Lucene search

K
atlassianAkhudavetsCONFSERVER-59549
HistoryMar 02, 2020 - 3:58 a.m.

Apache Log4j - Arbitrary Code Execution in confserver/confluence (master)

2020-03-0203:58:39
akhudavets
jira.atlassian.com
41

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.794 High

EPSS

Percentile

98.2%

h3. Issue Summary
Arbitrary Code Execution in confserver/confluence (master)

h3. Steps to Reproduce

  • Vulnerability: Arbitrary Code Execution
  • Severity: {color:#f9423a}High{color}
  • Project: confserver/confluence
  • Branch: master
  • Scan Date: Unknown
    Vulnerability ID: CVE-2019-17571

log4j-core is vulnerable to arbitrary code execution. Deserialization of untrusted data in TcpSocketServer and UdpSocketServer when listening for log data allows an attacker to execute arbitrary code via a malicious deserialization gadget.

[View more details|https://atlassian.sourceclear.io/teams/6YYCddV/issues/vulnerabilities/28954266]

h3. Expected Results
N/A
h3. Actual Results
N/A
h3. Workaround
N/A

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.794 High

EPSS

Percentile

98.2%