CVE-2019-17571

critical-risk

Published 2019-12-20

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Do I need to act?

37.0% chance of exploitation in next 30 days

EPSS score — higher than 63% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: 32f9cd7d5ce73cc0f29c7e66ce5adc0e6640d222

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Log4J

Debian Linux

Ubuntu Linux

Leap

Oncommand System Manager

Oncommand Workflow Automation

Application Testing Suite

Communications Network Integrity

Endeca Information Discovery Studio

Financial Services Lending And Leasing

Mysql Enterprise Monitor

Primavera Gateway

Rapid Planning

Retail Extract Transform And Load

Retail Service Backbone

Affected Vendors

Debian Apache Oracle Canonical Netapp Opensuse

References (226)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00022.html

https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e...

https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f1563843...

https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444...

https://lists.apache.org/thread.html/564f03b4e9511fcba29c68fc0299372dadbdb002718...

https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac157382...

https://lists.apache.org/thread.html/752ec92cd1e334a639e79bfbd689a4ec2c6579ec5bb...

https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1...

Mailing List https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16add...

https://lists.apache.org/thread.html/r05755112a8c164abc1004bb44f198b1e3d8ca3d546...

https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9e...

https://lists.apache.org/thread.html/r13d4b5c60ff63f3c4fab51d6ff266655be503b8a18...

https://lists.apache.org/thread.html/r189aaeaad897f7d6b96f7c43a8ef2dfb9f6e9f8c1c...

https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf...

https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab...

https://lists.apache.org/thread.html/r1b7734dfdfd938640f2f5fb6f4231a267145c71ed6...

https://lists.apache.org/thread.html/r26244f9f7d9a8a27a092eb0b2a0ca9395e88fcde8b...

https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdb...

https://lists.apache.org/thread.html/r2756fd570b6709d55a61831ca028405bcb3e312175...

https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04...

and 206 more references

/ 100

critical-risk

Severity 32/34 · Critical

Exploitability 16/34 · Moderate

Exposure 22/34 · High