
CVE-2019-17571

Severity: CRITICAL (CVSS score 9.8)
EPSS score: 0.1840%
EPSS percentile: 3.56th
Published: 20 December 2019
Last modified: 28 May 2026

Vulnerability Description

Log4j 1.2 ships a SocketServer class that deserializes untrusted data. When it is listening for log data on untrusted network traffic, an attacker who can reach it and has a suitable deserialization gadget on the classpath can achieve remote arbitrary code execution. This affects Log4j 1.2 releases up to and including 1.2.17.

Affected Platforms (CPE)

Vendor | Product | Affected versions
Apache | Log4j | <= 1.2.17
Debian | Debian Linux | = 8.0
Debian | Debian Linux | = 9.0
Debian | Debian Linux | = 10.0
Canonical | Ubuntu Linux | = 18.04
Opensuse | Leap | = 15.1
Netapp | Oncommand System Manager | >= 3.0 and <= 3.1.3
Netapp | Oncommand Workflow Automation | All versions
Oracle | Application Testing Suite | = 13.3.0.1
Oracle | Communications Network Integrity | >= 7.3.2 and <= 7.3.6
Oracle | Endeca Information Discovery Studio | = 3.2.0
Oracle | Financial Services Lending And Leasing | >= 14.1.0 and <= 14.8.0
Oracle | Financial Services Lending And Leasing | = 12.5.0
Oracle | Mysql Enterprise Monitor | <= 8.0.29
Oracle | Primavera Gateway | >= 16.2 and <= 16.2.11
Oracle | Primavera Gateway | >= 17.12.0 and <= 17.12.7
Oracle | Rapid Planning | = 12.1
Oracle | Rapid Planning | = 12.2
Oracle | Retail Extract Transform And Load | = 19.0
Oracle | Retail Service Backbone | = 14.1
Oracle | Retail Service Backbone | = 15.0
Oracle | Retail Service Backbone | = 16.0
Oracle | Weblogic Server | = 10.3.6.0.0
Oracle | Weblogic Server | = 12.1.3.0.0
Oracle | Weblogic Server | = 12.2.1.3.0
Oracle | Weblogic Server | = 12.2.1.4.0
Oracle | Weblogic Server | = 14.1.1.0.0
Apache | Bookkeeper | < 4.14.3

References & Advisories

Related Vulnerabilities and Threats