CVE-2017-5645
CRITICAL9.8EPSS 94.0%Deserialization of Untrusted Data in Log4j
Published: 1/6/2020Modified: 3/14/2024
Description
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Affected packages (3)
- Debian/apache-log4j2from 0, < 2.7-2
- Maven/org.apache.logging.log4j:log4j>= 2.0, < 2.8.2
- Maven/org.apache.logging.log4j:log4j-core>= 2.0, < 2.8.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (85)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-5645
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-5645
- PATCHhttps://github.com/apache/logging-log4j2
- WEBhttps://access.redhat.com/errata/RHSA-2017:1417
- WEBhttps://access.redhat.com/errata/RHSA-2017:1801
- WEBhttps://access.redhat.com/errata/RHSA-2017:1802
- WEBhttps://access.redhat.com/errata/RHSA-2017:2423
- WEBhttps://access.redhat.com/errata/RHSA-2017:2633
- WEBhttps://access.redhat.com/errata/RHSA-2017:2635
- WEBhttps://access.redhat.com/errata/RHSA-2017:2636
- WEBhttps://access.redhat.com/errata/RHSA-2017:2637
- WEBhttps://access.redhat.com/errata/RHSA-2017:2638
- WEBhttps://access.redhat.com/errata/RHSA-2017:2808
- WEBhttps://access.redhat.com/errata/RHSA-2017:2809
- WEBhttps://access.redhat.com/errata/RHSA-2017:2810
- WEBhttps://access.redhat.com/errata/RHSA-2017:2811
- WEBhttps://access.redhat.com/errata/RHSA-2017:2888
- WEBhttps://access.redhat.com/errata/RHSA-2017:2889
- WEBhttps://access.redhat.com/errata/RHSA-2017:3244
- WEBhttps://access.redhat.com/errata/RHSA-2017:3399
- WEBhttps://access.redhat.com/errata/RHSA-2017:3400
- WEBhttps://access.redhat.com/errata/RHSA-2019:1545
- WEBhttps://issues.apache.org/jira/browse/LOG4J2-1863
- WEBhttps://lists.apache.org/thread.html/0dcca05274d20ef2d72584edcf8c917bbb13dbbd7eb35cae909d02e9@%3Cdev.logging.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1@%3Cdev.tika.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c@%3Cdev.tika.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6@%3Cdev.tika.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c@%3Cissues.activemq.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917@%3Cannounce.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac@%3Cissues.activemq.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/e8fb7d76a244ee997ba4b217d6171227f7c2521af8c7c5b16cba27bc@%3Cdev.logging.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125@%3Cdev.logging.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r0831e2e52a390758ce39a6193f82c11c295175adce6e6307de28c287@%3Cissues.beam.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c@%3Cissues.activemq.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r23369fd603eb6d62d3b883a0a28d12052dcbd1d6d531137124cd7f83@%3Cgithub.beam.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3@%3Cissues.activemq.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211@%3Cissues.activemq.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397@%3Cissues.activemq.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8@%3Cdev.tika.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919@%3Cissues.activemq.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad@%3Cdev.tika.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78@%3Cissues.activemq.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1@%3Cdev.tika.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5@%3Cdev.tika.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826@%3Cissues.activemq.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r94b5aae09c4bcff5d06cf641be17b00bd83ba7e10cad737bf16a1b8f@%3Cgithub.beam.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r9d5c1b558a15d374bd5abd2d3ae3ca7e50e796a0efdcf91e9c5b4cdd@%3Cgithub.beam.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60@%3Cdev.tika.apache.org%3E
- … 35 more