#VU12127 Deserialization of untrusted data in Apache Log4j


Published: 2018-04-24

Vulnerability identifier: #VU12127

Vulnerability risk: High

CVSSv3.1: 3.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5645

CWE-ID: CWE-502

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Log4j
Universal components / Libraries / Libraries used by multiple products

Vendor: Apache Foundation

Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists receiving serialized log events from another application when using the TCP socket server or UDP socket server. A remote attacker can submit a specially crafted binary payload, when deserialized, and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
Update to version 2.8.2.

Vulnerable software versions

Apache Log4j: 2.0 - 2.8.1

External links
http://issues.apache.org/jira/browse/LOG4J2-1863

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Application Performance Management products
Amazon Linux AMI update for log4j
Deserialization of untrusted data in Identity Manager Connector
Multiple vulnerabilities in Oracle Financial Services Regulatory Reporting with AgileREPORTER
Multiple vulnerabilities in Oracle TimesTen In-Memory Database
Multiple vulnerabilities in Oracle Endeca Information Discovery Studio
Multiple vulnerabilities in Oracle WebLogic Server
Multiple vulnerabilities in Oracle Financial Services Lending and Leasing
Multiple vulnerabilities in Oracle Application Testing Suite
Multiple vulnerabilities in Primavera Gateway