CWE-502: Deserialization of Untrusted Data

CVE-2019-17571

First published: Fri Dec 20 2019

A flaw was discovered in Log4j 1.2: the SocketServer class (org.apache.log4j.net.SocketServer), which receives log events sent by SocketAppender over a TCP port, deserializes whatever objects a connecting client sends without validating them. An attacker who can reach that port can therefore send a crafted serialized object and, when a suitable deserialization gadget is on the server's classpath, execute arbitrary code remotely.

Credit: security@apache.org

| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.zenframework.z8.dependencies.commons:log4j-1.2.17 | =2.0 | |
| maven/log4j:log4j | >=1.2, <=1.2.17 | |
| debian/apache-log4j1.2 | <=1.2.17-5, <=1.2.17-7, <=1.2.17-8 | 1.2.17-9, 1.2.17-8+deb10u1, 1.2.17-7+deb9u1 |
| redhat/log4j | <0:1.2.14-6.7.el6_10 | 0:1.2.14-6.7.el6_10 |
| redhat/log4j | <0:1.2.17-16.el7_4 | 0:1.2.17-16.el7_4 |
| redhat/log4j | <0:1.2.14-19.patch_01.ep5.el5 | 0:1.2.14-19.patch_01.ep5.el5 |
| redhat/log4j | <0:1.2.14-19.patch_01.ep5.el6 | 0:1.2.14-19.patch_01.ep5.el6 |
| redhat/jboss-ec2-eap | <0:7.5.17-1.Final_redhat_4.ep6.el6 | 0:7.5.17-1.Final_redhat_4.ep6.el6 |
| redhat/eap7-jboss-ec2-eap | <0:7.0.8-1.GA_redhat_1.ep7.el6 | 0:7.0.8-1.GA_redhat_1.ep7.el6 |
| redhat/eap7-jboss-ec2-eap | <0:7.0.8-1.GA_redhat_1.ep7.el7 | 0:7.0.8-1.GA_redhat_1.ep7.el7 |
| redhat/log4j-eap6 | <0:1.2.16-12.redhat_3.1.ep6.el6 | 0:1.2.16-12.redhat_3.1.ep6.el6 |
| redhat/tomcat7 | <0:7.0.70-22.ep7.el6 | 0:7.0.70-22.ep7.el6 |
| redhat/tomcat8 | <0:8.0.36-24.ep7.el6 | 0:8.0.36-24.ep7.el6 |
| redhat/tomcat-native | <0:1.2.8-10.redhat_10.ep7.el6 | 0:1.2.8-10.redhat_10.ep7.el6 |
| redhat/log4j-eap6 | <0:1.2.16-12.redhat_3.1.ep6.el7 | 0:1.2.16-12.redhat_3.1.ep6.el7 |
| redhat/tomcat7 | <0:7.0.70-22.ep7.el7 | 0:7.0.70-22.ep7.el7 |
| redhat/tomcat8 | <0:8.0.36-24.ep7.el7 | 0:8.0.36-24.ep7.el7 |
| redhat/tomcat-native | <0:1.2.8-10.redhat_10.ep7.el7 | 0:1.2.8-10.redhat_10.ep7.el7 |
| IBM QRadar SIEM | <=7.5 | 7.5.0 UP7 |
| debian/apache-log4j1.2 | | 1.2.17-8+deb10u2, 1.2.17-8+deb10u1, 1.2.17-10+deb11u1, 1.2.17-11 |
| redhat/log4j | <2.8.2 | 2.8.2 |
| ubuntu/apache-log4j1.2 | <1.2.17-8+ | 1.2.17-8+ |
| ubuntu/apache-log4j1.2 | <1.2.17-7ubuntu1+ | 1.2.17-7ubuntu1+ |
| Apache Log4j | <=1.2.17 | |
| Debian Linux | =8.0, =9.0, =10.0 | |
| Canonical Ubuntu Linux | =18.04 | |
| openSUSE Leap | =15.1 | |
| NetApp OnCommand System Manager | >=3.0, <=3.1.3 | |
| NetApp OnCommand Workflow Automation | | |
| Oracle Application Testing Suite | =13.3.0.1 | |
| Oracle Communications Network Integrity | >=7.3.2, <=7.3.6 | |
| Oracle Endeca Information Discovery Studio | =3.2.0 | |
| Oracle Financial Services Lending And Leasing | >=14.1.0, <=14.8.0 | |
| Oracle Financial Services Lending And Leasing | =12.5.0 | |
| Oracle MySQL Enterprise Monitor | <=8.0.29 | |
| Oracle Primavera Gateway | >=16.2, <=16.2.11 | |
| Oracle Primavera Gateway | >=17.12.0, <=17.12.7 | |
| Oracle Rapid Planning | =12.1, =12.2 | |
| Oracle Retail Extract Transform And Load | =19.0 | |
| Oracle Retail Service Backbone | =14.1, =15.0, =16.0 | |
| Oracle WebLogic Server | =10.3.6.0.0, =12.1.3.0.0, =12.2.1.3.0, =12.2.1.4.0, =14.1.1.0.0 | |
| Apache Bookkeeper | <4.14.3 | |

Remedy

The Log4j upstream strongly recommends against using SerializedLayout with SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or, if they must continue to use SocketAppenders, they can change the SocketAppender configuration from SerializedLayout to JsonLayout. The vendor advisory gives this example for log4j-server.properties:

log4j.appender.file.layout=org.apache.log4j.JsonLayout

Caveat for Log4j 1.2 deployments: that layout mitigation describes the Log4j 2 SocketAppender, where the layout is configurable and a JsonLayout exists. In Log4j 1.2.x, org.apache.log4j.net.SocketAppender takes no layout at all; it always writes Java-serialized LoggingEvent objects, and SocketServer (through SocketNode) reads them with ObjectInputStream.readObject(), so the property above changes nothing there, and no org.apache.log4j.JsonLayout class ships in 1.2.17. For 1.x the dependable steps are: stop running SocketServer (or delete the class from the jar, as above), restrict network access to any listener that must stay up, and, since Log4j 1.x is end-of-life and 1.2.17 was its final release, install your distribution's backported package from the table above or migrate to Log4j 2.
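To verify the "remove the SocketServer class" mitigation across a deployment, here is an added example (not code from the advisory or the Log4j project): a Python scanner that walks a directory for jars shipping the org.apache.log4j API, reads the version from META-INF/maven/log4j/log4j/pom.properties (falling back to the manifest's Implementation-Version), and reports whether org.apache.log4j.net.SocketServer and SocketNode are still inside. The affected range (log4j:log4j >=1.2, <=1.2.17) is taken from the table above; the sample jars the script builds are constructed stand-ins with placeholder class bytes, not real Log4j builds, and the status labels are this example's own.

```python
"""Added example: find Log4j 1.x jars that still carry the SocketServer class.
Not from the advisory or the Log4j project; sample jars below are constructed."""
import re
import tempfile
import zipfile
from pathlib import Path

# Server side of the Log4j 1.2 SocketAppender protocol: SocketServer accepts
# connections, SocketNode reads each one with ObjectInputStream.readObject().
SERVER_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
)
# Marker for any jar shipping the org.apache.log4j API (1.x or the 2.x bridge).
API_MARKER = "org/apache/log4j/Logger.class"
# Maven metadata path that only the real log4j:log4j artifact carries.
POM_PROPERTIES = "META-INF/maven/log4j/log4j/pom.properties"
AFFECTED_MIN, AFFECTED_MAX = (1, 2, 0), (1, 2, 17)   # from the advisory table


def parse_version(text):
    """'1.2.17-8+deb10u1' -> (1, 2, 17); None if no leading numeric version."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def jar_version(zf):
    """Version from pom.properties, else Implementation-Version in the manifest."""
    names = set(zf.namelist())
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    if "META-INF/MANIFEST.MF" in names:
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    return None


def assess_jar(path):
    """Finding for a jar shipping the org.apache.log4j API; None for other jars."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if API_MARKER not in names:
            return None
        version = jar_version(zf)
        present = [c for c in SERVER_CLASSES if c in names]
    if version is not None and not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        status = "not-affected"   # e.g. the Log4j 2 log4j-1.2-api bridge jar
    elif not present:
        status = "mitigated"      # SocketServer/SocketNode removed from the jar
    elif version is None:
        status = "review"         # unversioned 1.x build: treat as affected
    else:
        status = "vulnerable"
    return {"jar": str(path), "version": version, "server_classes": present, "status": status}


def scan(root):
    """Assess every *.jar under root; jars without the org.apache.log4j API are skipped."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        finding = assess_jar(jar)
        if finding:
            findings.append(finding)
    return findings


def build_sample_jars(directory):
    """Constructed stand-ins (placeholder class bytes), not real Log4j builds."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only
    stock = {
        API_MARKER: stub,
        SERVER_CLASSES[0]: stub,
        SERVER_CLASSES[1]: stub,
        POM_PROPERTIES: b"version=1.2.17\ngroupId=log4j\nartifactId=log4j\n",
    }
    samples = {
        "log4j-1.2.17.jar": stock,
        "log4j-1.2.17-stripped.jar": {k: v for k, v in stock.items() if k not in SERVER_CLASSES},
        "log4j-1.2-api-2.17.1.jar": {
            API_MARKER: stub,
            "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nImplementation-Version: 2.17.1\n",
        },
        "unrelated.jar": {"com/example/App.class": stub},
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(Path(directory) / name, "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)


def demo():
    """Run the scanner over the constructed jars; returns {jar name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        return {Path(f["jar"]).name: f["status"] for f in scan(tmp)}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:13} {name}")
```

Point `scan()` at an application's lib directory (or an exploded container image) to use it for real. Jars reported as "review" have the server classes but no recoverable version; treat them as affected until proven otherwise. A "mitigated" result only says the class is gone from that jar; it does not cover a SocketServer copied elsewhere on the classpath or another process still listening on the port, so pair it with a check of listening sockets on the host.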


Frequently Asked Questions

  • What is CVE-2019-17571?

    CVE-2019-17571 is a vulnerability in Log4j where a vulnerable SocketServer class may lead to the deserialization of untrusted data, allowing remote code execution.

  • What is the severity of CVE-2019-17571?

    CVE-2019-17571 is rated Critical; NVD scores it 9.8 on CVSS v3.1, reflecting unauthenticated network access to the listening SocketServer port and full code execution on success.

  • How does CVE-2019-17571 affect Log4j?

    CVE-2019-17571 affects every Log4j 1.2.x release up to and including 1.2.17. Any process that starts org.apache.log4j.net.SocketServer deserializes objects from whoever connects to its port, so an attacker who can reach that port can obtain remote code execution if a usable gadget chain is on the classpath.

  • What is the recommended remedy for CVE-2019-17571?

    Apache shipped no fixed Log4j 1.2 release (1.2.17 was the last, and the 1.x line is end-of-life), so the remedy is one of: install the vendor package that backports the fix (for example Red Hat log4j 0:1.2.14-6.7.el6_10 on RHEL 6, or Debian apache-log4j1.2 1.2.17-8+deb10u1 on Debian 10, as listed above), remove the SocketServer class and stop running it, or migrate to Log4j 2.

  • Where can I find more information about CVE-2019-17571?

    You can find more information about CVE-2019-17571 at the following sources: [CVE](https://www.cve.org/CVERecord?id=CVE-2019-17571), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2019-17571), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1785616), [Red Hat Advisory](https://access.redhat.com/errata/RHSA-2022:5053).

© 2024 SecAlerts Pty Ltd.