CVE-2017-5645

Опубликовано: 17 апр. 2017

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Критический

Описание

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

Ссылки

http://www.openwall.com/lists/oss-security/2019/12/19/2
Mailing List
Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Patch
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Patch
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Patch
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Patch
Third Party Advisory
http://www.securityfocus.com/bid/97702
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1040200
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1041294
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2017:1417
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1801
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1802
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2423
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2633
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2635
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2636
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2637
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2638
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2808
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2809
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2810
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*

Версия от 2.0 (включая) до 2.8.2 (исключая)

Конфигурация 2

Одно из

cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:6.7:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Конфигурация 4

Одно из

cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:autovue_vuelink_integration:21.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:autovue_vuelink_integration:21.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:bi_publisher:11.1.1.7.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:bi_publisher:11.1.1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:*

Версия от 6.0 (включая) до 6.2 (включая)

cpe:2.3:a:oracle:communications_messaging_server:*:*:*:*:*:*:*:*

Версия до 8.0.2 (исключая)

cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*

Версия от 7.3.2 (включая) до 7.3.6 (включая)

cpe:2.3:a:oracle:communications_online_mediation_controller:6.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_pricing_design_center:11.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_pricing_design_center:12.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_service_broker:6.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:*

Версия до 7.2 (исключая)

cpe:2.3:a:oracle:configuration_manager:12.1.2.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:configuration_manager:12.1.2.0.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_for_fusion_middleware:12.1.0.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_for_fusion_middleware:13.2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:*:*:*:*:*:*:*:*

Версия до 13.2.2.0.0 (включая)

cpe:2.3:a:oracle:enterprise_manager_for_oracle_database:12.1.0.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_for_oracle_database:13.2.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_for_peoplesoft:13.1.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_for_peoplesoft:13.2.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*

Версия от 7.3.3.0.0 (включая) до 7.3.3.0.2 (включая)

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*

Версия от 8.0.0.0.0 (включая) до 8.0.7.0.0 (включая)

cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*

Версия от 8.0.0.0.0 (включая) до 8.0.4.0.0 (включая)

cpe:2.3:a:oracle:financial_services_behavior_detection_platform:6.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_lending_and_leasing:*:*:*:*:*:*:*:*

Версия от 14.1.0 (включая) до 14.8.0 (включая)

cpe:2.3:a:oracle:financial_services_lending_and_leasing:12.5.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.0.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.0.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:*

Версия от 8.0.0.0.0 (включая) до 8.0.7.0.0 (включая)

cpe:2.3:a:oracle:financial_services_profitability_management:6.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_regulatory_reporting_with_agilereporter:8.0.9.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:flexcube_investor_servicing:12.0.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:flexcube_investor_servicing:14.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:goldengate:12.3.2.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:goldengate_application_adapters:12.3.2.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:identity_analytics:11.1.1.5.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:identity_management_suite:11.1.2.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:identity_manager_connector:9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:in-memory_performance-driven_planning:12.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:in-memory_performance-driven_planning:12.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*

Версия от 17.1 (включая) до 17.3 (включая)

cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_policy_administration:10.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_policy_administration:10.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_policy_administration:10.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_policy_administration:11.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_rules_palette:11.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:4.0.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*

Версия от 3.4.0.0 (включая) до 3.4.7.4297 (включая)

cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*

Версия от 4.0.0.0 (включая) до 4.0.4.5235 (включая)

cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*

Версия от 8.0.0.0.0 (включая) до 8.0.0.8131 (включая)

cpe:2.3:a:oracle:peoplesoft_enterprise_fin_install:9.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:12.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:12.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:12.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:12.2.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:12.2.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:12.2.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:12.2.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:12.2.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:12.2.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:12.2.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:12.2.9:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:12.2.10:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:10.4.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.9:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.10:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*

Версия от 16.2.0 (включая) до 16.2.11 (включая)

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*

Версия от 17.12.0 (включая) до 17.12.7 (включая)

cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_advanced_inventory_planning:14.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_extract_transform_and_load:13.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_extract_transform_and_load:13.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_extract_transform_and_load:19.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_integration_bus:14.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_integration_bus:14.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_open_commerce_platform:5.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:14.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_ui_framework:18.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_ui_framework:18.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_ui_framework:18.9:*:*:*:*:*:*:*

cpe:2.3:a:oracle:soa_suite:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:soa_suite:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:soa_suite:12.2.2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:tape_library_acsls:8.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:timesten_in-memory_database:11.2.2.8.49:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_advanced_spatial_and_operational_analytics:2.7.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_work_and_asset_management:1.9.1.2.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

EPSS

Процентиль: 100%

0.94013

Критический

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-502

Связанные уязвимости

CVE-2017-5645

CVSS3: 9.8

ubuntu

около 8 лет назад

CVE-2017-5645

CVSS3: 8.1

redhat

около 8 лет назад

CVE-2017-5645

CVSS3: 9.8

debian

около 8 лет назад

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or ...

GHSA-fxph-q3j8-mv87

CVSS3: 9.8

github

больше 5 лет назад

Deserialization of Untrusted Data in Log4j

ELSA-2017-2423

oracle-oval

почти 8 лет назад

ELSA-2017-2423: log4j security update (IMPORTANT)

EPSS

Процентиль: 100%

0.94013

Критический

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-502