CVE-2019-17571
Severity: CRITICAL | WAF coverage: Medium
CVSS 9.8
Published: 2019-12-20
CWE-502 (Deserialization of Untrusted Data)
Log4j 1.2 ships a SocketServer class (backed by SocketNode) that reads log events from the network with a plain ObjectInputStream, i.e. it deserializes untrusted data. An attacker who can reach the listening port can send a crafted serialized object instead of a LoggingEvent and, if a suitable deserialization gadget is present on the server's classpath, execute arbitrary code remotely. This affects Log4j 1.2 versions up to and including 1.2.17. Log4j 1.x is end of life and Apache published no fixed 1.x release, so the practical mitigation is to stop running SocketServer (or any receiver built on SocketNode) where untrusted hosts can reach it and to migrate to a supported Log4j 2 release.
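As an added example (not code from Log4j or from this advisory), the following Python script shows the kind of wire-level check a detection engineer can run on traffic captured to a SocketServer port: it parses the Java serialization header strictly, requires the outermost object to be org.apache.log4j.spi.LoggingEvent, and then scans for every class descriptor in the stream and rejects anything not on an allow-list. The allow-list, the byte strings and the class name com.example.Gadget are constructed for illustration; a real LoggingEvent stream is longer, and the allowed class set should be confirmed against captures from your own appenders before it is enforced. This is a detector, not a fix: it does not make the receiver safe.

```python
"""Heuristic wire-level check for streams sent to a log4j 1.2 SocketServer port.

Added example, not log4j code. Rejects a captured Java serialization stream unless
the outermost object is a LoggingEvent and every class descriptor found is on an
allow-list. The nested-class check matters: an outer LoggingEvent does not prove
that the objects inside it are harmless.
"""
import re
import struct

STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = 5
TC_OBJECT = 0x73        # an object follows
TC_CLASSDESC = 0x72     # new class descriptor: UTF name, serialVersionUID, flags, fields
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70

# Assumed allow-list: classes a SocketNode plausibly needs to rebuild a LoggingEvent.
# Tune it against captures from your own appenders before enforcing it.
ALLOWED_CLASSES = {
    "org.apache.log4j.spi.LoggingEvent",
    "org.apache.log4j.spi.ThrowableInformation",
    "org.apache.log4j.spi.LocationInfo",
    "java.util.Hashtable",
    "[Ljava.lang.String;",
}

# Fully qualified Java class names, including array descriptors like [Ljava.lang.String;
_CLASS_NAME = re.compile(rb"^\[*[A-Za-z_$][A-Za-z0-9_$.]*;?$")


def outer_class(stream: bytes) -> str:
    """Name of the outermost object, parsed strictly from the stream header."""
    if len(stream) < 8 or stream[:2] != STREAM_MAGIC:
        raise ValueError("not a Java serialization stream")
    if struct.unpack(">H", stream[2:4])[0] != STREAM_VERSION:
        raise ValueError("unexpected stream version")
    if stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        raise ValueError("stream does not begin with TC_OBJECT/TC_CLASSDESC")
    (n,) = struct.unpack(">H", stream[6:8])
    name = stream[8:8 + n]
    if len(name) != n or not _CLASS_NAME.match(name):
        raise ValueError("malformed class name")
    return name.decode("ascii")


def all_class_names(stream: bytes) -> list[str]:
    """Every TC_CLASSDESC name in the stream, found by a forward scan.

    Heuristic, not a full parser: a 0x72 byte inside field data could be taken for
    a descriptor, but the length and identifier checks make that rare, and a false
    hit can only cause a rejection (fail closed).
    """
    names = []
    i = 4  # skip magic and version
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", stream[i + 1:i + 3])
            cand = stream[i + 3:i + 3 + n]
            if 0 < n <= 255 and len(cand) == n and _CLASS_NAME.match(cand):
                names.append(cand.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return names


def check_stream(stream: bytes) -> tuple[bool, str]:
    """Return (accept, reason) for one captured stream."""
    try:
        outer = outer_class(stream)
    except ValueError as exc:
        return False, str(exc)
    if outer != "org.apache.log4j.spi.LoggingEvent":
        return False, f"outer object is {outer}, not a LoggingEvent"
    bad = [n for n in all_class_names(stream) if n not in ALLOWED_CLASSES]
    if bad:
        return False, "class not on allow-list: " + ", ".join(sorted(set(bad)))
    return True, "ok"


# --- constructed samples (not real captures) ---------------------------------

def _object(name: str, serial_version_uid: int = 0) -> bytes:
    """Minimal TC_OBJECT + TC_CLASSDESC with no fields and no superclass."""
    utf = name.encode("ascii")
    return (bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(utf)) + utf
            + struct.pack(">q", serial_version_uid) + b"\x02"   # SC_SERIALIZABLE
            + b"\x00\x00" + bytes([TC_ENDBLOCKDATA, TC_NULL]))  # 0 fields, no superclass


HEADER = STREAM_MAGIC + struct.pack(">H", STREAM_VERSION)
BENIGN = HEADER + _object("org.apache.log4j.spi.LoggingEvent") + _object("java.util.Hashtable")
# "com.example.Gadget" is a placeholder name, not a real gadget class.
HOSTILE_OUTER = HEADER + _object("com.example.Gadget")
HOSTILE_NESTED = HEADER + _object("org.apache.log4j.spi.LoggingEvent") + _object("com.example.Gadget")

if __name__ == "__main__":
    for label, s in [("benign", BENIGN), ("hostile outer", HOSTILE_OUTER), ("hostile nested", HOSTILE_NESTED)]:
        print(label, check_stream(s))
```

Run it as-is to see the three verdicts; to apply it to real traffic, feed check_stream the payload bytes of each TCP session to the SocketServer port (for example from a pcap) and alert on any rejection, then verify the allow-list against a known-good capture so that legitimate events are not flagged.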
WAF Coverage Analysis
Insecure Deserialization
Medium WAF Coverage
OWASP: A08:2021 Software and Data Integrity Failures
944xxx - Java Attack
Affected Software
| Vendor | Product | Version |
|---|---|---|
| apache | log4j | up to 1.2.17 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
| canonical | ubuntu_linux | 18.04 |
| opensuse | leap | 15.1 |
| netapp | oncommand_system_manager | 3.0 - 3.1.3 |
| netapp | oncommand_workflow_automation | - |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | communications_network_integrity | 7.3.2 - 7.3.6 |
References
- lists.opensuse.org (Mailing List, Third Party Advisory)
- lists.apache.org (Mailing List, Vendor Advisory)