Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-5645

CWE-502 — Deserialization of Untrusted Data19 documents12 sources

Severity

9.8CRITICAL

EPSS

94.0%

top 0.10%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Log4j Oracle Communications Messaging Server Oracle Communications Webrtc Session Controller +71 more

Timeline

PublishedApr 17

Latest updateDec 10

Description

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages69 packages

▶NVDoracle/retail_predictive_application_server15.0.3

▶NVDapache/log4j2.0 — 2.8.2

▶Mavenorg.apache.logging.log4j:log4j2.0 — 2.8.2

▶Mavenorg.apache.logging.log4j:log4j-core2.0 — 2.8.2

▶NVDoracle/communications_messaging_server< 8.0.2

Also affects: Enterprise Linux 6.0, 6.7, 7.0, 7.3, 7.4, 7.5, 7.6

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Deserialization of Untrusted Data in Log4j↗2020-01-06

▶

OSV

Deserialization of Untrusted Data in Log4j↗2020-01-06

▶

CVEList

CVE-2017-5645: In Apache Log4j 2↗2017-04-17

▶

OSV

CVE-2017-5645: In Apache Log4j 2↗2017-04-17

▶

💥Exploits & PoCs

Nuclei

Apache Log4j Server - Deserialization Command Execution

▶

📋Vendor Advisories

Oracle

Oracle Oracle TimesTen In-Memory Database Risk Matrix: Install (Apache Log4j) — CVE-2017-5645↗2020-10-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Cartridge Management (Log4j) — CVE-2017-5645↗2020-07-15

▶

Oracle

Oracle Oracle Construction and Engineering Risk Matrix: Logging (Log4j) — CVE-2017-5645↗2020-04-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Core (Log4j) — CVE-2017-5645↗2020-01-15

▶

Red Hat

log4j: deserialization of untrusted data in SocketServer↗2019-12-20

▶

🕵️Threat Intelligence

Unit42

Another Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228) (Updated)↗2021-12-10

▶

💬Community

Bugzilla

CVE-2017-5645 log4j12: log4j: Socket receiver deserialization vulnerability [fedora-all]↗2017-06-01

▶

Bugzilla

CVE-2017-5645 log4j: Socket receiver deserialization vulnerability [fedora-all]↗2017-04-19

▶

Bugzilla

CVE-2017-5645 log4j: Socket receiver deserialization vulnerability↗2017-04-19

▶