CVE-2017-5645
critical-risk
Published 2017-04-17
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Do I need to act?
Exploitation: 94.0% chance of exploitation in next 30 days (EPSS score, higher than 6% of all CVEs)
CISA KEV: not on CISA KEV list; no confirmed active exploitation reported to CISA
Fix available: upgrade to 054635595a6dae38c56a2592d9ecc5987e841afd
CVSS: 9.8/10, Critical (attack vector NETWORK, LOW complexity)
Affected Products (20)
References (164), each classified as Third Party Advisory:
- http://www.securityfocus.com/bid/97702
- http://www.securitytracker.com/id/1040200
- http://www.securitytracker.com/id/1041294
- https://access.redhat.com/errata/RHSA-2017:1417
- https://access.redhat.com/errata/RHSA-2017:1801
- https://access.redhat.com/errata/RHSA-2017:1802
- https://access.redhat.com/errata/RHSA-2017:2423
- https://access.redhat.com/errata/RHSA-2017:2633
- https://access.redhat.com/errata/RHSA-2017:2635
- https://access.redhat.com/errata/RHSA-2017:2636
- https://access.redhat.com/errata/RHSA-2017:2637
- https://access.redhat.com/errata/RHSA-2017:2638
- https://access.redhat.com/errata/RHSA-2017:2808
- https://access.redhat.com/errata/RHSA-2017:2809
- https://access.redhat.com/errata/RHSA-2017:2810
and 144 more references
Overall risk score: 85/100, critical-risk
Severity: 32/34 · Critical
Exploitability: 20/34 · Moderate
Exposure: 33/34 · Critical