Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
CVE-2019-17571 (application_testing_suite, communications_network_integrity, debian_linux, endeca_information_discovery_studio, financial_services_lending_and_leasing, leap, log4j, oncommand_system_manager, oncommand_workflow_automation, primavera_gateway, rapid_planning, retail_extract_transform_and_load, retail_service_backbone, ubuntu_linux, weblogic_server)
Leave a reply
