Apache Log4j socket receiver deserialization vulnerability

Description
  • Apache Log4j is a Java-based logging utility. When Apache Log4j is using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

    Apache Log4j Versions Affected: all versions from 2.0-alpha1 to 2.8.1.
Remediation
  • Upgrade to the latest version of Apache Log4j. This vulnerability was fixed in Apache Log4j version 2.8.2.
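
The root cause described above is a socket receiver that hands untrusted bytes to Java serialization and lets any class on the classpath be reconstructed. The standard hardening, and the approach the upstream fix took, is to resolve only an allow list of expected class names during deserialization and reject everything else before an instance is created. The following is an added example written for this page, not Log4j's own code: a stand-alone Java program with a constructed `LogEvent` type standing in for a real log event and a constructed `Unexpected` type standing in for any class the receiver does not expect. The allow-list contents are illustrative; a real receiver lists exactly the event classes it ships.

```java
import java.io.*;
import java.util.*;

/**
 * Added example (not Log4j code): an allow-listing ObjectInputStream for a
 * receiver that deserializes log events from the network. Class names outside
 * the allow list are refused in resolveClass, i.e. before the class is loaded
 * and before any readObject hook of that class can run.
 */
public class AllowListDeserializer {

    // Exact class names and package prefixes the receiver is willing to instantiate.
    // Illustrative values; a real receiver lists exactly the event classes it expects.
    private static final Set<String> ALLOWED_CLASSES = new HashSet<>(Arrays.asList(
            "AllowListDeserializer$LogEvent",
            "java.lang.String"));
    private static final List<String> ALLOWED_PREFIXES = Arrays.asList("java.util.");

    /** Constructed stand-in for a serialized log event. */
    public static final class LogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String logger;
        final String message;
        LogEvent(String logger, String message) { this.logger = logger; this.message = message; }
    }

    /** Constructed stand-in for any class the receiver does not expect. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        // Records whether deserialization reached this class's readObject hook.
        static boolean readObjectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true;
        }
    }

    /** ObjectInputStream that refuses class names outside the allow list. */
    static final class FilteringObjectInputStream extends ObjectInputStream {
        FilteringObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            boolean allowed = ALLOWED_CLASSES.contains(name)
                    || ALLOWED_PREFIXES.stream().anyMatch(name::startsWith);
            if (allowed) {
                return super.resolveClass(desc);
            }
            // Rejected here: the class is neither loaded nor instantiated.
            throw new InvalidClassException(name, "class not on the receiver's allow list");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new FilteringObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected event type: accepted and reconstructed normally.
        byte[] good = serialize(new LogEvent("app.Main", "started"));
        LogEvent ev = (LogEvent) deserializeFiltered(good);
        System.out.println("accepted: " + ev.logger + " - " + ev.message);

        // Unexpected type: rejected in resolveClass, so its readObject never runs.
        byte[] bad = serialize(new Unexpected());
        try {
            deserializeFiltered(bad);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
        System.out.println("Unexpected.readObject ran: " + Unexpected.readObjectRan);
    }
}
```

Compile and run with `javac AllowListDeserializer.java && java AllowListDeserializer`; the second deserialization is refused with an `InvalidClassException` and the `readObjectRan` flag stays `false`. On Java 9 and later the same policy can be expressed without subclassing by installing an `ObjectInputFilter` (`ObjectInputStream.setObjectInputFilter`), which is the preferable mechanism for new code. Either way the point is the same: a receiver that must accept serialized objects from the network names the classes it expects and treats every other class descriptor as a rejected input, which is also a useful thing to log and alert on.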
References