CVE-2017-5645

CRITICAL NUCLEI

Apache Log4j < 2.8.2 - Insecure Deserialization

Title source: rule

Description

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

Exploits (3)

nomisec WRITEUP 92 stars
by pimps · poc
https://github.com/pimps/CVE-2017-5645
nomisec SCANNER 39 stars
by HynekPetrak · poc
https://github.com/HynekPetrak/log4shell-finder
gitlab STUB
by The-Real-TechLord · poc
https://gitlab.com/The-Real-TechLord/CVE-2017-5645

Nuclei Templates (1)

Apache Log4j Server - Deserialization Command Execution
CRITICALby princechaddha

References (82)

... and 62 more

Scores

CVSS v3 9.8
EPSS 0.9401
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (50)
apache/log4j 2.0 - 2.8.2
Apache Software Foundation/Apache Log4j All versions between 2.0-alpha1 and 2.8.1
netapp/oncommand_api_services
netapp/oncommand_insight
netapp/oncommand_workflow_automation
netapp/service_level_manager
netapp/snapcenter
netapp/storage_automation_store
oracle/api_gateway 11.1.2.4.0
oracle/application_testing_suite 13.3.0.1
... and 40 more
Published Apr 17, 2017
Tracked Since Feb 18, 2026