CVE-2017-5645
published 2017-04-17
critical 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Affected
171 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | log4j | >= 2.0 < 2.8.2 | 2.8.2 |
| apache | logging | — | — |
| apache_software_foundation | apache_log4j | — | — |
| debian | apache-log4j2 | < apache-log4j2 2.7-2 (bookworm) | apache-log4j2 2.7-2 (bookworm) |
| oracle | api_gateway | — | — |
| oracle | application_testing_suite | — | — |
| oracle | autovue_vuelink_integration | — | — |
| oracle | autovue_vuelink_integration | — | — |
| oracle | banking_platform | — | — |
| oracle | banking_platform | — | — |
| oracle | banking_platform | — | — |
| oracle | bi_publisher | — | — |
| oracle | bi_publisher | — | — |
| oracle | bi_publisher | — | — |
| oracle | bi_publisher | — | — |
| oracle | communications_converged_application_server_service_controller | — | — |
| oracle | communications_instant_messaging_server | — | — |
| oracle | communications_interactive_session_recorder | 6.0 – 6.2 | — |
| oracle | communications_messaging_server | < 8.0.2 | 8.0.2 |
| oracle | communications_network_integrity | 7.3.2 – 7.3.6 | — |
| oracle | communications_online_mediation_controller | — | — |
| oracle | communications_pricing_design_center | — | — |
| oracle | communications_pricing_design_center | — | — |
| oracle | communications_service_broker | — | — |
| oracle | communications_webrtc_session_controller | < 7.2 | 7.2 |
CVSS provenance
nvd v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv 9.8 CRITICAL