
Garrett Tucker

Rank #21563 of 53,632
Total CVSS: 11.1
Vulnerabilities: 2 (High: 1, Low: 1)
PT-2023-6477 · CVSS 7.8 · 2023-03-10 · Oracle · Jre · CVE-2023-26464
**Name of the Vulnerable Software and Affected Versions** Apache Log4j 1.x (all releases before 2.0) when the Chainsaw or SocketAppender components are used on a JRE older than 1.7. **Description** The Chainsaw and SocketAppender components of Log4j 1.x pass logging events between JVMs as serialized Java objects, and the receiving side deserializes whatever it is sent. An attacker who can cause a logging entry containing a specially crafted (deeply nested) hashmap or hashtable to be processed by one of these components can exhaust the available memory of the receiving virtual machine when the object is deserialized, resulting in a denial of service. Log4j 1.x is end of life and the issue was assigned to an unsupported product, so no fix for the 1.x line will be released. **Recommendations** Migrate to Log4j 2.x. Until the migration is complete, disable the Chainsaw and SocketAppender components or restrict network access to them so that only trusted hosts can deliver log events, and treat any object that ends up in a logged event as attacker-controlled data rather than relying on callers to avoid deeply nested hashmaps or hashtables.
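The following is an added illustration and not code from Log4j or from this advisory: a minimal SocketAppender-style receiver that deserializes a log payload from a byte buffer, first with a bare ObjectInputStream (the shape of the vulnerable pattern) and then with a JDK serialization filter that bounds graph depth and allow-lists the classes a log receiver should accept. The payload is a constructed HashMap nested to a chosen depth, standing in for the crafted object the description refers to. The filter requires JDK 9 or later, so it does not help a JRE older than 1.7 at all; on a current JRE it is the generic defence for any service that still deserializes log events from the network.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Log4j code). Demonstrates the unfiltered deserialization
 * pattern used by socket-based log receivers and the ObjectInputFilter
 * hardening available on JDK 9+.
 */
public class LogReceiverFilterDemo {

    /** Constructed payload: a HashMap nested 'depth' levels deep. */
    static byte[] nestedMapPayload(int depth) throws IOException {
        Map<String, Object> root = new HashMap<>();
        Map<String, Object> cur = root;
        for (int i = 0; i < depth; i++) {
            Map<String, Object> next = new HashMap<>();
            cur.put("k", next);
            cur = next;
        }
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(root);
        }
        return bos.toByteArray();
    }

    /** Before: reconstructs whatever object graph the sender put on the wire. */
    static Object readUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return ois.readObject();
        }
    }

    /**
     * After: a serialization filter rejects the stream as soon as nesting depth,
     * array size or reference count exceeds the bound, before the receiver
     * allocates the rest of the graph. The pattern list allows only the classes
     * a log event legitimately needs and "!*" rejects everything else.
     */
    static Object readFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=16;maxarray=10000;maxrefs=100000;"
              + "java.util.HashMap;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] shallow = nestedMapPayload(5);    // well within maxdepth=16
        byte[] deep = nestedMapPayload(200);     // exceeds maxdepth=16

        System.out.println("unfiltered shallow: "
                + readUnfiltered(shallow).getClass().getSimpleName());
        System.out.println("filtered shallow:   "
                + readFiltered(shallow).getClass().getSimpleName());
        try {
            readFiltered(deep);
            System.out.println("filtered deep: accepted (unexpected)");
        } catch (InvalidClassException e) {
            // ObjectInputStream throws InvalidClassException when the filter returns REJECTED.
            System.out.println("filtered deep: rejected - " + e.getMessage());
        }
    }
}
```

The same bounds can be applied process-wide without touching code by setting the `jdk.serialFilter` system property to the pattern string above, which is the practical option for a Chainsaw or SocketNode instance that cannot be modified but must keep running until the Log4j 2.x migration lands. The depth and reference limits are the part that matters for this issue; the class allow-list additionally blocks the gadget-chain payloads that unauthenticated log receivers are routinely probed with.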
PT-2021-21108 · CVSS 3.3 · 2021-07-01 · Selinux · Selinux · CVE-2021-36087
**Name of the Vulnerable Software and Affected Versions** The CIL compiler in SELinux userspace (libsepol) version 3.2. **Description** A heap-based buffer over-read in the `ebitmap_match_any` function, which is reached indirectly from `cil_check_neverallow` during policy compilation. The root cause is that statements which are not valid inside an `optional` block are in some cases not rejected, so later neverallow checking operates on an inconsistent structure and reads past the end of a heap buffer. The bug is only reached while compiling CIL policy, so it affects systems that compile policy from untrusted or fuzzed sources rather than systems merely enforcing an installed policy. **Recommendations** No fixed release was listed for SELinux 3.2 at the time this entry was published. Restrict policy compilation to trusted policy sources and check your distribution's advisories for a patched libsepol package.