CVE-2019-17571
Advisory source: GitHub

Summary
Log4j 1.2 includes a SocketServer class that deserializes untrusted data. When that server listens for log data on untrusted network traffic and a suitable deserialization gadget is available on the classpath, this can be exploited to execute arbitrary code remotely. This affects Log4j versions 1.2 up to 1.2.17.
Users are advised to migrate to org.apache.logging.log4j:log4j-core.
Common Weakness Enumeration (CWE)
Deserialization of Untrusted Data
Deserialization of Untrusted Data
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Deserialization of Untrusted Data
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
Deserialization of Untrusted Data
CVSS scores by source (the 3.9 value on the page is the CVSS v3 exploitability subscore that accompanies the 9.8 base score):

Source      Exploitability subscore   CVSS score   Severity
NIST        3.9                       9.8          critical
GitHub      3.9                       9.8          critical
Debian      -                         -            -
Ubuntu      3.9                       9.8          medium
Amazon      -                         N/A          high
Amazon      -                         N/A          medium
Red Hat     3.9                       9.8          high
intheWild   -                         -            -