OSVDB ID: 23905

Title: Apache Log4net LocalSyslogAppender Format String Memory Corruption DoS

Info

Dates

Disclosure: Mar 07, 2006
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

Apache Log4net contains a flaw that may allow a remote denial of service. The issue is triggered by an unspecified format string error in LocalSyslogAppender, which may corrupt system memory, resulting in loss of availability for the service.

Classification

Location: Remote / Network Access, Local / Remote, Context Dependent
Attack Type: Denial of Service, Input Manipulation
Impact: Loss of Integrity, Loss of Availability
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to version 1.2.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Apache Software Foundation

log4net

1.2.9
1.2.10

References

Credit

  • Sebastian Krahmer - krahmersuse.de - SuSE


Direct URL: http://osvdb.org/23905