CVE-2019-17571

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-17571
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17571.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-17571
Aliases
Related
Published
2019-12-20T17:15:11Z
Modified
2024-09-18T03:03:55.759617Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

References

Affected packages

Debian:11 / apache-log4j1.2

Package

Name
apache-log4j1.2
Purl
pkg:deb/debian/apache-log4j1.2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.17-9

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / apache-log4j1.2

Package

Name
apache-log4j1.2
Purl
pkg:deb/debian/apache-log4j1.2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.17-9

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / apache-log4j1.2

Package

Name
apache-log4j1.2
Purl
pkg:deb/debian/apache-log4j1.2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.17-9

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Git / github.com/apache/bookkeeper

Affected ranges

Type
GIT
Repo
https://github.com/apache/bookkeeper
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
32f9cd7d5ce73cc0f29c7e66ce5adc0e6640d222

Affected versions

release-4.*

release-4.14.0
release-4.14.1
release-4.14.2