CVE-2017-5929
Deserialization vulnerability in logback-classic (Maven)


What is CVE-2017-5929 About?

This vulnerability is an Insecure Deserialization issue affecting QOS.ch Logback's SocketServer and ServerSocketReceiver components. It allows for arbitrary code execution by deserializing malicious Java objects sent over a socket. Exploitation is achieved by sending crafted serialized objects to the vulnerable components.

Affected Software

  • ch.qos.logback:logback-classic
    • <1.2.0
  • ch.qos.logback:logback-core
    • <1.2.0

Technical Details

The vulnerability lies in the RemoteStreamAppenderClient class of logback-classic and the SocketNode classes in logback-classic and logback-access. These components listen on a Java Socket and use an ObjectInputStream to deserialize incoming data without prior validation. An attacker can establish a connection to this socket and send specially crafted, serialized Java objects. When these malicious objects are deserialized by the application, they can trigger unexpected behavior, including the execution of arbitrary code, as the application's deserialization process does not sufficiently constrain the types of objects that can be instantiated.

What is the Impact of CVE-2017-5929?

Successful exploitation may allow attackers to execute arbitrary code, gain control over the affected system, compromise data, and disrupt service availability.

What is the Exploitability of CVE-2017-5929?

Exploitation requires direct network access to the vulnerable SocketServer or ServerSocketReceiver component. The complexity is high, as it requires knowledge of Java deserialization gadgets and the ability to craft malicious serialized objects. No authentication is typically required, as the serialization stream is directly exposed over a network socket. This is a remote exploitation scenario, given open network access to the vulnerable port. The primary risk factor is the exposure of a deserialization endpoint over a network without proper input validation or whitelisting of allowed classes.

What are the Known Public Exploits?

No known public exploits (proof-of-concept, author, link, commentary) are listed for this CVE.

What are the Available Fixes for CVE-2017-5929?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch introduces a whitelist of classes permitted during deserialization by the logging server, so that arbitrary objects can no longer be deserialized. By restricting incoming data to known-safe classes, the fix removes the unsafe deserialization that made remote code execution possible and thereby mitigates CVE-2017-5929.
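One way to implement such a whitelist with plain JDK APIs, as an added example that is not logback's own fix (the class name WhitelistObjectInputStream and the sample whitelist are assumptions): override ObjectInputStream.resolveClass() so that any class descriptor not on the list is rejected before the class is loaded.

```java
import java.io.*;
import java.util.*;

/** ObjectInputStream that refuses to resolve any class outside an explicit whitelist. */
public class WhitelistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public WhitelistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Reject before Class.forName() runs, so a gadget class is never even loaded.
        // Note: resolveClass is also called for every superclass descriptor in the
        // stream, so superclasses of whitelisted types must be listed as well.
        if (!allowed.contains(name)) {
            throw new InvalidClassException(name, "class not permitted for deserialization");
        }
        return super.resolveClass(desc);
    }

    public static void main(String[] args) throws Exception {
        // Assumed whitelist: a real logging server would list its event classes and
        // their field types here. Long needs Number because it is Long's superclass.
        Set<String> allowed = new HashSet<>(Arrays.asList("java.lang.Long", "java.lang.Number"));
        byte[] okBytes = serialize(Long.valueOf(42));                      // constructed sample
        byte[] badBytes = serialize(new HashMap<String, String>());        // not on the list

        try (ObjectInputStream in = new WhitelistObjectInputStream(new ByteArrayInputStream(okBytes), allowed)) {
            System.out.println("accepted: " + in.readObject());
        }
        try (ObjectInputStream in = new WhitelistObjectInputStream(new ByteArrayInputStream(badBytes), allowed)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
}
```

On Java 9 and later the same policy can be expressed with ObjectInputFilter, but the resolveClass override works on the Java 6+ runtimes that pre-1.2.0 logback targeted.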

Available Upgrade Options

  • ch.qos.logback:logback-core
    • <1.2.0 → Upgrade to 1.2.0
  • ch.qos.logback:logback-classic
    • <1.2.0 → Upgrade to 1.2.0


Additional Resources

What are Similar Vulnerabilities to CVE-2017-5929?

Similar Vulnerabilities: CVE-2017-3241, CVE-2017-3507, CVE-2018-12023, CVE-2019-12384, CVE-2020-2564