Description

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Mitigation

Starting with version(s) 2.x, `log4j:log4j` was relocated to `org.apache.logging.log4j:log4j-core`. A variation of this vulnerability exists in `org.apache.logging.log4j:log4j-core` as CVE-2017-5645, in versions up to but excluding 2.8.2. Therefore, it is recommended to upgrade to `org.apache.logging.log4j:log4j-core` version(s) 2.8.2 and above. For `log4j:log4j` 1.x versions however, a fix does not exist.

*NOTE:*
> Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2.x which both addresses that vulnerability as well as numerous other issues in the previous versions.

Reference: [https://logging.apache.org/log4j/1.2/](https://logging.apache.org/log4j/1.2/)

Related links:

• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571

• https://issues.apache.org/jira/browse/LOG4J2-1863

• https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E

• https://bugzilla.redhat.com/show_bug.cgi?id=1785616