CVE-2019-17571

CRITICAL

Apache Log4j <= 1.2.17 - Deserialization of Untrusted Data via SocketServer

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2019-17571. PoCs published by shadow-horse, HynekPetrak and Al1ex.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2019-17571, a deserialization vulnerability in Apache Log4j 1.2.X. It includes steps to reproduce the vulnerability, required dependencies, and exploitation methodology using ysoserial and netcat.

Description

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data. When the server listens for log data on untrusted network traffic, this can be exploited, in combination with a deserialization gadget on the classpath, to remotely execute arbitrary code. This affects Log4j versions from 1.2 up to and including 1.2.17.

Exploits (3)

nomisec · WRITEUP · 78 stars
by shadow-horse · poc
https://github.com/shadow-horse/CVE-2019-17571

This repository provides a detailed technical analysis of CVE-2019-17571, a deserialization vulnerability in Apache Log4j 1.2.X. It includes steps to reproduce the vulnerability, required dependencies, and exploitation methodology using ysoserial and netcat.

Classification
Writeup 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Apache Log4j 1.2.4 to 1.2.17
No auth needed
Prerequisites: Java runtime environment · Vulnerable Log4j 1.2.X jar · ysoserial tool · netcat
devstral-2 · analyzed Feb 18, 2026
nomisec · SCANNER · 39 stars
by HynekPetrak · poc
https://github.com/HynekPetrak/log4shell-finder

This repository contains a Python-based file system scanner for detecting vulnerable log4j instances across multiple CVEs, including CVE-2017-5645. It identifies log4j (1.x), reload4j (1.2.18+), and log4j-core (2.x) versions vulnerable to those CVEs.

Classification
Scanner 100%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: log4j (1.x), reload4j (1.2.18+), log4j-core (2.x)
No auth needed
Prerequisites: Access to the file system to scan
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 1 star
by Al1ex · poc
https://github.com/Al1ex/CVE-2019-17571

This repository contains a functional PoC for CVE-2019-17571, a deserialization vulnerability in Apache Log4j 1.x. The exploit leverages the SimpleSocketServer to trigger the vulnerability, demonstrating remote code execution potential.

Classification
Working Poc 80%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Apache Log4j 1.x
No auth needed
Prerequisites: Network access to the target · Log4j 1.x with SocketServer enabled
devstral-2 · analyzed Feb 19, 2026

References (113)

Core References
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2020.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/01/msg00008.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00022.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4686
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2020.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200110-0001/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4495-1/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 9.8
EPSS 0.2850
EPSS Percentile 96.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-502
Status published
Products (30)
apache/bookkeeper < 4.14.3
apache/log4j < 1.2.17
Apache Software Foundation/Log4j versions up to 1.2.17
canonical/ubuntu_linux 18.04
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
log4j/log4j 1.2 - 1.2.17 (Maven)
netapp/oncommand_system_manager 3.0 - 3.1.3
netapp/oncommand_workflow_automation
... and 20 more
Published Dec 20, 2019
Tracked Since Feb 18, 2026