Lucene search

K
cveApacheCVE-2019-17571
HistoryDec 20, 2019 - 5:15 p.m.

CVE-2019-17571

2019-12-2017:15:11
CWE-502
apache
web.nvd.nist.gov
860
18
log4j
cve-2019-17571
socketserver class
deserialization
remote code execution

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.806

Percentile

98.4%

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Affected configurations

Nvd
Vulners
Node
apachelog4jRange1.2.17
Node
debiandebian_linuxMatch8.0
OR
debiandebian_linuxMatch9.0
OR
debiandebian_linuxMatch10.0
Node
canonicalubuntu_linuxMatch18.04lts
Node
opensuseleapMatch15.1
Node
netapponcommand_system_managerRange3.03.1.3
OR
netapponcommand_workflow_automationMatch-
Node
oracleapplication_testing_suiteMatch13.3.0.1
OR
oraclecommunications_network_integrityRange7.3.27.3.6
OR
oracleendeca_information_discovery_studioMatch3.2.0
OR
oraclefinancial_services_lending_and_leasingRange14.1.014.8.0
OR
oraclefinancial_services_lending_and_leasingMatch12.5.0
OR
oraclemysql_enterprise_monitorRange8.0.29
OR
oracleprimavera_gatewayRange16.216.2.11
OR
oracleprimavera_gatewayRange17.12.017.12.7
OR
oraclerapid_planningMatch12.1
OR
oraclerapid_planningMatch12.2
OR
oracleretail_extract_transform_and_loadMatch19.0
OR
oracleretail_service_backboneMatch14.1
OR
oracleretail_service_backboneMatch15.0
OR
oracleretail_service_backboneMatch16.0
OR
oracleweblogic_serverMatch10.3.6.0.0
OR
oracleweblogic_serverMatch12.1.3.0.0
OR
oracleweblogic_serverMatch12.2.1.3.0
OR
oracleweblogic_serverMatch12.2.1.4.0
OR
oracleweblogic_serverMatch14.1.1.0.0
Node
apachebookkeeperRange<4.14.3
VendorProductVersionCPE
apachelog4j*cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
debiandebian_linux8.0cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
debiandebian_linux9.0cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
canonicalubuntu_linux18.04cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
opensuseleap15.1cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
netapponcommand_system_manager*cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*
netapponcommand_workflow_automation-cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
oracleapplication_testing_suite13.3.0.1cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
oraclecommunications_network_integrity*cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*
Rows per page:
1-10 of 271

CNA Affected

[
  {
    "product": "Log4j",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "versions up to 1.2.17"
      }
    ]
  }
]

References

Social References

More

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.806

Percentile

98.4%