cristovaoolegario/astlab

CVE-2019-17571 @ Maven-log4j:log4j-1.2.17

Closed this issue · 0 comments

Checkmarx (SCA): Vulnerable Package
Vulnerability: CVE-2019-17571
Checkmarx Project: cristovaoolegario/astlab
Repository URL: https://github.com/cristovaoolegario/astlab
Branch: main
Scan ID: 8cc945ef-b0c3-4912-86b2-4501b97b201d

Log4j 1.2 includes a SocketServer class that deserializes untrusted data. When it listens for log data on an untrusted network and a suitable deserialization gadget is present on the classpath, this can be exploited to execute arbitrary code remotely. This affects Log4j 1.2 up to and including 1.2.17.

NOTE: log4j:log4j 1.2 is end-of-life since 2015 and will not be fixed. To mitigate this, users are advised to migrate to org.apache.logging.log4j:log4j-core 2.8.2 or above.
Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: HIGH
Availability impact: HIGH