
CVE-2017-5645

Published: 02 Apr 2017
Source: redhat
CVSS3: 8.1
EPSS: Critical

Description

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.

Statement

The flaw in Log4j 1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j 2.x.

Affected packages

Platform | Package | State | Recommendation | Release
Red Hat AMQ Broker 7 | hawtio-osgi | Affected | |
Red Hat Enterprise Linux 5 | log4j | Will not fix | |
Red Hat Enterprise Linux 6 | log4j | Will not fix | |
Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Operational Tools | log4j | Not affected | |
Red Hat Enterprise Virtualization 3 | jasperreports-server-pro | Will not fix | |
Red Hat Fuse 7 | log4j | Affected | |
Red Hat JBoss A-MQ 6 | log4j | Affected | |
Red Hat JBoss BRMS 5 | log4j | Will not fix | |
Red Hat JBoss Data Grid 7 | log4j-core | Affected | |
Red Hat JBoss Data Virtualization 6 | log4j | Not affected | |


Additional information

Severity: Important
Weakness: CWE-502
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1443635 (log4j: Socket receiver deserialization vulnerability)

EPSS: 0.94013 (percentile: 100%, Critical)

CVSS3: 8.1 High

Related vulnerabilities

CVSS3: 9.8
ubuntu
about 8 years ago

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

CVSS3: 9.8
nvd
about 8 years ago

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

CVSS3: 9.8
debian
about 8 years ago

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or ...

CVSS3: 9.8
github
more than 5 years ago

Deserialization of Untrusted Data in Log4j

oracle-oval
almost 8 years ago

ELSA-2017-2423: log4j security update (IMPORTANT)
