Correction: Log4j versions up to 1.2.17 are affected. The ".27" was a typo.
On Wed, 18 Dec 2019 at 21:20, Matt Sicker wrote:
>
> CVE-2019-17571: Deserialization of untrusted data in SocketServer
>
> Severity: Critical
> CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/RL:W
>
> Product:
> Apache Log4j
CVE-2019-17571: Deserialization of untrusted data in SocketServer

Severity: Critical
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/RL:W

Product:
Apache Log4j

Versions Affected:
Apache Log4j up to and including 1.2.27. Separately fixed by
CVE-2017-5645 in Log4j 2.8.2.

Problem type:
CWE-502: Deser