Банк данных угроз безопасности информации

Федеральная служба по техническому и экспортному контролю

ФСТЭК России

Государственный научно-исследовательский испытательный институт проблем технической защиты информации

ФАУ «ГНИИИ ПТЗИ ФСТЭК России»

BDU:2020-03624: Уязвимость реализации класса SmtpAppender библиотеки журналирования Java-программ Log4j, позволяющая нарушителю реализовать атаку типа «человек посередине»

Описание уязвимости	Уязвимость реализации класса SmtpAppender библиотеки журналирования Java-программ Log4j связана с неправильным подтверждением подлинности сертификата. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, реализовать атаку типа «человек посередине»
Вендор	Red Hat Inc., Oracle Corp., Apache Software Foundation
Наименование ПО	Red Hat Enterprise Linux, WebLogic Server, Enterprise Repository, Fusion Middleware MapViewer, Primavera Unifier, PeopleSoft Enterprise PeopleTools, Oracle Retail Order Broker, Instantis EnterpriseTrack, Jboss Fuse, Utilities Framework, Application Testing Suite, OpenShift Application Runtimes, Oracle Policy Automation Connector for Siebel, JBoss Data Grid, Red Hat Single Sign-On, Red Hat Process Automation Manager, Oracle Communications Unified Inventory Management, Red Hat Descision Manager, Oracle Retail Assortment Planning, JBoss A-MQ Streaming, Oracle Communications Interactive Session Recorder, Oracle Endeca Information Discovery Studio, Oracle Retail Predictive Application Server, Retail Integration Bus, Primavera Gateway, Oracle Retail Financial Integration, Financial Services Price Creation and Discovery, Oracle Retail Service Backbone, Rapid Planning, Enterprise Manager Ops Center, Communications MetaSolv Solution, Oracle Communications Order and Service Management, Financial Services Analytical Applications Infrastructure, Oracle FLEXCUBE Investor Servicing, Oracle FLEXCUBE Private Banking, Oracle Banking Enterprise Collections, Category Management Planning & Optimization, Oracle Retail Bulk Data Integration, Oracle Retail Data Extractor for Merchandising, Oracle Retail Item Planning, Oracle Retail Macro Space Optimization, Oracle Retail Merchandise Financial Planning, Oracle Retail Regular Price Optimization, Oracle Retail Replenishment Optimization, Oracle Retail Size Profile Optimization, Retail Store Inventory Management, Communications Instant Messaging Server, Communications Network Charging and Control, Communications Billing and Revenue Management, Siebel Engineering - Installer & Deployment, Log4j, A-MQ Clients, JD Edwards EnterpriseOne Tools, Oracle Communications Network Integrity, Oracle Financial Services Lending and Leasing, Banking Platform, Oracle Insurance Data Gateway, Oracle Retail Extract Transform and Load, Data Grid, Oracle Communications Services Gatekeeper, Financial Services Retail Customer Analytics, Insurance Policy Administration J2EE, Insurance Insbridge Rating and Underwriting, FLEXCUBE Core Banking, Communications Application Session Controller, Oracle Policy Automation, Oracle Policy Automation for Mobile Devices, Oracle Insurance Rules Palette, Retail Advanced Inventory Planning
Версия ПО	7 (Red Hat Enterprise Linux) 10.3.6.0.0 (WebLogic Server) 12.1.3.0.0 (WebLogic Server) 11.1.1.7.0 (Enterprise Repository) 12.2.1.3.0 (Fusion Middleware MapViewer) 16.2 (Primavera Unifier) 16.1 (Primavera Unifier) 8.56 (PeopleSoft Enterprise PeopleTools) 8.57 (PeopleSoft Enterprise PeopleTools) 12.2.1.3.0 (WebLogic Server) 16.0 (Oracle Retail Order Broker) 17.1 (Instantis EnterpriseTrack) 17.2 (Instantis EnterpriseTrack) 17.3 (Instantis EnterpriseTrack) 8 (Red Hat Enterprise Linux) 7 (Jboss Fuse) 4.4.0.0.0 (Utilities Framework) 4.2.0.3.0 (Utilities Framework) 4.2.0.2.0 (Utilities Framework) 13.3.0.1 (Application Testing Suite) 18.8 (Primavera Unifier) 1.0 (OpenShift Application Runtimes) 10.4.6 (Oracle Policy Automation Connector for Siebel) 7 (JBoss Data Grid) 7 (Red Hat Single Sign-On) 7 (Red Hat Process Automation Manager) 12.2.1.4.0 (WebLogic Server) 7.3 (Oracle Communications Unified Inventory Management) 7.4 (Oracle Communications Unified Inventory Management) 7 (Red Hat Descision Manager) 16.0.3 (Oracle Retail Assortment Planning) - (JBoss A-MQ Streaming) 19.12 (Primavera Unifier) от 17.7 до 17.12 включительно (Primavera Unifier) 6.1 (Oracle Communications Interactive Session Recorder) 6.2 (Oracle Communications Interactive Session Recorder) 6.3 (Oracle Communications Interactive Session Recorder) 3.2.0 (Oracle Endeca Information Discovery Studio) 15.0.3 (Oracle Retail Predictive Application Server) 16.0.3 (Oracle Retail Predictive Application Server) 18.0 (Oracle Retail Order Broker) 15.0 (Retail Integration Bus) 16.0 (Retail Integration Bus) 8.58 (PeopleSoft Enterprise PeopleTools) 15.0.3 (Oracle Retail Assortment Planning) от 16.2.0 до 16.2.11 включительно (Primavera Gateway) 15.0 (Oracle Retail Financial Integration) 16.0 (Oracle Retail Financial Integration) 8.0.7 (Financial Services Price Creation and Discovery) 14.1.0 (Retail Integration Bus) 14.0.3 (Oracle Retail Predictive Application Server) 14.1.3 (Oracle Retail Predictive Application Server) 15.0 (Oracle Retail Service Backbone) 16.0 (Oracle Retail Service Backbone) 12.1 (Rapid Planning) 12.2 (Rapid Planning) 14.1.1.0.0 (WebLogic Server) 12.4.0.0 (Enterprise Manager Ops Center) 6.3.0 (Communications MetaSolv Solution) 7.3 (Oracle Communications Order and Service Management) 7.4 (Oracle Communications Order and Service Management) от 8.0.6 до 8.1.0 включительно (Financial Services Analytical Applications Infrastructure) 12.1.0 (Oracle FLEXCUBE Investor Servicing) 12.3.0 (Oracle FLEXCUBE Investor Servicing) 12.4.0 (Oracle FLEXCUBE Investor Servicing) 14.0.0 (Oracle FLEXCUBE Investor Servicing) 14.1.0 (Oracle FLEXCUBE Investor Servicing) 12.0.0 (Oracle FLEXCUBE Private Banking) 12.1.0 (Oracle FLEXCUBE Private Banking) от 2.7.0 до 2.9.0 включительно (Oracle Banking Enterprise Collections) 15.0.3 (Category Management Planning & Optimization) 15.0 (Oracle Retail Bulk Data Integration) 16.0 (Oracle Retail Bulk Data Integration) 1.9 (Oracle Retail Data Extractor for Merchandising) 1.10 (Oracle Retail Data Extractor for Merchandising) 15.0.3 (Oracle Retail Item Planning) 15.0.3 (Oracle Retail Macro Space Optimization) 15.0.3 (Oracle Retail Merchandise Financial Planning) 15.0.3 (Oracle Retail Regular Price Optimization) 16.0.3 (Oracle Retail Regular Price Optimization) 15.0.3 (Oracle Retail Replenishment Optimization) 15.0.3 (Oracle Retail Size Profile Optimization) 14.0.4 (Retail Store Inventory Management) 14.1.3 (Retail Store Inventory Management) 15.0.3 (Retail Store Inventory Management) 16.0.3 (Retail Store Inventory Management) 10.0.1.4.0 (Communications Instant Messaging Server) от 17.12.0 до 17.12.7 включительно (Primavera Gateway) от 18.8.0 до 18.8.9 включительно (Primavera Gateway) от 19.12.0 до 19.12.4 включительно (Primavera Gateway) 6.0.1 (Communications Network Charging and Control) от 12.0.0 до 12.0.3 включительно (Communications Network Charging and Control) 7.5.0.23.0 (Communications Billing and Revenue Management) 12.0.0.3.0 (Communications Billing and Revenue Management) до 2.20.5 включительно (Siebel Engineering - Installer & Deployment) до 2.13.2 (Log4j) 6.4 (Oracle Communications Interactive Session Recorder) 2 (A-MQ Clients) до 9.2.3.3 (JD Edwards EnterpriseOne Tools) от 7.3.2 до 7.3.6включительно (Oracle Communications Network Integrity) 12.5.0 (Oracle Financial Services Lending and Leasing) от 14.1.0 до 14.8.0 включительно (Oracle Financial Services Lending and Leasing) 12.2.1.4.0 (Fusion Middleware MapViewer) 2.4.0-2.10.0 (Banking Platform) 1.0 (Oracle Insurance Data Gateway) 18.0 (Oracle Retail Data Extractor for Merchandising) 19.0 (Oracle Retail Extract Transform and Load) 14.1 (Oracle Retail Service Backbone) 8 (Data Grid) 7.0 (Oracle Communications Services Gatekeeper) 2.2.0.0.0 (Utilities Framework) от 4.3.0.1.0 до 4.3.0.6.0 включительно (Utilities Framework) 8.0.6 (Financial Services Price Creation and Discovery) 8.0.6 (Financial Services Retail Customer Analytics) 11.0.2.25 (Insurance Policy Administration J2EE) 11.1.0.15 (Insurance Policy Administration J2EE) от 5.0.0.0 до 5.6.0.0 включительно (Insurance Insbridge Rating and Underwriting) 5.6.1.0 (Insurance Insbridge Rating and Underwriting) 5.2.0 (FLEXCUBE Core Banking) от 11.5.0 до 11.7.0 включительно (FLEXCUBE Core Banking) 3.9m0p1 (Communications Application Session Controller) 4.4.0.2.0 (Utilities Framework) от 12.2.0 до 12.2.20 включительно (Oracle Policy Automation) от 12.2.0 до 12.2.20 включительно (Oracle Policy Automation for Mobile Devices) 10.2.0.37 (Insurance Policy Administration J2EE) 10.2.4.12 (Insurance Policy Administration J2EE) 11.2.0.26 (Insurance Policy Administration J2EE) 10.2.0.37 (Oracle Insurance Rules Palette) 10.2.4.12 (Oracle Insurance Rules Palette) 11.0.2.25 (Oracle Insurance Rules Palette) 11.1.0.15 (Oracle Insurance Rules Palette) 11.2.0.26 (Oracle Insurance Rules Palette) 14.1 (Retail Advanced Inventory Planning) 15.0.3.0 (Oracle Retail Bulk Data Integration) 16.0.3.0 (Oracle Retail Bulk Data Integration) от 19.0 до 19.3 включительно (Oracle Retail Order Broker)
Тип ПО	Операционная система, Сетевое программное средство, Прикладное ПО информационных систем, ПО программно-аппаратного средства
Операционные системы и аппаратные платформы	Red Hat Inc. Red Hat Enterprise Linux 7 Red Hat Inc. Red Hat Enterprise Linux 8
Тип ошибки	Неправильное подтверждение подлинности сертификата, Отсутствие проверки хостовых данных сертификата
Идентификатор типа ошибки	CWE-295 CWE-297
Класс уязвимости	Уязвимость архитектуры
Дата выявления	13.04.2020
Базовый вектор уязвимости	AV:N/AC:M/Au:N/C:P/I:N/A:N
Уровень опасности уязвимости	Средний уровень опасности (базовая оценка CVSS 2.0 составляет 4,3) Низкий уровень опасности (базовая оценка CVSS 3.0 составляет 3,7)
Возможные меры по устранению уязвимости	Использование рекомендаций: Для Log4j: https://issues.apache.org/jira/browse/LOG4J2-2819 Для программных продуктов Oracle Corp.: https://www.oracle.com/security-alerts/cpujul2020.html Для программных продуктов Red Hat Inc.: https://access.redhat.com/security/cve/cve-2020-9488
Статус уязвимости	Подтверждена производителем
Наличие эксплойта	Данные уточняются
Способ эксплуатации	Нарушение авторизации
Способ устранения	Обновление программного обеспечения
Информация об устранении	Уязвимость устранена
Ссылки на источники	https://issues.apache.org/jira/browse/LOG4J2-2819 https://lists.apache.org/thread.html/r0a2699f724156a558afd1abb6c044fb9132caa66dce861b82699722a@%3Cjira.kafka.apache.org%3E https://lists.apache.org/thread.html/r0df3d7a5acb98c57e64ab9266aa21eeee1d9b399addb96f9cf1cbe05@%3Cdev.zookeeper.apache.org%3E https://lists.apache.org/thread.html/r2f209d271349bafd91537a558a279c08ebcff8fa3e547357d58833e6@%3Cdev.zookeeper.apache.org%3E https://lists.apache.org/thread.html/r393943de452406f0f6f4b3def9f8d3c071f96323c1f6ed1a098f7fe4@%3Ctorque-dev.db.apache.org%3E https://lists.apache.org/thread.html/r4285398e5585a0456d3d9db021a4fce6e6fcf3ec027dfa13a450ec98@%3Cissues.zookeeper.apache.org%3E https://lists.apache.org/thread.html/r48bcd06049c1779ef709564544c3d8a32ae6ee5c3b7281a606ac4463@%3Cjira.kafka.apache.org%3E https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809@%3Ccommits.zookeeper.apache.org%3E https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695@%3Cnotifications.zookeeper.apache.org%3E https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220@%3Cdev.kafka.apache.org%3E https://lists.apache.org/thread.html/r7e739f2961753af95e2a3a637828fb88bfca68e5d6b0221d483a9ee5@%3Cnotifications.zookeeper.apache.org%3E https://lists.apache.org/thread.html/r8c001b9a95c0bbec06f4457721edd94935a55932e64b82cc5582b846@%3Cissues.zookeeper.apache.org%3E https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1@%3Cjira.kafka.apache.org%3E https://lists.apache.org/thread.html/r9a79175c393d14d760a0ae3731b4a873230a16ef321aa9ca48a810cd@%3Cissues.zookeeper.apache.org%3E https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3@%3Ccommits.zookeeper.apache.org%3E https://lists.apache.org/thread.html/rc6b81c013618d1de1b5d6b8c1088aaf87b4bacc10c2371f15a566701@%3Cnotifications.zookeeper.apache.org%3E https://lists.apache.org/thread.html/rd55f65c6822ff235eda435d31488cfbb9aa7055cdf47481ebee777cc@%3Cissues.zookeeper.apache.org%3E https://lists.apache.org/thread.html/rd8e87c4d69df335d0ba7d815b63be8bd8a6352f429765c52eb07ddac@%3Cissues.zookeeper.apache.org%3E https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f@%3Ccommits.zookeeper.apache.org%3E https://lists.apache.org/thread.html/rf1c2a81a08034c688b8f15cf58a4cfab322d00002ca46d20133bee20@%3Cdev.kafka.apache.org%3E https://security.netapp.com/advisory/ntap-20200504-0003/ https://www.oracle.com/security-alerts/cpujul2020.html
Идентификаторы других систем описаний уязвимостей	CVE: CVE-2020-9488
Прочая информация	Данные уточняются

Последние изменения