CVE-2019-17571

Updated: 2023-11-07 20:11:52.269092

Description:

Log4j 1.2 includes a SocketServer class that deserializes untrusted data. When it listens for log data on untrusted network traffic, this can be combined with a deserialization gadget to execute arbitrary code remotely. This affects Log4j versions from 1.2 up to 1.2.17.

Links: NIST, CIRCL, RHEL, Ubuntu

Severity

Metric              Severity   Score
CVSS Version 2.x    HIGH       7.5
CVSS Version 3.x    CRITICAL   9.8

Status

OS name             Project name   Version   Score   Severity   Status     Errata                 Last updated
CentOS 6 ELS        log4j          1.2.14    9.8     CRITICAL   Released   CLSA-2022:1655843011   2022-07-04 11:40:38
CloudLinux 6 ELS    log4j          1.2.14    9.8     CRITICAL   Released   CLSA-2022:1655842928   2022-07-04 11:40:38
Oracle Linux 6 ELS  log4j          1.2.14    9.8     CRITICAL   Released   CLSA-2022:1655842760   2022-06-21 17:41:33