CVE-2019-17571

critical
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

References

https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tika.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tika.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tika.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tika.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tika.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tika.apache.org%3E

https://security.netapp.com/advisory/ntap-20200110-0001/

https://lists.apache.org/thread.html/[email protected]%3Cdev.tika.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tika.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tika.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tika.apache.org%3E

https://lists.debian.org/debian-lts-announce/2020/01/msg00008.html

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00022.html

https://lists.apache.org/thread.html/[email protected]%3Cdev.tika.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tika.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Clog4j-user.logging.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.jena.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.druid.apache.org%3E

https://www.oracle.com/security-alerts/cpuapr2020.html

https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://www.debian.org/security/2020/dsa-4686

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://www.oracle.com/security-alerts/cpujul2020.html

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommon-issues.hadoop.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommon-issues.hadoop.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommon-issues.hadoop.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommon-issues.hadoop.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommon-dev.hadoop.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommon-issues.hadoop.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommon-issues.hadoop.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommon-issues.hadoop.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommon-issues.hadoop.apache.org%3E

https://usn.ubuntu.com/4495-1/

https://lists.apache.org/thread.html/[email protected]%3Cdev.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.mina.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tinkerpop.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.kafka.apache.org%3E

https://www.oracle.com/security-alerts/cpuApr2021.html

https://lists.apache.org/thread.html/[email protected]%3Cusers.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cpluto-scm.portals.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cpluto-dev.portals.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.kafka.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommon-issues.hadoop.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.bookkeeper.apache.org%3E

Details

Source: MITRE

Published: 2019-12-20

Updated: 2021-10-18

Type: CWE-502

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* versions up to 1.2.17 (inclusive)

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Configuration 4

OR

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from 3.0 to 3.1.3 (inclusive)

cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*

Configuration 6

OR

cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:* versions from 7.3.2 to 7.3.6 (inclusive)

cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_lending_and_leasing:12.5.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_lending_and_leasing:*:*:*:*:*:*:*:* versions from 14.1.0 to 14.8.0 (inclusive)

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 16.2 to 16.2.11 (inclusive)

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 17.12.0 to 17.12.7 (inclusive)

cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_extract_transform_and_load:19.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:14.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

Tenable Plugins

View all (13 total)

IDNameProductFamilySeverity
150590SUSE SLES11 Security Update : log4j (SUSE-SU-2020:14267-1)NessusSuSE Local Security Checks
critical
140591Ubuntu 18.04 LTS : Apache Log4j vulnerability (USN-4495-1)NessusUbuntu Local Security Checks
critical
136675Debian DSA-4686-1 : apache-log4j1.2 - security updateNessusDebian Local Security Checks
critical
135680Oracle WebLogic Server Multiple Vulnerabilities (Apr 2020 CPU)NessusMisc.
critical
132915openSUSE Security Update : log4j (openSUSE-2020-51)NessusSuSE Local Security Checks
critical
132777Debian DLA-2065-1 : apache-log4j1.2 security updateNessusDebian Local Security Checks
critical
112177RHEL 6 / 7 : Red Hat JBoss Web Server 3.1.0 Service Pack 1 (RHSA-2017:1801)NessusRed Hat Local Security Checks
critical
105209RHEL 6 : JBoss EAP (RHSA-2017:3399)NessusRed Hat Local Security Checks
critical
103500RHEL 6 / 7 : eap7-jboss-ec2-eap (RHSA-2017:2811)NessusRed Hat Local Security Checks
critical
103044RHEL 6 : jboss-ec2-eap (RHSA-2017:2638)NessusRed Hat Local Security Checks
critical
102878CentOS 7 : log4j (CESA-2017:2423)NessusCentOS Local Security Checks
critical
102348RHEL 7 : log4j (RHSA-2017:2423)NessusRed Hat Local Security Checks
critical
102345Oracle Linux 7 : log4j (ELSA-2017-2423)NessusOracle Linux Local Security Checks
critical