Description
In Apache Log4j 2.x before 2.8.2 (CVE-2017-5645), when the TCP socket server or UDP socket server is used to receive serialized log events from another application, the received bytes are handed to a Java ObjectInputStream without any restriction on which classes may be instantiated. A remote sender can therefore submit a specially crafted serialized payload that, when deserialized, executes arbitrary code with the privileges of the log server process. The issue is in the receiving side (the socket servers), not in the SerializedLayout used by the sending appender.
Remediation
Upgrade to Apache Log4j 2.8.2 or later, which restricts the classes the socket servers will deserialize to those needed to reconstruct a log event. Where an upgrade is not yet possible, do not expose TcpSocketServer or UdpSocketServer to untrusted networks, and do not accept serialized log events from hosts you do not control.
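The core of the problem is a plain `ObjectInputStream.readObject()` over network input. The following is an added, self-contained illustration (not Log4j's own code, and not its actual fix) of the vulnerable read pattern beside a hardened one that overrides `resolveClass` with a package allow-list. The class names, the three allowed prefixes, and the sample objects are assumptions chosen for the demonstration; a real server would tune the list to exactly the event classes it expects.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class FilteredDeserializationDemo {

    // Hypothetical allow-list for this demo. Any class whose name does not
    // start with one of these prefixes is rejected before it is instantiated.
    // Note that array classes ("[B", "[Ljava.lang.String;") would also be
    // rejected by this prefix check; add them explicitly if your events carry them.
    private static final List<String> ALLOWED_PREFIXES = Arrays.asList(
            "java.lang.", "java.util.", "org.apache.logging.log4j.");

    /** Hardened stream: class resolution is gated by the allow-list. */
    static final class FilteringObjectInputStream extends ObjectInputStream {
        FilteringObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (String prefix : ALLOWED_PREFIXES) {
                if (name.startsWith(prefix)) {
                    return super.resolveClass(desc);
                }
            }
            // Rejecting here happens before any constructor, readObject()
            // or readResolve() of the attacker-chosen class can run.
            throw new InvalidClassException(name, "class not on deserialization allow-list");
        }
    }

    /** Vulnerable pattern: whatever class the sender names gets instantiated. */
    static Object readUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: same call, but through the filtering stream. */
    static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    /** Helper to build sample payloads in-process (constructed test data). */
    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Benign payload: java.util.ArrayList holding java.lang.String values.
        byte[] benign = serialize(new ArrayList<>(Arrays.asList("event-1", "event-2")));
        // Off-list payload: java.io.File is Serializable but has no business in a log event.
        // It stands in for the attacker-controlled class of a real gadget chain.
        byte[] offList = serialize(new File("/tmp/not-a-log-event"));

        System.out.println("unfiltered, benign : " + readUnfiltered(benign));
        System.out.println("unfiltered, off-list: " + readUnfiltered(offList)); // instantiated!

        System.out.println("filtered,   benign : " + readFiltered(benign));
        try {
            readFiltered(offList);
        } catch (InvalidClassException e) {
            System.out.println("filtered,   off-list: rejected (" + e.getMessage() + ")");
        }
    }
}
```

On Java 9 and later the same effect can be had without subclassing by installing an `ObjectInputFilter` via `ObjectInputStream.setObjectInputFilter`, or process-wide with the `jdk.serialFilter` system property; the allow-list approach is the same, only the hook differs.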
References
Related Vulnerabilities
Apache Tomcat Improper Input Validation Vulnerability (CVE-2016-6816)
Moodle Improper Access Control Vulnerability (CVE-2016-8642)
Python Uncontrolled Search Path Element Vulnerability (CVE-2017-20052)
Drupal Core 4.5.x Mail Header Injection (4.5.0 - 4.5.7)
WordPress Plugin Social Login by BestWebSoft Cross-Site Scripting (0.1)