Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data. When the server listens for log data on untrusted network traffic, this can be exploited to remotely execute arbitrary code when combined with a deserialization gadget. This affects Log4j versions 1.2 up to 1.2.17.
CVSS v3.1 base score: 9.8 (exploitability score: 3.9, impact score: 5.9)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0 base score: 7.5 (exploitability score: 10, impact score: 6.4)
CVSS v2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Last Modified: Dec 14, 2022
cpe:2.3:a:apache:bookkeeper:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_lending_and_leasing:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_lending_and_leasing:12.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_extract_transform_and_load:19.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_service_backbone:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
[MLIST] [tika-dev] 20191230 [jira] [Created] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]
[MLIST] [tika-dev] 20200106 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]
[MLIST] [tika-dev] 20200107 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]
[MLIST] [tika-dev] 20200108 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]
[CONFIRM] https://security.netapp.com/advisory/ntap-20200110-0001/
[MLIST] [tika-dev] 20200110 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]
[MLIST] [debian-lts-announce] 20200112 [SECURITY] [DLA 2065-1] apache-log4j1.2 security update
[MLIST] [tika-dev] 20200114 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]
[MLIST] [tika-dev] 20200115 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]
[MLIST] [zookeeper-dev] 20200118 Build failed in Jenkins: zookeeper-master-maven-owasp #329
[MLIST] [zookeeper-user] 20200201 Re: Zookeeper 3.5.6 supports log4j 2.x?
[MLIST] [jena-dev] 20200318 Re: Logging (JENA-1005)
[MISC] https://www.oracle.com/security-alerts/cpujul2020.html
[MLIST] [kafka-users] 20210210 Security: CVE-2019-17571 (log4j)
[MLIST] [activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs
[MLIST] [activemq-users] 20210427 Re: Release date for ActiveMQ v5.16.2 to fix CVEs
[MLIST] [kafka-dev] 20210611 Re: [DISCUSS] KIP-719: Add Log4J2 Appender
[MISC] https://www.oracle.com/security-alerts/cpuApr2021.html
[MLIST] [kafka-users] 20210617 vulnerabilities
[MLIST] [activemq-users] 20210830 Security issues
[MLIST] [activemq-users] 20210831 RE: Security issues
[MLIST] [kafka-users] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image
[MLIST] [kafka-dev] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image
[MISC] https://www.oracle.com/security-alerts/cpuapr2022.html