Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
|
Configuration 7 (hide)
|
History
07 Nov 2023, 03:06
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2019-12-20 17:15
Updated : 2024-02-28 17:28
NVD link : CVE-2019-17571
Mitre link : CVE-2019-17571
CVE.ORG link : CVE-2019-17571
JSON object : View
Products Affected
oracle
- application_testing_suite
- retail_extract_transform_and_load
- primavera_gateway
- retail_service_backbone
- endeca_information_discovery_studio
- communications_network_integrity
- financial_services_lending_and_leasing
- rapid_planning
- mysql_enterprise_monitor
- weblogic_server
netapp
- oncommand_system_manager
- oncommand_workflow_automation
opensuse
- leap
apache
- bookkeeper
- log4j
canonical
- ubuntu_linux
debian
- debian_linux
CWE
CWE-502
Deserialization of Untrusted Data