2022-02-08 00:00:00
ibm
ibm
Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling Transformation Extender (CVE-2021-44228)
2022-08-25 20:51:42
Security Bulletin: Log4j Vulnerability ( CVE-2021-44228 ) in IBM Informix Dynamic Server in Cloud Pak for Data
2022-02-03 18:12:46
Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data (CVE-2021-44228)
2021-12-21 15:35:56
openvas
openvas
Apache Log4j 1.2.x RCE Vulnerability (Linux/Unix, Dec 2021) - Version Check
2021-12-16 00:00:00
Mageia: Security Advisory (MGASA-2023-0141)
2023-04-17 00:00:00
Apache Log4j 1.2.x RCE Vulnerability (Windows, Dec 2021) - Version Check
2021-12-17 00:00:00
ubuntucve
ubuntucve
CVE-2021-44228
2021-12-10 00:00:00
CVE-2021-4104
2021-12-14 00:00:00
CVE-2017-5645
2017-04-17 00:00:00
cve
cve
CVE-2021-4104
2021-12-14 12:15:12
CVE-2019-17571
2019-12-20 17:15:11
CVE-2017-5645
2017-04-17 21:59:00
prion
prion
Deserialization of untrusted data
2021-12-14 12:15:00
Deserialization of untrusted data
2019-12-20 17:15:00
Code injection
2017-04-17 21:59:00
atlassian
atlassian
Update Log4J to 1.2.17-atlassian-15 to fix CVE-2021-4104
2022-03-07 08:14:14
Update Log4J to 1.2.17-atlassian-15 to fix CVE-2021-4104
2022-01-14 13:13:21
Apache Log4j - Arbitrary Code Execution in confserver/confluence (master)
2020-03-02 03:58:39
github
github
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data
2021-12-14 19:49:31
Deserialization of Untrusted Data in Log4j
2020-01-06 18:43:38
Deserialization of Untrusted Data in Log4j
2020-01-06 18:43:49
debiancve
debiancve
CVE-2021-4104
2021-12-14 12:15:12
CVE-2019-17571
2019-12-20 17:15:11
CVE-2017-5645
2017-04-17 21:59:00
cvelist
cvelist
CVE-2021-4104 Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
2021-12-14 00:00:00
CVE-2017-5645
2017-04-17 21:00:00
CVE-2019-17571
2019-12-20 16:01:21
f5
f5
K24554520 : Apache Log4j Remote Code Execution vulnerability CVE-2021-4104
2021-12-15 00:00:00
K61529042 : Log4j vulnerability CVE-2019-17571
2020-04-08 00:00:00
K23173103 : log4j vulnerability CVE-2017-5645
2018-01-31 00:00:00
osv
osv
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data
2021-12-14 19:49:31
apache-log4j1.2 - security update
2020-01-12 00:00:00
CVE-2019-17571
2019-12-20 17:15:11
mageia
mageia
Updated davmail packages fix security vulnerability
2023-04-15 22:03:44
nvd
nvd
CVE-2021-4104
2021-12-14 12:15:12
CVE-2017-5645
2017-04-17 21:59:00
CVE-2019-17571
2019-12-20 17:15:11
cert
cert
Apache Log4j allows insecure JNDI lookups
2021-12-15 00:00:00
trellix
trellix
Log4shell Vulnerability is the Coal in Our Stocking for 2021
2022-01-19 00:00:00
Log4shell Vulnerability is the Coal in Our Stocking for 2021
2022-01-19 00:00:00
symantec
symantec
Symantec Security Advisory for Log4j Vulnerability
2021-12-11 01:06:47
Apache Log4j CVE-2017-5645 Remote Code Execution Vulnerability
2017-04-17 00:00:00
Apache Log4j CVE-2019-17571 Deserialization Remote Code Execution Vulnerability
2019-12-18 00:00:00
threatpost
threatpost
Apache’s Fix for Log4Shell Can Lead to DoS Attacks
2021-12-15 14:04:19
checkpoint_advisories
checkpoint_advisories
Apache Log4j Remote Code Execution (CVE-2019-17571)
2020-03-01 00:00:00
Apache Log4j Remote Code Execution (CVE-2017-5645)
2022-01-02 00:00:00
debian
debian
[SECURITY] [DSA 4686-1] apache-log4j1.2 security update
2020-05-15 22:17:02
[SECURITY] [DSA 4686-1] apache-log4j1.2 security update
2020-05-15 22:17:02
[SECURITY] [DLA 2065-1] apache-log4j1.2 security update
2020-01-12 22:27:19
ubuntu
ubuntu
Apache Log4j vulnerability
2020-09-15 00:00:00
fedora
fedora
[SECURITY] Fedora 26 Update: log4j-2.7-4.fc26
2017-05-02 15:59:49
[SECURITY] Fedora 24 Update: log4j-2.5-3.fc24
2017-05-04 18:26:42
[SECURITY] Fedora 24 Update: log4j12-1.2.17-19.fc24
2017-06-12 19:29:11
oraclelinux
oraclelinux
log4j security update
2017-08-09 00:00:00
seebug
seebug
Apache Log4j socket receiver deserialization vulnerability (CVE-2017-5645)
2017-04-18 00:00:00
cloudlinux
cloudlinux
Fixed CVE-2019-17571 in log4j
2022-06-21 20:23:31
suse
suse
Security update for log4j (important)
2020-01-14 00:00:00
myhack58
myhack58
Apache logging component Log4j deserialization vulnerability affects all 2. x version-bug warning-the black bar safety net
2017-04-19 00:00:00
Apache logging component Log4j deserialization vulnerability affects all 2. x version-bug warning-the black bar safety net
2017-04-18 00:00:00
qualysblog
qualysblog
New Options Profiles for Log4Shell Detection
2021-12-20 17:33:11
thn
thn
New Local Attack Vector Expands the Attack Surface of Log4j Vulnerability
2021-12-18 12:18:00

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

10

Confidence

High

EPSS

0.965

Percentile

99.6%

JSON
Related for ALA_ALAS-2022-1562.NASL
nessus38amazon2redhatcve4redhat14veracode4githubexploit8centos1attackerkb2ibm39openvas23ubuntucve4cve3prion3atlassian3github3debiancve3cvelist3f53osv8mageia1nvd3cert1trellix2symantec3threatpost1checkpoint_advisories2debian3ubuntu1fedora6oraclelinux1seebug1cloudlinux1suse1myhack582qualysblog1thn1