CVE-2019-17571

Published Dec 20, 2019

Last updated a year ago

CVSS critical 9.8

Overview

Description: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Source: security@apache.org
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

CVSS 2.0

Type: Primary
Base score: 7.5
Impact score: 6.4
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-502
security@apache.org: CWE-502

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "362179E0-FF81-4DED-B456-552615222A8C",
            "versionEndIncluding": "1.2.17"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43"
          },
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"
          },
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B9273745-6408-4CD3-94E8-9385D4F5FE69",
            "versionEndIncluding": "3.1.3",
            "versionStartIncluding": "3.0"
          },
          {
            "criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A125E817-F974-4509-872C-B71933F42AD1"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "ABD748C9-24F6-4739-9772-208B98616EE2",
            "versionEndIncluding": "7.3.6",
            "versionStartIncluding": "7.3.2"
          },
          {
            "criteria": "cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9D03A8C9-35A5-4B75-9711-7A4A60457307"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_lending_and_leasing:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2959030B-A9B7-4423-A2E8-9352FC83C4A2",
            "versionEndIncluding": "14.8.0",
            "versionStartIncluding": "14.1.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:financial_services_lending_and_leasing:12.5.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "317CA916-61F3-4E24-B42F-610A1C88A5BA"
          },
          {
            "criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B0EBAC6D-D0CE-42A1-AEA0-2D50C8035747",
            "versionEndIncluding": "8.0.29"
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1CB8F81A-D028-4258-9A4F-ADEE25BE95FC",
            "versionEndIncluding": "16.2.11",
            "versionStartIncluding": "16.2"
          },
          {
            "criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E4AA3854-C9FD-4287-85A0-EE7907D1E1ED",
            "versionEndIncluding": "17.12.7",
            "versionStartIncluding": "17.12.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "19A0F1AF-F2E6-44E7-8E2D-190E103B72D3"
          },
          {
            "criteria": "cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6D53690D-3390-4A27-988A-709CD89DD05B"
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_extract_transform_and_load:19.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4E306B67-E1BD-4A67-A77D-A7DC72D5B957"
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_service_backbone:14.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "378A6656-252B-4929-83EA-BC107FDFD357"
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "363395FA-C296-4B2B-9D6F-BCB8DBE6FACE"
          },
          {
            "criteria": "cpe:2.3:a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F62A2144-5EF8-4319-B8C2-D7975F51E5FA"
          },
          {
            "criteria": "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B40B13B7-68B3-4510-968C-6A730EB46462"
          },
          {
            "criteria": "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C93CC705-1F8C-4870-99E6-14BF264C3811"
          },
          {
            "criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66"
          },
          {
            "criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418"
          },
          {
            "criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:bookkeeper:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8AF2C94A-428B-47AF-B0A5-09EFB109941C",
            "versionEndExcluding": "4.14.3"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References