Vulnerability Description
Log4j 1.2 includes a SocketServer class that is vulnerable to deserialization of untrusted data. When the server listens for log data on untrusted network traffic, this flaw can be combined with a deserialization gadget to execute arbitrary code remotely. This affects Log4j 1.2 versions up to and including 1.2.17.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Log4j | <= 1.2.17 |
| Debian | Debian Linux | 8.0 |
| Canonical | Ubuntu Linux | 18.04 |
| openSUSE | Leap | 15.1 |
| NetApp | OnCommand System Manager | >= 3.0, <= 3.1.3 |
| NetApp | OnCommand Workflow Automation | - |
| Oracle | Application Testing Suite | 13.3.0.1 |
| Oracle | Communications Network Integrity | >= 7.3.2, <= 7.3.6 |
| Oracle | Endeca Information Discovery Studio | 3.2.0 |
| Oracle | Financial Services Lending And Leasing | >= 14.1.0, <= 14.8.0 |
| Oracle | MySQL Enterprise Monitor | <= 8.0.29 |
| Oracle | Primavera Gateway | >= 16.2, <= 16.2.11 |
| Oracle | Rapid Planning | 12.1 |
| Oracle | Retail Extract Transform And Load | 19.0 |
| Oracle | Retail Service Backbone | 14.1 |
| Oracle | WebLogic Server | 10.3.6.0.0 |
| Apache | BookKeeper | < 4.14.3 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00022.html (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e
- https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f1563843
- https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444
- https://lists.apache.org/thread.html/564f03b4e9511fcba29c68fc0299372dadbdb002718
- https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac157382
- https://lists.apache.org/thread.html/752ec92cd1e334a639e79bfbd689a4ec2c6579ec5bb
- https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1
- https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16add (Mailing List, Vendor Advisory)
- https://lists.apache.org/thread.html/r05755112a8c164abc1004bb44f198b1e3d8ca3d546
- https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9e
- https://lists.apache.org/thread.html/r13d4b5c60ff63f3c4fab51d6ff266655be503b8a18
- https://lists.apache.org/thread.html/r189aaeaad897f7d6b96f7c43a8ef2dfb9f6e9f8c1c
- https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab
FAQ
What is CVE-2019-17571?
CVE-2019-17571 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Log4j 1.2 includes a SocketServer class that is vulnerable to deserialization of untrusted data. When the server listens for log data on untrusted network traffic, this flaw can be combined with a deserialization gadget to execute arbitrary code remotely. It affects Log4j 1.2 versions up to and including 1.2.17.
How severe is CVE-2019-17571?
CVE-2019-17571 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-17571?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Log4j, Debian Linux, Canonical Ubuntu Linux, openSUSE Leap and NetApp OnCommand System Manager.