CVE-2019-17571

CVSS Severity Score: 9.8 (CRITICAL)
EPSS Score: 0.1840%
EPSS Percentile: 3.56th
Published: Dec 20, 2019
Last Modified: May 28, 2026

Vulnerability Description

Log4j 1.2 includes a SocketServer class that is vulnerable to deserialization of untrusted data. When the class listens for log data on untrusted network traffic, this can be exploited, in combination with a deserialization gadget, to remotely execute arbitrary code. This affects Log4j 1.2 versions up to 1.2.17.

Affected Platforms (CPE)

Vendor / Product / Affected versions

Apache / Log4j / <= 1.2.17
Debian / Debian Linux / = 8.0
Debian / Debian Linux / = 9.0
Debian / Debian Linux / = 10.0
Canonical / Ubuntu Linux / = 18.04
openSUSE / Leap / = 15.1
NetApp / OnCommand System Manager / >= 3.0 and <= 3.1.3
NetApp / OnCommand Workflow Automation / All versions
Oracle / Application Testing Suite / = 13.3.0.1
Oracle / Communications Network Integrity / >= 7.3.2 and <= 7.3.6
Oracle / Endeca Information Discovery Studio / = 3.2.0
Oracle / Financial Services Lending and Leasing / >= 14.1.0 and <= 14.8.0
Oracle / Financial Services Lending and Leasing / = 12.5.0
Oracle / MySQL Enterprise Monitor / <= 8.0.29
Oracle / Primavera Gateway / >= 16.2 and <= 16.2.11
Oracle / Primavera Gateway / >= 17.12.0 and <= 17.12.7
Oracle / Rapid Planning / = 12.1
Oracle / Rapid Planning / = 12.2
Oracle / Retail Extract Transform and Load / = 19.0
Oracle / Retail Service Backbone / = 14.1
Oracle / Retail Service Backbone / = 15.0
Oracle / Retail Service Backbone / = 16.0
Oracle / WebLogic Server / = 10.3.6.0.0
Oracle / WebLogic Server / = 12.1.3.0.0
Oracle / WebLogic Server / = 12.2.1.3.0
Oracle / WebLogic Server / = 12.2.1.4.0
Oracle / WebLogic Server / = 14.1.1.0.0
Apache / BookKeeper / < 4.14.3
