CVE-2019-17571 (High) detected in log4j-1.2.17.jar #128

mend-for-github-com · 2021-08-11T01:05:10Z

CVE-2019-17571 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to vulnerable library: /tiered-storage/file-system/target/classes/META-INF/bundled-dependencies/log4j-1.2.17.jar

Dependency Hierarchy:

❌ log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571

Release Date: 2019-12-20

Fix Resolution: org.apache.logging.log4j:log4j-core:2.0

Check this box to open an automated fix PR

mend-for-github-com bot added the security vulnerability Security vulnerability detected by WhiteSource label Aug 11, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2019-17571 (High) detected in log4j-1.2.17.jar #128

CVE-2019-17571 (High) detected in log4j-1.2.17.jar #128

mend-for-github-com bot commented Aug 11, 2021

CVE-2019-17571 (High) detected in log4j-1.2.17.jar #128

CVE-2019-17571 (High) detected in log4j-1.2.17.jar #128

Comments

mend-for-github-com bot commented Aug 11, 2021

CVE-2019-17571 - High Severity Vulnerability