CVE-2019-17571

About vulnerability

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Affected product:

Apache Commons , Apache Hadoop , Apache Hive , Apache Kafka , Apache Spark , CentOS 6 ELS , CloudLinux 6 ELS , Eclipse Jetty , Hibernate , Logback , Oracle Linux 6 ELS , Plexus , Reload4j , Spring , accumulo , activeio-core , activemq , agepredictor , ant , apache-log4j-extras , avro , bookkeeper-common-allocator , bookkeeper-server , castor , cocoon , core , cxf , dropwizard-metrics-hadoop-metrics2-reporter , elasticsearch , flume-ng-core , geronimo-xbean , gradle , hbase , incubator-retired-slider , jgit , karaf , logging-flume , lucene , maven , org.ops4j.pax.logging , sisu , slf4j , slider-core , tika , zkclient , zookeeper

Affected packages:

cxf-services-sts-systests-advanced @ 2.7.18 (+2060 more)

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.