[ 
https://issues.apache.org/jira/browse/CASSANDRA-15421?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Benjamin Lerer updated CASSANDRA-15421:
---------------------------------------
    Resolution: Duplicate
        Status: Resolved  (was: Triage Needed)

> CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization 
> vulnerability affecting the SocketServer and ServerSocketReceiver components.)
> -------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-15421
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15421
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Abhishek Singh
>            Priority: Urgent
>             Fix For: 2.2.x, 3.0.x, 3.11.x
>
>
> *Description :*
>  *Severity :* CVE CVSS 2.0: 7.5; Sonatype CVSS 3: 9.8
>  
>  *Weakness :* CVE CWE: 502
>  
>  *Source :* National Vulnerability Database
>  
>  *Categories :* Data 
>  *Description from CVE :* QOS.ch Logback before 1.2.0 has a serialization 
> vulnerability affecting the SocketServer and ServerSocketReceiver components.
>  
>  *Explanation :* The RemoteStreamAppenderClient class in logback-classic and 
> the SocketNode classes in logback-classic and logback-access allow data to be 
> deserialized over a Java Socket, via an ObjectInputStream, without validating 
> the data beforehand. When data is received from the Socket, to be logged, it 
> is deserialized into Java objects. An attacker can exploit this vulnerability 
> by sending malicious, serialized Java objects over the connection to the 
> Socket, which may result in execution of arbitrary code when those objects 
> are deserialized. Note that although logback-core is implicated by the Logback 
> project here, the Sonatype Security Research team discovered that the 
> vulnerability is actually present in the logback-classic and logback-access 
> components, versions prior to 1.2.0, as stated in the advisory. 
>  *Detection :* The application is vulnerable by using this component. 
>  *Recommendation :* We recommend upgrading to a version of this component 
> that is not vulnerable to this specific issue. 
>  *Root Cause :* 
> apache-cassandra-3.11.4-bin.tar.gz : ch/qos/logback/classic/net/SocketNode.class 
> : [1.0.12,1.2.0]
>  
>  *Advisories :* Project: https://logback.qos.ch/news.html
>  
>  *CVSS Details :* CVE CVSS 2.0: 7.5; CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
> *Occurrences (Paths) :* ["apache-cassandra.zip" ; "apache-cassandra.zip"]
> *CVE :* CVE-2017-5929
> *URL :* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
> *Remediation :* This component does not have any non-vulnerable Version. 
> Please contact the vendor to get this vulnerability fixed.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
