Updated: 2023-11-07 20:11:52.269092
Description:
Log4j 1.2 ships a SocketServer class that deserializes untrusted data: it reads Java-serialized objects from any client that connects and passes them to ObjectInputStream.readObject() before their type is checked. When the server is listening for log data on an untrusted network and a deserialization gadget chain is present on its classpath, a remote client can send a crafted object stream and execute arbitrary code. This affects every Log4j 1.2 release up to and including 1.2.17.
Metric | Severity | Score |
---|---|---|
CVSS Version 2.x | HIGH | 7.5 |
CVSS Version 3.x | CRITICAL | 9.8 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
---|---|---|---|---|---|---|---|
CentOS 6 ELS | log4j | 1.2.14 | 9.8 | CRITICAL | Released | CLSA-2022:1655843011 | 2022-07-04 11:40:38 |
CloudLinux 6 ELS | log4j | 1.2.14 | 9.8 | CRITICAL | Released | CLSA-2022:1655842928 | 2022-07-04 11:40:38 |
Oracle Linux 6 ELS | log4j | 1.2.14 | 9.8 | CRITICAL | Released | CLSA-2022:1655842760 | 2022-06-21 17:41:33 |
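The following is an added example, not code from Log4j or from any of the vendors listed above. It contrasts the receiving pattern the description refers to (Log4j 1.2's SocketServer hands each connection to a SocketNode that calls ObjectInputStream.readObject() and only then casts the result to LoggingEvent) with a hardened reader that installs a JEP 290 ObjectInputFilter allow-listing only the classes a serialized LoggingEvent legitimately carries. To stay runnable without the log4j jar, the demonstration feeds both readers a benign java.util.Hashtable (the type LoggingEvent uses for its MDC copy) and a java.util.Date standing in for an unexpected gadget class; the allow-list itself, the class name FilteredLogReceiver, and the depth and reference bounds are assumptions chosen for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Date;
import java.util.Hashtable;
import java.util.Set;

public class FilteredLogReceiver {

    // Vulnerable pattern (same shape as Log4j 1.2's SocketNode): deserialize whatever the
    // peer sent, then cast. A gadget chain runs inside readObject(), before any cast.
    static Object readUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return ois.readObject();
        }
    }

    // Assumed allow-list: the classes present in a serialized Log4j 1.2 LoggingEvent.
    // Extend it if your MDC values are not plain Strings.
    static final Set<String> ALLOWED = Set.of(
        "org.apache.log4j.spi.LoggingEvent",
        "org.apache.log4j.spi.LocationInfo",
        "org.apache.log4j.spi.ThrowableInformation",
        "java.util.Hashtable",
        "java.lang.String");

    // JEP 290 filter: consulted for every class, array and depth step of the stream.
    static final ObjectInputFilter LOG_EVENT_FILTER = info -> {
        if (info.depth() > 8 || info.references() > 1000) {
            return ObjectInputFilter.Status.REJECTED;  // bound nesting and graph size (assumed limits)
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED; // size-only callback, no class to judge
        }
        while (c.isArray()) {
            c = c.getComponentType();                  // e.g. String[] inside ThrowableInformation
        }
        if (c.isPrimitive() || ALLOWED.contains(c.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;      // unknown class: refused before it is resolved
    };

    // Hardened pattern: the filter is attached before the first readObject() call.
    static Object readFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            ois.setObjectInputFilter(LOG_EVENT_FILTER);
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a Hashtable like LoggingEvent's MDC copy, and a Date as a
        // stand-in for a class an attacker would send (no real gadget chain is used here).
        Hashtable<String, String> mdcLike = new Hashtable<>();
        mdcLike.put("user", "alice");
        byte[] benign = serialize(mdcLike);
        byte[] unexpected = serialize(new Date());

        System.out.println("unfiltered, benign:     " + readUnfiltered(benign));
        System.out.println("unfiltered, unexpected: " + readUnfiltered(unexpected)); // accepted: the bug
        System.out.println("filtered,   benign:     " + readFiltered(benign));
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered,   unexpected: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac FilteredLogReceiver.java && java FilteredLogReceiver` on Java 9 or later (java.io.ObjectInputFilter; Java 8u121 and later carry the same mechanism under sun.misc.ObjectInputFilter). A filter of this kind reduces the attack surface but does not replace the fix: an allow-listed class with a dangerous readObject() would still run, so a SocketServer should not be reachable from untrusted networks at all, and the vendor errata in the table above should be applied where this package is still in use.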