CVE-2017-5645

Description

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

References

https://issues.apache.org/jira/browse/LOG4J2-1863

Issue TrackingVendor Advisory

Third Party AdvisoryVDB Entry

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party Advisory

Third Party AdvisoryVDB Entry

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Patch

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Patch

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Patch

https://security.netapp.com/advisory/ntap-20180726-0002/

Third Party Advisory

Third Party AdvisoryVDB Entry

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

PatchThird Party Advisory

https://security.netapp.com/advisory/ntap-20181107-0002/

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

PatchThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

PatchThird Party Advisory

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

PatchThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

PatchThird Party Advisory

[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities

Mailing ListThird Party Advisory

[logging-dev] 20191215 Re: Is there any chance that there will be a security fix for log4j-v1.2.17?

Mailing ListThird Party Advisory

[logging-dev] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer

Mailing ListThird Party Advisory

[announce] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer

Mailing ListThird Party Advisory

[oss-security] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer

Mailing ListThird Party Advisory

[logging-dev] 20191219 Re: [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer

Mailing ListThird Party Advisory

[activemq-issues] 20191226 [jira] [Created] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571

Mailing ListThird Party Advisory

[tika-dev] 20191226 [jira] [Created] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571

Mailing ListThird Party Advisory

[tika-dev] 20191226 [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571

Mailing ListThird Party Advisory

[tika-dev] 20191230 [jira] [Created] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]

Mailing ListThird Party Advisory

[activemq-issues] 20191230 [jira] [Created] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]

Mailing ListThird Party Advisory

[tika-dev] 20200106 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]

Mailing ListThird Party Advisory

[tika-dev] 20200107 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]

Mailing ListThird Party Advisory

[tika-dev] 20200108 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]

Mailing ListThird Party Advisory

[tika-dev] 20200110 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]

Mailing ListThird Party Advisory

[tika-dev] 20200111 Re: [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571

Mailing ListThird Party Advisory

[tika-dev] 20200111 [jira] [Resolved] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571

Mailing ListThird Party Advisory

[tika-dev] 20200111 [jira] [Closed] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571

Mailing ListThird Party Advisory

[tika-dev] 20200114 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]

Mailing ListThird Party Advisory

[tika-dev] 20200115 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]

Mailing ListThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2020.html

Third Party Advisory

[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]

Mailing ListThird Party Advisory

[activemq-issues] 20200122 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571

Mailing ListThird Party Advisory

[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571

Mailing ListThird Party Advisory

[activemq-issues] 20200122 [jira] [Updated] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]

Mailing ListThird Party Advisory

[activemq-issues] 20200122 [jira] [Resolved] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]

Mailing ListThird Party Advisory

[activemq-issues] 20200127 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571

Mailing ListThird Party Advisory

[activemq-issues] 20200208 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571

Mailing ListThird Party Advisory

[activemq-issues] 20200228 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571

Mailing ListThird Party Advisory

[activemq-issues] 20200228 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571

Mailing ListThird Party Advisory

[activemq-issues] 20200228 [jira] [Resolved] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571

Mailing ListThird Party Advisory

Third Party Advisory

[logging-commits] 20200425 svn commit: r1059809 - /websites/production/logging/content/log4j/2.13.2/security.html

Mailing ListThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.html

Third Party Advisory

[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Mailing ListThird Party Advisory

[activemq-issues] 20200730 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571

Mailing ListThird Party Advisory

[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12

Mailing ListThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Third Party Advisory

[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5594: [FE][Bug]Update log4j-web to fix a security issue

Mailing ListThird Party Advisory

[beam-issues] 20210528 [jira] [Created] (BEAM-12422) Vendored gRPC 1.36.0 is using a log4j version with security issues

Mailing ListThird Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

Third Party Advisory

[beam-github] 20210701 [GitHub] [beam] lukecwik commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645

Mailing ListThird Party Advisory

[beam-github] 20210701 [GitHub] [beam] lukecwik opened a new pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645

Mailing ListThird Party Advisory

[beam-github] 20210701 [GitHub] [beam] codecov[bot] commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645

Mailing ListThird Party Advisory

[beam-github] 20210701 [GitHub] [beam] codecov[bot] edited a comment on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645

Mailing ListThird Party Advisory

[beam-github] 20210701 [GitHub] [beam] suztomo commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645

Mailing ListThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Third Party Advisory

CvssV3 impact

BaseSeverity	CRITICAL
ConfidentialityImpact	HIGH
AttackComplexity	LOW
Scope	UNCHANGED
AttackVector	NETWORK
AvailabilityImpact	HIGH
IntegrityImpact	HIGH
PrivilegesRequired	NONE
BaseScore	9.8
VectorString	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version	3.1
UserInteraction	NONE

CvssV2 impact

Version	2.0
VectorString	AV:N/AC:L/Au:N/C:P/I:P/A:P
AccessVector	NETWORK
AccessComplexity	LOW
Authentication	NONE
ConfidentialityImpact	PARTIAL
IntegrityImpact	PARTIAL
AvailabilityImpact	PARTIAL
BaseScore	7.5

Created by Yello

About Severity.io