apache log4j CVE-2019-17571 vulnerability in Apache and Other Products
Published on December 20, 2019

product logo product logo product logo product logo product logo product logo
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.


Vulnerability Analysis

CVE-2019-17571 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2019-17571 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.

Products Associated with CVE-2019-17571

You can be notified by stack.watch whenever vulnerabilities like CVE-2019-17571 are published in these products:


What versions are vulnerable to CVE-2019-17571?