Correction: Log4j versions up to 1.2.17 are affected. The ".27" was a typo.
On Wed, 18 Dec 2019 at 21:20, Matt Sicker <mattsic...@apache.org> wrote:
>
> CVE-2019-17571: Deserialization of untrusted data in SocketServer
>
> Severity: Critical
> CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/RL:W
>
> Product:
> Apache Log4j
>
> Versions Affected:
> Apache Log4j up to and including 1.2.27. Separately fixed by
> CVE-2017-5645 in Log4j 2.8.2.
>
> Problem type:
> CWE-502: Deserialization of Untrusted Data
>
> Description:
>
> Included in Log4j 1.2 is a SocketServer class that is vulnerable to
> deserialization of untrusted data which can be exploited to remotely
> execute arbitrary code when combined with a deserialization gadget
> when listening to untrusted network traffic for log data.
>
> Mitigation:
>
> Apache Log4j 1.2 reached end of life in August 2015. Users should
> upgrade to Log4j 2.x which both addresses that vulnerability as well
> as numerous other issues in the previous versions.
>
> Credit:
>
> This issue was initially discovered in CVE-2017-5645 by Marcio Almeida
> de Macedo of Red Team at Telstra.
>
> Links:
>
> https://logging.apache.org/log4j/1.2/
> https://issues.apache.org/jira/browse/LOG4J2-1863
>
> --
> Matt Sicker
> Secretary, Apache Software Foundation
> VP Logging Services, ASF

--
Matt Sicker
Secretary, Apache Software Foundation
VP Logging Services, ASF
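Added illustration of the CWE-502 pattern the advisory describes; this is not part of the advisory and not Log4j's own code. The vulnerable half mirrors what a receiver does when it calls ObjectInputStream.readObject() on a socket and only casts afterwards; the hardened half rejects any class descriptor that is not on an allow-list inside resolveClass(), which runs before an instance is created, so a gadget's readObject() never executes (the approach Log4j 2.8.2 took for its own fix). Assumptions: LogRecordEvent is a hypothetical stand-in for org.apache.log4j.spi.LoggingEvent so the program runs without Log4j on the classpath, and the "hostile" payload is a plain java.util.HashMap standing in for "a class the receiver never asked for"; no real gadget chain is used.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

public class SocketServerDeserializationDemo {

    // Hypothetical stand-in for org.apache.log4j.spi.LoggingEvent (assumption,
    // not the real class) so the demo runs without Log4j on the classpath.
    public static final class LogRecordEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String level;
        final String message;
        LogRecordEvent(String level, String message) {
            this.level = level;
            this.message = message;
        }
    }

    // Vulnerable pattern: readObject() instantiates whatever class descriptor the
    // peer sent, so any gadget class on the classpath is reachable. A cast to the
    // expected type afterwards is too late; the gadget has already run.
    static Object readUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: resolveClass() is consulted before any instance exists,
    // so rejecting unknown descriptors here stops a gadget before it is built.
    static final class FilteredObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Collections.unmodifiableSet(
                new HashSet<>(Arrays.asList(LogRecordEvent.class.getName())));

        FilteredObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "rejected by deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static LogRecordEvent readFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new FilteredObjectInputStream(new ByteArrayInputStream(wire))) {
            return (LogRecordEvent) ois.readObject();
        }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one legitimate event and one object of a class the
        // receiver never asked for (a harmless HashMap standing in for a gadget).
        byte[] benign = serialize(new LogRecordEvent("INFO", "hello"));
        byte[] hostile = serialize(new HashMap<String, String>());

        System.out.println("unfiltered, hostile: instantiated "
                + readUnfiltered(hostile).getClass().getName());
        System.out.println("filtered, benign:    " + readFiltered(benign).message);
        try {
            readFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered, hostile:   rejected " + e.classname);
        }
    }
}
```

Run with `javac SocketServerDeserializationDemo.java && java SocketServerDeserializationDemo`. On Java 9 and later the same allow-list can be expressed without subclassing through ObjectInputStream.setObjectInputFilter (JEP 290). Note that this does not make the Log4j 1.2 SocketServer safe as shipped: the advisory's mitigation stands, which is to upgrade to Log4j 2.x and not to expose a SocketServer to untrusted network traffic.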