CVE-2019-17571
Published: 2019-12-20
Severity: critical, 9.8 (CVSS 3.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data. When combined with a deserialization gadget, this can be exploited to remotely execute arbitrary code if the server is listening to untrusted network traffic for log data. This affects Log4j 1.2 versions up to and including 1.2.17.
Affected (29 ranges, 25 shown)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | bookkeeper | < 4.14.3 | 4.14.3 |
| apache | log4j | <= 1.2.17 | — |
| apache_software_foundation | log4j | — | — |
| canonical | ubuntu_linux | — | — |
| debian | apache-log4j1.2 | < apache-log4j1.2 1.2.17-9 (bookworm) | apache-log4j1.2 1.2.17-9 (bookworm) |
| debian | debian_linux | — | — |
| netapp | oncommand_system_manager | 3.0 – 3.1.3 | — |
| opensuse | leap | — | — |
| oracle | application_testing_suite | — | — |
| oracle | communications_network_integrity | 7.3.2 – 7.3.6 | — |
| oracle | endeca_information_discovery_studio | — | — |
| oracle | financial_services_lending_and_leasing | — | — |
| oracle | financial_services_lending_and_leasing | 14.1.0 – 14.8.0 | — |
| oracle | mysql_enterprise_monitor | <= 8.0.29 | — |
| oracle | primavera_gateway | 16.2 – 16.2.11 | — |
| oracle | primavera_gateway | 17.12.0 – 17.12.7 | — |
| oracle | rapid_planning | — | — |
| oracle | retail_extract_transform_and_load | — | — |
| oracle | retail_service_backbone | — | — |
| oracle | weblogic_server | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |