Description
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Remediation
References