CVE-2019-17571
20.12.2019, 17:15
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.Enginsight
| Vendor | Product | Version |
|---|---|---|
| apache | log4j | 𝑥 ≤ 1.2.17 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
| canonical | ubuntu_linux | 18.04 |
| opensuse | leap | 15.1 |
| netapp | oncommand_system_manager | 3.0 ≤ 𝑥 ≤ 3.1.3 |
| netapp | oncommand_workflow_automation | - |
| oracle | application_testing_suite | 13.3.0.1 |
| oracle | communications_network_integrity | 7.3.2 ≤ 𝑥 ≤ 7.3.6 |
| oracle | endeca_information_discovery_studio | 3.2.0 |
| oracle | financial_services_lending_and_leasing | 14.1.0 ≤ 𝑥 ≤ 14.8.0 |
| oracle | financial_services_lending_and_leasing | 12.5.0 |
| oracle | mysql_enterprise_monitor | 𝑥 ≤ 8.0.29 |
| oracle | primavera_gateway | 16.2 ≤ 𝑥 ≤ 16.2.11 |
| oracle | primavera_gateway | 17.12.0 ≤ 𝑥 ≤ 17.12.7 |
| oracle | rapid_planning | 12.1 |
| oracle | rapid_planning | 12.2 |
| oracle | retail_extract_transform_and_load | 19.0 |
| oracle | retail_service_backbone | 14.1 |
| oracle | retail_service_backbone | 15.0 |
| oracle | retail_service_backbone | 16.0 |
| oracle | weblogic_server | 10.3.6.0.0 |
| oracle | weblogic_server | 12.1.3.0.0 |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | weblogic_server | 14.1.1.0.0 |
| apache | bookkeeper | 𝑥 < 4.14.3 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| apache-log4j1.2 |
|
Common Weakness Enumeration
References