CVE-2019-17571

CRITICAL

Apache Log4j < 1.2.17 - Insecure Deserialization

Title source: rule

Description

Log4j 1.2 includes a SocketServer class that is vulnerable to deserialization of untrusted data. When this server listens for log data on untrusted network traffic, the flaw can be combined with a deserialization gadget to execute arbitrary code remotely. This affects Log4j versions 1.2 up to 1.2.17.

Exploits (3)

nomisec WRITEUP (78 stars), by shadow-horse, poc: https://github.com/shadow-horse/CVE-2019-17571
nomisec SCANNER (39 stars), by HynekPetrak, poc: https://github.com/HynekPetrak/log4shell-finder
nomisec WORKING POC (1 star), by Al1ex, poc: https://github.com/Al1ex/CVE-2019-17571

References (113)

... and 93 more

Scores

CVSS v3 9.8
EPSS 0.3696
EPSS Percentile 97.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (29)
apache/bookkeeper < 4.14.3
apache/log4j < 1.2.17
canonical/ubuntu_linux 18.04
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
log4j/log4j 1.2 (Maven)
netapp/oncommand_system_manager 3.0 - 3.1.3
netapp/oncommand_workflow_automation
opensuse/leap 15.1
... and 19 more
Published Dec 20, 2019
Tracked Since Feb 18, 2026