Description

Apache Log4j is a Java-based logging utility. When Apache Log4j is using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

Apache Log4j Versions Affected: all versions from 2.0-alpha1 to 2.8.1.

Remediation

Upgrade to the latest version of Apache Log4j. This vulnerability was fixes in Apache Log4j version 2.8.2.

References

CVE-2017-5645: Apache Log4j socket receiver deserialization vulnerability

Related Vulnerabilities

Drupal Core 4.7.x Arbitrary Code Execution (4.7.0)

WordPress Plugin Global Content Blocks PHP Code Execution and Information Disclosure Vulnerabilities (1.5.1)

PHP eval() used on user input

Bash code injection vulnerability

Drupal Core 4.7.x Arbitrary Code Execution (4.7.0 - 4.7.5)

Severity

Critical

Classification

CVE-2017-5645 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Insecure Deserialization Acumonitor