
CVE-2019-17571

Severity

9.8

Description

Log4j 1.2 includes a SocketServer class (with SimpleSocketServer and the SocketNode it spawns per connection) that reads serialized LoggingEvent objects from the network with java.io.ObjectInputStream. Because the stream is deserialized without any class filtering, an attacker who can reach the listening port can send a crafted object and, when a suitable deserialization gadget is on the classpath, achieve remote code execution. This affects all Log4j 1.2 releases up to and including 1.2.17; it is only reachable when a socket receiver is actually run and exposed to untrusted network traffic.

Mitigation

Log4j 2.x is a rewrite published under different Maven coordinates: `log4j:log4j` (1.x) became `org.apache.logging.log4j:log4j-core` (2.x), so moving to 2.x is a migration of the dependency and its configuration, not a version bump. A variation of this vulnerability exists in `org.apache.logging.log4j:log4j-core` as CVE-2017-5645, in versions up to but excluding 2.8.2, so upgrade to `org.apache.logging.log4j:log4j-core` 2.8.2 or later. For `log4j:log4j` 1.x there is no fixed Apache release. Until the migration is done, the exposure can be removed operationally: do not run `org.apache.log4j.net.SocketServer` or `SimpleSocketServer` on a port reachable by untrusted hosts (the classes being present in the JAR is not by itself an exploitable condition; a listening receiver is), and audit deployments for any process started with those main classes.
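Because the 1.x branch has no fixed release, the practical first step is inventory: find every JAR that bundles the deserializing receiver classes and classify it by the two CVEs above. The scanner below is an added example written for this page, not code from Apache or the advisory. It checks a JAR offline for the Log4j 1.2 socket classes (flagged regardless of version, since no 1.x fix exists) and for the log4j-core 2.x receiver (flagged only when the Maven version is below 2.8.2 or cannot be determined). The log4j-core class names are assumptions to verify against your own artifacts; the three JARs it scans are constructed fixtures with empty class stubs, not real builds.

```python
"""Scan JARs for the CVE-2019-17571 exposure (Log4j 1.2 SocketServer) and
for the CVE-2017-5645 variant in log4j-core < 2.8.2. Added example; it tells
you a JAR ships the receiver, not that a listener is running."""
import re
import tempfile
import zipfile
from pathlib import Path

# Log4j 1.2 classes that deserialize LoggingEvent objects from a socket
# (SocketNode performs the ObjectInputStream.readObject call).
LOG4J1_SOCKET_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
)
# Assumed class names for the log4j-core 2.x socket receiver (CVE-2017-5645);
# verify them against the JAR you are scanning.
LOG4J2_SOCKET_CLASSES = (
    "org/apache/logging/log4j/core/net/server/TcpSocketServer.class",
    "org/apache/logging/log4j/core/net/server/ObjectInputStreamLogEventBridge.class",
)
LOG4J2_FIXED = (2, 8, 2)


def parse_version(text):
    """'1.2.17' -> (1, 2, 17); non-numeric suffixes such as '-rc1' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def read_version(zf):
    """Best-effort version: Maven pom.properties first, then manifest headers."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def scan_jar(path):
    """Return a list of (cve_id, version, matched_classes) findings for one JAR."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = read_version(zf)
    hit1 = [c for c in LOG4J1_SOCKET_CLASSES if c in names]
    if hit1:
        # No fixed 1.x release exists, so presence of the receiver is the finding.
        findings.append(("CVE-2019-17571", version, hit1))
    hit2 = [c for c in LOG4J2_SOCKET_CLASSES if c in names]
    if hit2 and (version is None or parse_version(version) < LOG4J2_FIXED):
        # 2.8.2 added class allow-listing inside the receiver; the classes stay
        # after the fix, so the version (or its absence) decides.
        findings.append(("CVE-2017-5645", version, hit2))
    return findings


def build_sample_jar(path, group, artifact, version, classes):
    """Constructed fixture: minimal JAR with pom.properties and empty class stubs."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"version={version}\n")
        for cls in classes:
            zf.writestr(cls, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo():
    """Scan three constructed JARs; returns {jar name: [CVE ids]}."""
    samples = [
        ("log4j-1.2.17.jar", "log4j", "log4j", "1.2.17", LOG4J1_SOCKET_CLASSES),
        ("log4j-core-2.8.1.jar", "org.apache.logging.log4j", "log4j-core", "2.8.1", LOG4J2_SOCKET_CLASSES),
        ("log4j-core-2.8.2.jar", "org.apache.logging.log4j", "log4j-core", "2.8.2", LOG4J2_SOCKET_CLASSES),
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, group, artifact, version, classes in samples:
            jar = Path(tmp) / name
            build_sample_jar(jar, group, artifact, version, classes)
            results[name] = [cve for cve, _, _ in scan_jar(jar)]
    return results


if __name__ == "__main__":
    for jar, cves in demo().items():
        print(f"{jar}: {', '.join(cves) or 'no finding'}")
```

Point `scan_jar` at real artifacts from a build output or a container image layer; a finding for CVE-2019-17571 then still needs the runtime question answered (is `SocketServer` or `SimpleSocketServer` the main class of any running JVM, and on what interface), which this file-level check cannot see.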

*NOTE:*
> Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2.x which both addresses that vulnerability as well as numerous other issues in the previous versions.

Reference: [https://logging.apache.org/log4j/1.2/](https://logging.apache.org/log4j/1.2/)

Project

Category
CWE-502: Deserialization of Untrusted Data
Tags
data
functional
Date Disclosed

2019-12-20

Date Discovered

2019-10-14

Apache ActiveMQ 5.16.x
First release: 2020-06-25
Namespace: javax

Apache ActiveMQ 5.14.x
First release: 2016-08-02
Namespace: javax

Apache ActiveMQ 5.13.x
First release: 2015-11-30
Namespace: javax