exploitDog

BDU:2021-01051

Published: 17 Apr 2017
Source: fstec
CVSS3: 9.8
CVSS2: 10
EPSS: Critical

Description

The vulnerability in the Log4j logging library for Java programs is caused by deserialization of untrusted data: when the library's TCP or UDP socket server is used to receive serialized log events from another application, a specially crafted binary payload is deserialized without validation. Exploitation may allow a remote attacker to execute arbitrary code.

Vendor

Oracle Corp.
Apache Software Foundation

Software name

WebLogic Server
Enterprise Manager Ops Center
Enterprise Repository
Retail Back Office
Retail Central Office
Retail Returns Management
Retail Point-of-Service
JD Edwards EnterpriseOne Tools
Managed File Transfer
Oracle Endeca Information Discovery Integrator
Oracle JDeveloper
Oracle Retail Invoice Matching
Oracle Retail Order Broker
Instantis EnterpriseTrack
Communications WebRTC Session Controller
Endeca Server
JD Edwards World Security
Utilities Framework
Application Testing Suite
Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder
Oracle Endeca Information Discovery Studio
Communications Online Mediation Controller
Retail Integration Bus
Communications Converged Application Server
Oracle Communications Service Broker
Primavera Gateway
Oracle Big Data Discovery
Identity Manager Connector
Retail Advanced Inventory Planning
MICROS Lucas
Tape Library ACSLS
Oracle Retail Service Backbone
Rapid Planning
Oracle FLEXCUBE Investor Servicing
Oracle FLEXCUBE Private Banking
Oracle Communications Network Integrity
Oracle Financial Services Lending and Leasing
Oracle Retail Extract Transform and Load
Communications Diameter Signaling Router
FLEXCUBE Core Banking
Oracle TimesTen In-Memory Database
Oracle Communications ASAP
Log4j
Oracle Communications Pricing Design Center
Oracle GoldenGate Application Adapters
Financial Services Compliance Regulatory Reporting
Oracle Communications Unified Inventory Management
Retail Xstore Point of Service

Software version

10.3.6.0 (WebLogic Server)
12.1.3.0 (WebLogic Server)
10.3.6.0.0 (WebLogic Server)
12.1.3.0.0 (WebLogic Server)
12.2.2 (Enterprise Manager Ops Center)
12.3.3 (Enterprise Manager Ops Center)
11.1.1.7.0 (Enterprise Repository)
12.1.3.0.0 (Enterprise Repository)
14.0 (Retail Back Office)
14.1 (Retail Back Office)
14.0 (Retail Central Office)
14.1 (Retail Central Office)
14.0 (Retail Returns Management)
14.1 (Retail Returns Management)
14.0 (Retail Point-of-Service)
14.1 (Retail Point-of-Service)
12.2.1.2 (WebLogic Server)
9.2 (JD Edwards EnterpriseOne Tools)
12.2.1.3 (WebLogic Server)
12.2.1.3.0 (Managed File Transfer)
3.2.0 (Oracle Endeca Information Discovery Integrator)
3.1.0 (Oracle Endeca Information Discovery Integrator)
12.2.1.3.0 (WebLogic Server)
12.1.3.0.0 (Oracle JDeveloper)
12.2.1.3.0 (Oracle JDeveloper)
12.0 (Oracle Retail Invoice Matching)
13.0 (Oracle Retail Invoice Matching)
13.1 (Oracle Retail Invoice Matching)
13.2 (Oracle Retail Invoice Matching)
14.0 (Oracle Retail Invoice Matching)
14.1 (Oracle Retail Invoice Matching)
5.1 (Oracle Retail Order Broker)
5.2 (Oracle Retail Order Broker)
15.0 (Oracle Retail Order Broker)
16.0 (Oracle Retail Order Broker)
17.1 (Instantis EnterpriseTrack)
17.2 (Instantis EnterpriseTrack)
17.3 (Instantis EnterpriseTrack)
12.1.3.0.0 (Managed File Transfer)
before 7.2 (Communications WebRTC Session Controller)
7.7.0 (Endeca Server)
A9.3 (JD Edwards World Security)
A9.4 (JD Edwards World Security)
4.4.0.0.0 (Utilities Framework)
4.3.0.2.0 (Utilities Framework)
4.2.0.3.0 (Utilities Framework)
4.2.0.2.0 (Utilities Framework)
13.3.0.1 (Application Testing Suite)
12.2.1.4.0 (WebLogic Server)
12.5.0.3 (Application Testing Suite)
13.1.0.1 (Application Testing Suite)
13.2.0.1 (Application Testing Suite)
10.0.1.3.0 (Communications Instant Messaging Server)
6.0 (Oracle Communications Interactive Session Recorder)
6.1 (Oracle Communications Interactive Session Recorder)
6.2 (Oracle Communications Interactive Session Recorder)
3.2.0 (Oracle Endeca Information Discovery Studio)
6.1 (Communications Online Mediation Controller)
15.0 (Retail Integration Bus)
16.0 (Retail Integration Bus)
6.1 (Communications Converged Application Server)
6.0 (Oracle Communications Service Broker)
16.2.0 through 16.2.11 inclusive (Primavera Gateway)
1.6 (Oracle Big Data Discovery)
9.0 (Identity Manager Connector)
15.0 (Retail Advanced Inventory Planning)
2.9.5 (MICROS Lucas)
14.1.0 (Retail Integration Bus)
8.4 (Tape Library ACSLS)
15.0 (Oracle Retail Service Backbone)
16.0 (Oracle Retail Service Backbone)
12.1 (Rapid Planning)
12.2 (Rapid Planning)
14.1.1.0.0 (WebLogic Server)
12.1.0 (Oracle FLEXCUBE Investor Servicing)
12.3.0 (Oracle FLEXCUBE Investor Servicing)
12.4.0 (Oracle FLEXCUBE Investor Servicing)
14.0.0 (Oracle FLEXCUBE Investor Servicing)
12.0.0 (Oracle FLEXCUBE Private Banking)
12.1.0 (Oracle FLEXCUBE Private Banking)
17.12.0 through 17.12.7 inclusive (Primavera Gateway)
7.3.2 through 7.3.6 inclusive (Oracle Communications Network Integrity)
12.5.0 (Oracle Financial Services Lending and Leasing)
14.1.0 through 14.8.0 inclusive (Oracle Financial Services Lending and Leasing)
19.0 (Oracle Retail Extract Transform and Load)
14.1 (Oracle Retail Service Backbone)
16.0 (Oracle Retail Invoice Matching)
8.0.0 through 8.2.2 inclusive (Communications Diameter Signaling Router)
2.2.0.0.0 (Utilities Framework)
4.3.0.1.0 through 4.3.0.6.0 inclusive (Utilities Framework)
11.5.0 through 11.7.0 inclusive (FLEXCUBE Core Banking)
4.4.0.2.0 (Utilities Framework)
11.1.1.9.0 (Oracle JDeveloper)
up to 11.2.2.8.49 inclusive (Oracle TimesTen In-Memory Database)
14.1 (Retail Advanced Inventory Planning)
7.3 (Oracle Communications ASAP)
13.2.5 (Oracle Retail Extract Transform and Load)
13.2.8 (Oracle Retail Extract Transform and Load)
2.0 up to but not including 2.8.2 (Log4j)
11.1 (Oracle Communications Pricing Design Center)
12.0 (Oracle Communications Pricing Design Center)
4.0.1.0 (JD Edwards EnterpriseOne Tools)
12.0.4 (Oracle FLEXCUBE Investor Servicing)
12.3.2.1.1 (Oracle GoldenGate Application Adapters)
8.0.9.2.0 (Financial Services Compliance Regulatory Reporting)
up to 7.4 inclusive (Oracle Communications Unified Inventory Management)
12.2.1.2.0 (Managed File Transfer)
A9.2 (JD Edwards World Security)
13.2 (Retail Advanced Inventory Planning)
13.4 (Retail Advanced Inventory Planning)
14.0.4 (Retail Central Office)
14.1.3 (Retail Central Office)
14.1.3 (Retail Back Office)
14.0.4 (Retail Back Office)
15.0 (Oracle Retail Invoice Matching)
5.0 (Oracle Retail Order Broker)
14.0.4 (Retail Point-of-Service)
14.1.3 (Retail Point-of-Service)
2.3.8 (Retail Returns Management)
2.4.9 (Retail Returns Management)
14.0.4 (Retail Returns Management)
14.1.3 (Retail Returns Management)
6.0.11 (Retail Xstore Point of Service)
7.0.6 (Retail Xstore Point of Service)
7.1.6 (Retail Xstore Point of Service)
15.0.1 (Retail Xstore Point of Service)

Software type

Network software
Information system application software
Software of a network hardware/software appliance
DBMS

Operating systems and hardware platforms

-

Severity level

Critical (CVSS 2.0 base score: 10)
Critical (CVSS 3.0 base score: 9.8)

Possible remediation measures

Follow the vendor recommendations. For Log4j itself this means upgrading to 2.8.2 or later (the release that resolves LOG4J2-1863); until the upgrade is in place, do not run the Log4j TCP/UDP socket server, or at least do not expose it to untrusted networks, since the attack requires sending a serialized payload to that listener.
For Apache Log4j:
https://issues.apache.org/jira/browse/LOG4J2-1863
For Oracle Corp. products:
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
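The first question a practitioner has after reading the version list above is whether any log4j-core jar on a given host falls into the affected range (2.0 up to, but not including, 2.8.2). The script below is an added example written for this page; it is not code from exploitDog, FSTEC, Oracle or the Log4j project. It assumes the log4j-core jar carries its version in the `Implementation-Version` or `Bundle-Version` manifest attribute (an assumption about how the jar is packaged), and falls back to the version embedded in the file name. The jars it scans in `demo()` are constructed on the fly as sample data, not real artifacts.

```python
"""Flag log4j-core jars whose version lies in the range affected by this advisory.

Added example for this page, not code from the Log4j project or the advisory
source. Affected range taken from the advisory text: Log4j 2.x from 2.0 up to
(not including) 2.8.2, fixed in LOG4J2-1863. The manifest attribute names
(Implementation-Version, Bundle-Version) are an assumption about the jar's
packaging; the file name is used as a fallback.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, Iterator, Optional, Tuple

FIRST_AFFECTED = (2, 0, 0)   # Log4j 2.0, start of the affected range
FIXED_VERSION = (2, 8, 2)    # first release containing the LOG4J2-1863 fix

_JAR_NAME = re.compile(r"log4j-core-(\d[\w.\-]*)\.jar$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'2.8.1' -> (2, 8, 1); '2.3' -> (2, 3, 0). Pre-release suffixes are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())


def is_affected(version: str) -> bool:
    """True when the version falls in [2.0, 2.8.2), the range listed by the advisory."""
    v = parse_version(version)
    return v is not None and FIRST_AFFECTED <= v < FIXED_VERSION


def jar_version(path: str) -> Optional[str]:
    """Read a log4j-core jar's version from its manifest, else from its file name."""
    with zipfile.ZipFile(path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    for key in ("Implementation-Version", "Bundle-Version"):  # assumed attribute names
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    m = _JAR_NAME.search(os.path.basename(path))
    return m.group(1) if m else None


def scan(root: str) -> Iterator[Tuple[str, Optional[str], bool]]:
    """Walk root and yield (path, version, affected) for every log4j-core jar found."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if _JAR_NAME.search(name):
                path = os.path.join(dirpath, name)
                ver = jar_version(path)
                yield path, ver, bool(ver and is_affected(ver))


def demo() -> Dict[str, Tuple[Optional[str], bool]]:
    """Create three constructed jars in a temp dir and scan them (sample data only)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    samples = {
        "lib/log4j-core-2.8.1.jar": "Implementation-Version: 2.8.1",  # last affected release
        "lib/log4j-core-2.8.2.jar": "Implementation-Version: 2.8.2",  # first fixed release
        "app/log4j-core-2.3.jar": None,  # no manifest: version comes from the file name
    }
    for rel, version_line in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            if version_line:
                zf.writestr("META-INF/MANIFEST.MF",
                            f"Manifest-Version: 1.0\r\n{version_line}\r\n")
    return {os.path.relpath(p, root).replace(os.sep, "/"): (v, hit)
            for p, v, hit in scan(root)}


if __name__ == "__main__":
    for path, (ver, hit) in sorted(demo().items()):
        print(f"{'AFFECTED' if hit else 'ok      '} {ver or '?':8} {path}")
```

Point `scan()` at an application's lib directory or an unpacked container image to get the same report for real artifacts; a hit only means the library is present in the affected range, so confirm separately whether the Log4j socket server is actually started and reachable before prioritising the upgrade.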

Vulnerability status

Confirmed by vendor

Exploit availability

Data being clarified

Remediation information

Vulnerability has been fixed

Source links

Identifiers in other vulnerability databases

EPSS: 0.94013 (percentile: 100%), Critical
CVSS3: 9.8 Critical
CVSS2: 10 Critical

Related vulnerabilities

CVSS3: 9.8
ubuntu
about 8 years ago

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

CVSS3: 8.1
redhat
about 8 years ago

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

CVSS3: 9.8
nvd
about 8 years ago

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

CVSS3: 9.8
debian
about 8 years ago

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or ...

CVSS3: 9.8
github
more than 5 years ago

Deserialization of Untrusted Data in Log4j
