Description
Apache Log4j is a Java-based logging utility. When Log4j's TCP socket server or UDP socket server is used to receive serialized log events from another application, a specially crafted binary payload sent to that server is deserialized on receipt and can execute arbitrary code.
Apache Log4j Versions Affected: all versions from 2.0-alpha1 to 2.8.1.
Remediation
Upgrade to the latest version of Apache Log4j. This vulnerability was fixed in Apache Log4j version 2.8.2.
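The root cause is unrestricted Java deserialization of data read from the network. The following Java program is an added illustration, not Log4j's own code: it shows the general mitigation, an ObjectInputStream that rejects every class not on an explicit allowlist before that class is loaded or instantiated. SampleEvent, the allowlist contents and the sample inputs are constructed for this example.

```java
import java.io.*;
import java.util.Set;

// Added example, not Log4j's own code: allowlist-filtering deserialization,
// the standard defence against code execution via untrusted serialized input.
public class AllowlistDeserialization {
    // Stand-in for a serialized log event; constructed for this example.
    static final class SampleEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        SampleEvent(String message) { this.message = message; }
    }
    // Only classes named here may be instantiated during deserialization.
    static final Set<String> ALLOWED = Set.of(SampleEvent.class.getName());

    static final class FilteringObjectInputStream extends ObjectInputStream {
        FilteringObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // Decide before the class is loaded, so an unexpected class never gets
            // to run its readObject/readResolve logic.
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allowlist");
            }
            return super.resolveClass(desc);
        }
        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            // Dynamic proxies bypass resolveClass, so refuse them outright.
            throw new InvalidClassException("dynamic proxy classes are not permitted");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new FilteringObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected event type passes the filter.
        SampleEvent ok = (SampleEvent) deserialize(serialize(new SampleEvent("startup complete")));
        System.out.println("accepted: " + ok.message);
        // Any other class (a harmless java.util.Date here) is rejected before instantiation.
        try { deserialize(serialize(new java.util.Date())); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

On Java 9 and later the same policy can also be expressed declaratively with ObjectInputFilter (JEP 290), either per stream via setObjectInputFilter or process-wide via the jdk.serialFilter system property.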