CVE-2019-17571

Published on: 12/20/2019 12:00:00 AM UTC

Last Modified on: 12/14/2022 05:50:00 PM UTC

CVE-2019-17571

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of Bookkeeper from Apache contain the following vulnerability:

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

CVE-2019-17571 has been assigned by secu[email protected] to track the vulnerability - currently rated as CRITICAL severity.
Affected Vendor/Software: Apache Software Foundation - Log4j version versions up to 1.2.17

CVSS3 Score: 9.8 - CRITICAL

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	LOW	NONE	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	HIGH	HIGH	HIGH

CVSS2 Score: 7.5 - HIGH

Access Vector^ⓘ	Access Complexity	Authentication
NETWORK	LOW	NONE
Confidentiality Impact	Integrity Impact	Availability Impact
PARTIAL	PARTIAL	PARTIAL

CVE References

Description	Tags ^ⓘ	Link
Pony Mail!	lists.apache.org text/html	MLIST [kafka-users] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image
Pony Mail!	lists.apache.org text/html	MLIST [kafka-users] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [activemq-issues] 20200122 [jira] [Assigned] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571
Pony Mail!	lists.apache.org text/html	MLIST [kafka-users] 20210617 vulnerabilities
Pony Mail!	lists.apache.org text/html	MLIST [kafka-dev] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [activemq-issues] 20200228 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [kafka-jira] 20200625 [GitHub] [kafka] dongjinleekr commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571
Pony Mail!	Mailing List Patch Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-commits] 20200504 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [hadoop-common-issues] 20200824 [jira] [Created] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [kafka-jira] 20200514 [GitHub] [kafka] jeffhuang26 commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-dev] 20201103 [jira] [Created] (ZOOKEEPER-3990) Log4j 1.2.17 used by zookeeper 3.6.1 is vulnerable to CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [activemq-issues] 20200122 [jira] [Assigned] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [tika-dev] 20200106 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [kafka-jira] 20200624 [GitHub] [kafka] dongjinleekr commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [kafka-jira] 20200105 [jira] [Updated] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571
Pony Mail!	Mailing List Patch Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-commits] 20200118 [zookeeper] branch master updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-issues] 20200118 [jira] [Resolved] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Pony Mail!	lists.apache.org text/html	MLIST [bookkeeper-issues] 20211017 [GitHub] [bookkeeper] eolivelli commented on a change in pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571
Pony Mail!	lists.apache.org text/html	MLIST [bookkeeper-issues] 20211007 [GitHub] [bookkeeper] RaulGracia commented on pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [hadoop-common-issues] 20200824 [jira] [Commented] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Address: CVE-2019-17571)
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [kafka-jira] 20200105 [jira] [Created] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571
Oracle Critical Patch Update Advisory - July 2020	Third Party Advisory www.oracle.com text/html	MISC www.oracle.com/security-alerts/cpujul2020.html
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [activemq-issues] 20200127 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [kafka-jira] 20200106 [jira] [Commented] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571
Oracle Critical Patch Update Advisory - April 2022	www.oracle.com text/html	MISC www.oracle.com/security-alerts/cpuapr2022.html
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [hadoop-common-dev] 20200824 [jira] [Created] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [tika-dev] 20200111 Re: [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571
Pony Mail!	lists.apache.org text/html	MLIST [bookkeeper-issues] 20211006 [GitHub] [bookkeeper] eolivelli commented on a change in pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [tika-dev] 20200108 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
[security-announce] openSUSE-SU-2020:0051-1: important: Security update	Mailing List Third Party Advisory lists.opensuse.org text/html	SUSE openSUSE-SU-2020:0051
Pony Mail!	Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-dev] 20200107 [jira] [Created] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-issues] 20201103 [jira] [Resolved] (ZOOKEEPER-3990) Log4j 1.2.17 used by zookeeper 3.6.1 is vulnerable to CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-issues] 20200108 [jira] [Assigned] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [kafka-jira] 20200106 [jira] [Assigned] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [hadoop-common-issues] 20200824 [jira] [Assigned] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [tika-dev] 20200107 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]
Pony Mail!	lists.apache.org text/html	MLIST [portals-pluto-dev] 20210629 [jira] [Updated] (PLUTO-787) Migrate from Log4J and SLF4J dependencies due to CVE-2019-17571
Pony Mail!	lists.apache.org text/html	MLIST [bookkeeper-issues] 20211006 [GitHub] [bookkeeper] RaulGracia opened a new pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-notifications] 20200118 [GitHub] [zookeeper] asfgit closed pull request #1209: ZOOKEEPER-3677 owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-issues] 20200108 [jira] [Updated] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [tika-dev] 20200110 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]
Pony Mail!	lists.apache.org text/html	MLIST [bookkeeper-issues] 20211007 [GitHub] [bookkeeper] RaulGracia commented on a change in pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-issues] 20200129 [jira] [Updated] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Pony Mail!	lists.apache.org text/html	MLIST [bookkeeper-issues] 20211017 [GitHub] [bookkeeper] zymap commented on pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571
Pony Mail!	lists.apache.org text/html	MLIST [kafka-dev] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [kafka-jira] 20210211 [GitHub] [kafka] ch4rl353y commented on pull request #7898: KAFKA-9366: Change log4j dependency into log4j2
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [kafka-users] 20210210 Security: CVE-2019-17571 (log4j)
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [tika-dev] 20200111 [jira] [Closed] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [tika-dev] 20191226 [jira] [Created] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [activemq-issues] 20200730 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571
Pony Mail!	lists.apache.org text/html	MLIST [activemq-users] 20210830 Security issues
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [activemq-issues] 20200122 [jira] [Resolved] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]
Pony Mail!	Mailing List Patch Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-commits] 20200118 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Debian -- Security Information -- DSA-4686-1 apache-log4j1.2	Third Party Advisory www.debian.org Depreciated Link text/html	DEBIAN DSA-4686
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-issues] 20200107 [jira] [Commented] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Pony Mail!	lists.apache.org text/html	MLIST [bookkeeper-issues] 20211013 [GitHub] [bookkeeper] eolivelli commented on pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-user] 20200201 Re: Zookeeper 3.5.6 supports log4j 2.x?
Pony Mail!	lists.apache.org text/html	MLIST [tinkerpop-dev] 20210316 [jira] [Created] (TINKERPOP-2534) Log4j flagged as critical security violation
Pony Mail!	Vendor Advisory lists.apache.org text/html	MLIST [tika-dev] 20200115 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]
Pony Mail!	lists.apache.org text/html	MLIST [portals-pluto-dev] 20210629 [jira] [Updated] (PLUTO-787) Migrate from Log4j 1.x to Log4j 2.x due to CVE-2019-17571
Pony Mail!	lists.apache.org text/html	MLIST [portals-pluto-scm] 20210629 [portals-pluto] branch master updated: PLUTO-787 Migrate from Log4j 1.x to Log4j 2.x due to CVE-2019-17571
USN-4495-1: Apache Log4j vulnerability \| Ubuntu security notices \| Ubuntu	Mailing List Vendor Advisory usn.ubuntu.com text/html	UBUNTU USN-4495-1
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [kafka-jira] 20200602 [GitHub] [kafka] dongjinleekr commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [activemq-issues] 20200122 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571
[SECURITY] [DLA 2065-1] apache-log4j1.2 security update	Mailing List Third Party Advisory lists.debian.org text/html	MLIST [debian-lts-announce] 20200112 [SECURITY] [DLA 2065-1] apache-log4j1.2 security update
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [activemq-issues] 20200228 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [activemq-issues] 20200122 [jira] [Updated] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [hadoop-common-issues] 20200824 [jira] [Updated] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Address: CVE-2019-17571)
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	CONFIRM lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E
Pony Mail!	lists.apache.org text/html	MLIST [activemq-users] 20210831 RE: Security issues
Pony Mail!	lists.apache.org text/html	MLIST [activemq-users] 20210427 Re: Release date for ActiveMQ v5.16.2 to fix CVEs
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [tika-dev] 20191226 [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [druid-commits] 20200406 [GitHub] [druid] ccaominh commented on issue #9579: Add Apache Ranger Authorization
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [activemq-issues] 20200228 [jira] [Resolved] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [kafka-jira] 20200107 [jira] [Updated] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [activemq-issues] 20191230 [jira] [Created] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]
Pony Mail!	lists.apache.org text/html	MLIST [bookkeeper-issues] 20211007 [GitHub] [bookkeeper] eolivelli commented on a change in pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-issues] 20200107 [jira] [Created] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [kafka-jira] 20200529 [GitHub] [kafka] ijuma commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571
Pony Mail!	lists.apache.org text/html	MLIST [bookkeeper-issues] 20211006 [GitHub] [bookkeeper] RaulGracia opened a new issue #2815: Upgrade to log4j2 to get rid of CVE-2019-17571
Pony Mail!	Mailing List Patch Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-commits] 20200504 [zookeeper] branch master updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-dev] 20200118 Build failed in Jenkins: zookeeper-master-maven-owasp #329
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [hadoop-common-issues] 20200824 [jira] [Comment Edited] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Address: CVE-2019-17571)
Pony Mail!	Mailing List Patch Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-commits] 20200504 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488
Pony Mail!	Vendor Advisory lists.apache.org text/html	MLIST [tika-dev] 20200114 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-notifications] 20200108 [GitHub] [zookeeper] eolivelli opened a new pull request #1209: ZOOKEEPER-3677 owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Pony Mail!	lists.apache.org text/html	MLIST [hadoop-common-issues] 20211006 [jira] [Commented] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Address: CVE-2019-17571)
Oracle Critical Patch Update Advisory - April 2020	Third Party Advisory www.oracle.com text/html	N/A N/A
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [logging-log4j-user] 20200224 Apache Log4j - Migration activity to 2.12.1 version - Request to support for the queries posted
Pony Mail!	lists.apache.org text/html	MLIST [bookkeeper-issues] 20211016 [GitHub] [bookkeeper] pkumar-singh commented on a change in pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571
Pony Mail!	lists.apache.org text/html	MLIST [activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [hadoop-common-issues] 20200824 [jira] [Comment Edited] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Adress: CVE-2019-17571)
Pony Mail!	lists.apache.org text/html	MLIST [bookkeeper-issues] 20211018 [GitHub] [bookkeeper] RaulGracia commented on pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [activemq-issues] 20200208 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571
Pony Mail!	lists.apache.org text/html	MLIST [kafka-dev] 20210611 Re: [DISCUSS] KIP-719: Add Log4J2 Appender
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-issues] 20201103 [jira] [Created] (ZOOKEEPER-3990) Log4j 1.2.17 used by zookeeper 3.6.1 is vulnerable to CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-issues] 20200108 [jira] [Commented] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
CVE-2019-17571 Apache Log4j Vulnerability in NetApp Products \| NetApp Product Security	Third Party Advisory security.netapp.com text/html	CONFIRM security.netapp.com/advisory/ntap-20200110-0001/
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [jena-dev] 20200318 Re: Logging (JENA-1005)
Pony Mail!	lists.apache.org text/html	MLIST [portals-pluto-dev] 20210629 [jira] [Closed] (PLUTO-787) Migrate from Log4j 1.x to Log4j 2.x due to CVE-2019-17571
Pony Mail!	Mailing List Patch Vendor Advisory lists.apache.org text/html	MLIST [zookeeper-commits] 20200118 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Oracle Critical Patch Update Advisory - July 2022	www.oracle.com text/html	MISC www.oracle.com/security-alerts/cpujul2022.html
Oracle Critical Patch Update Advisory - April 2021	www.oracle.com text/html	MISC www.oracle.com/security-alerts/cpuApr2021.html
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [hadoop-common-issues] 20200824 [jira] [Updated] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Adress: CVE-2019-17571)
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [tika-dev] 20191230 [jira] [Created] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]
Pony Mail!	lists.apache.org text/html	MLIST [bookkeeper-commits] 20211014 [bookkeeper] branch master updated: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571 (#2816)
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [hadoop-common-issues] 20200824 [jira] [Commented] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [tika-dev] 20200111 [jira] [Resolved] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [activemq-issues] 20191226 [jira] [Created] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571
Pony Mail!	Mailing List Vendor Advisory lists.apache.org text/html	MLIST [kafka-dev] 20200105 [jira] [Created] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

199275 Ubuntu Security Notification for Apache Log4j Vulnerabilities (USN-5998-1)
353112 Amazon Linux Security Advisory for log4j : ALAS-2022-1562
372577 IBM Spectrum Control (Tivoli Storage Productivity Center) Apache Log4j vulnerability (1488939)
980407 Java (maven) Security Update for log4j:log4j (GHSA-2qrg-x229-3v8q)

Exploit/POC from Github

Environment for CVE_2019_17571

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Bookkeeper	All	All	All	All
Application	Apache	Log4j	All	All	All	All
Operating System	Canonical	Ubuntu Linux	18.04	All	All	All
Operating System	Canonical	Ubuntu Linux	18.04	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Netapp	Oncommand System Manager	All	All	All	All
Application	Netapp	Oncommand Workflow Automation	-	All	All	All
Application	Netapp	Oncommand Workflow Automation	-	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Application	Oracle	Application Testing Suite	13.3.0.1	All	All	All
Application	Oracle	Application Testing Suite	13.3.0.1	All	All	All
Application	Oracle	Communications Network Integrity	All	All	All	All
Application	Oracle	Endeca Information Discovery Studio	3.2.0	All	All	All
Application	Oracle	Endeca Information Discovery Studio	3.2.0	All	All	All
Application	Oracle	Financial Services Lending And Leasing	12.5.0	All	All	All
Application	Oracle	Financial Services Lending And Leasing	12.5.0	All	All	All
Application	Oracle	Financial Services Lending And Leasing	All	All	All	All
Application	Oracle	Mysql Enterprise Monitor	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Rapid Planning	12.1	All	All	All
Application	Oracle	Rapid Planning	12.2	All	All	All
Application	Oracle	Rapid Planning	12.1	All	All	All
Application	Oracle	Rapid Planning	12.2	All	All	All
Application	Oracle	Retail Extract Transform And Load	19.0	All	All	All
Application	Oracle	Retail Extract Transform And Load	19.0	All	All	All
Application	Oracle	Retail Service Backbone	14.1	All	All	All
Application	Oracle	Retail Service Backbone	15.0	All	All	All
Application	Oracle	Retail Service Backbone	16.0	All	All	All
Application	Oracle	Retail Service Backbone	14.1	All	All	All
Application	Oracle	Retail Service Backbone	15.0	All	All	All
Application	Oracle	Retail Service Backbone	16.0	All	All	All
Application	Oracle	Weblogic Server	10.3.6.0.0	All	All	All
Application	Oracle	Weblogic Server	12.1.3.0.0	All	All	All
Application	Oracle	Weblogic Server	12.2.1.3.0	All	All	All
Application	Oracle	Weblogic Server	12.2.1.4.0	All	All	All
Application	Oracle	Weblogic Server	14.1.1.0.0	All	All	All
Application	Oracle	Weblogic Server	10.3.6.0.0	All	All	All
Application	Oracle	Weblogic Server	12.1.3.0.0	All	All	All
Application	Oracle	Weblogic Server	12.2.1.3.0	All	All	All
Application	Oracle	Weblogic Server	12.2.1.4.0	All	All	All
Application	Oracle	Weblogic Server	14.1.1.0.0	All	All	All

cpe:2.3:a:apache:bookkeeper:*:*:*:*:*:*:*:*:
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*:
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*:
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*:
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*:
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*:
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*:
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*:
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*:
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*:
cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*:
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*:
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*:
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*:
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:financial_services_lending_and_leasing:12.5.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:financial_services_lending_and_leasing:12.5.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:financial_services_lending_and_leasing:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:retail_extract_transform_and_load:19.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:retail_extract_transform_and_load:19.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:retail_service_backbone:14.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:retail_service_backbone:14.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE

Social Mentions

Source	Title	Posted (UTC)
@pottrsec	Critical CVE updated: CVE-2019-17571 #SocketServer "Included in Log4j 1.2 is a SocketServer class that is vulnerab… twitter.com/i/web/status/1…	2021-10-14 21:00:00
@GenKa_232	なんでLog4j1.xを気にするのだろう…。もし居るならCVE-2019-17571とか放置されてるから今に始まったことじゃない。いるかもしれない理論はやり切れないね。	2021-12-10 06:12:14
@kazup0n	@_ryskit cvedetails.com/cve/CVE-2019-1… これ	2021-12-10 09:16:14
@kazup0n	log4j 1.2系には別の脆弱性あるのでアップデートしましょう cvedetails.com/cve/CVE-2019-1…	2021-12-10 09:16:56
@_S00pY	@C1ar3nce_ @GossiTheDog It is PoC for cvedetails.com/cve/CVE-2019-1…	2021-12-10 13:05:30
@Darkarnium	@C1ar3nce_ @GossiTheDog Ah @_S00pY mentioned it below! Agreed, it looks to me like an exploit for CVE-2019-17571 :)	2021-12-10 13:35:21
@joe3barrera	@_rglx @di_v_erge 2019	2021-12-10 13:43:22
@mima_ita	log4j1.x系の場合、バージョンアップつらそうだなぁ...と思ったけど、そもそも、別のセキュリティホールがあるので、CVE-2019-17571の時点でlog4j2.xに上がっているはずだし、このリスクを許容しているなら今回も… twitter.com/i/web/status/1…	2021-12-10 14:19:07
@MikeStucka	@jeremybowers @ElectProject Deja vu all over again? ubuntu.com/security/CVE-2…	2021-12-10 15:28:46
@HermanBovens	@CodeBosw8r Welja, die is al meer dan 6 jaar end of life, de vulnerability cvedetails.com/cve/CVE-2019-1… die daar in zit… twitter.com/i/web/status/1…	2021-12-10 17:06:53
@ozuma5119	@pwntester This is CVE-2019-17571. Java安全之log4j反序列化漏洞分析: cnblogs.com/nice0e3/p/1453…	2021-12-10 17:48:17
@stek29	@timinbrum @tjhorner Are you referring to github.com/nice0e3/log4j_…? It might be about CVE-2019-17571, not CVE-2021-44228	2021-12-10 18:11:22
@pwntester	Ok, scratch that it seems that was for CVE-2019-17571 phewww twitter.com/pwntester/stat…	2021-12-10 18:22:47
@NinanReuben		2021-12-10 18:57:06
@xranby	@FiLiS @lattera log4j 1.2 - 1.2.17 users -> cvedetails.com/cve/CVE-2019-1…	2021-12-10 22:11:11
@ZacShaiken	@ceki @WietseWind Ah seems like a different issue I'm looking at: "CVE-2019-17571: For Apache log4j versions from… twitter.com/i/web/status/1…	2021-12-10 23:14:41
@mima_ita	@gokou_kotori ありがとうございます。その場合すでにCVE-2019-17571にひっかかりそうですね。	2021-12-11 01:18:35
@mobiuscog	@brunoborges That is likely related to	2021-12-11 09:14:01
@80vul	No! No! No! The vulnerability in this project is CVE-2019-17571, source: cnblogs.com/nice0e3/p/1453… It is not the curr… twitter.com/i/web/status/1…	2021-12-11 14:40:13
@Har_sia	CVE-2019-17571 har-sia.info/CVE-2019-17571… #HarsiaInfo	2021-12-11 15:01:07
@thiloginkel	@robert_we In letzterem steckt dann CVE-2019-17571 drin ?	2021-12-11 16:42:41
@cveiche	@dinodaizovi very different bug (cve-2019-17571)	2021-12-11 17:42:49
@marcwrogers	@brunoborges Different older log4j vuln. its CVE-2019-17571	2021-12-11 21:57:48
@marcwrogers	Everyone retweeting github.com/nice0e3/log4j_… please note it is an older vuln, CVE-2019-17571 not the current CVE-2021-44228.	2021-12-11 22:00:48
@08ae027a	@ZKP8128 @eastdakota That exploit is for an older vulnerability, CVE-2019-17571: Source: cnblogs.com/nice0e3/p/1453…	2021-12-12 01:04:55
@AndyVic14	@ceki @nipafx @xeraa Thanks Ceki, I have only one remark: Log4J v1 has CVE-2019-17571 that is critical and extremel… twitter.com/i/web/status/1…	2021-12-12 07:52:11
@tbroyer	@hsivonen Wrt Log4j 1.x: cvedetails.com/cve/CVE-2019-1…	2021-12-12 13:21:32
@rahuly26	@AndyVic14 @ceki @nipafx @xeraa Hi Andy, Could you please share, how can we fix Log4J v1 CVE-2019-17571?	2021-12-12 14:20:28
@AndyVic14	@sirsquishy79 @KillSwitchX7 @AlyssaM_InfoSec It seems to me that this POC is related to CVE-2019-17571 that affects Log4J v1.	2021-12-12 15:50:49
@Turowski	is latest #qradar vulnerable to both CVE-2019-17571 and CVE-2021-44228? #log4j #log4shell https://t.co/eLNuSPClH3	2021-12-12 22:06:18
@thesp0nge	If you're using log4j 1.x, and you shouldn't do that, make sure you're not vulnerable to	2021-12-13 09:30:17
@ydroneaud	@follc @zwindler "Version 1 of log4j is vulnerable to other RCE attacks (like CVE-2019-17571), and if you're using… twitter.com/i/web/status/1…	2021-12-13 13:04:44
@ghostlyric	log4j脆弱性問題。週明けの今日、開発担当に確認すると、log4j1.x系なので脆弱性の影響なしとのこと。安堵するとともに、それでいいのかという気持ち。twitter上では、CVE-2019-17571という重大な脆弱性を抱えているとの指摘あり。うーん、どうしますかね。	2021-12-13 13:53:12
@fluepke	@giantwallaby Das ist ein PoC für eine alte unter cvedetails.com/cve/CVE-2019-1… bekannte Schwachstelle.	2021-12-13 16:52:28
@fluepke	@andreasdotorg Auch bekannt als cvedetails.com/cve/CVE-2019-1…	2021-12-13 16:53:34
@fluepke	@da_667 It's an old exploit for an old vulnerability in old software cvedetails.com/cve/CVE-2019-1… This is not related to #Log4Shell	2021-12-13 16:55:27
@CostinCozianu	@shehackspurple cvedetails.com/cve/CVE-2019-1… Unlike the current one where most configs are vulnerable by default, the 1… twitter.com/i/web/status/1…	2021-12-13 16:56:14
@secc_mo	@vavkamil @netbroom This PoC is for CVE-2019-17571 ;)	2021-12-13 19:46:31
@thacybermaniac	@fakesmirkz @ShadowM82 Not the best idea: cvedetails.com/cve/CVE-2019-1…	2021-12-13 20:09:55
@JBPlatform	Mentioned CVE-2019-17571 is not directly related to the CVE-2021-44228 discovered lately, but since we use an older… twitter.com/i/web/status/1…	2021-12-13 21:05:25
@0xC0LIN	.@GreyNoiseIO have you seen any upticks in traffic related to CVE-2019-17571? (RCE present in log4j 1.2-1.2.17)	2021-12-13 21:13:03
@BertieBrink	2019 version 1.2?	2021-12-13 22:51:05
@Mofu_Master	log4j 1.x は比較的影響が少ない、って胸をなでおろしてる人がいたら CVE-2019-17571(CVSS 9.8) github.com/advisories/GHS… こんなのとかもあるから安心するのはまだ早いぜベイベェ… twitter.com/i/web/status/1…	2021-12-14 02:04:01
@sporri	@stridergdm @SQLServer	2021-12-14 15:08:16
@DirkHondong	@fatherjack @sporri @SQLServer Hi Jonathan It is 1.2.17 but as sporry mentioned: Also: it… twitter.com/i/web/status/1…	2021-12-14 15:18:07
@mikeymikey	@zoocoup For example: CVE-2019-17571 is a deserialization attack - one of the nastiest things you can see in Java b… twitter.com/i/web/status/1…	2021-12-14 15:51:00
@RahulGoswami02	@ceki @mdhardeman @thejonmccoy Is this an explanation for CVE-2019-17571 ?() There is limite… twitter.com/i/web/status/1…	2021-12-14 17:32:41
@bvanvelsen	@kpellegr *kuch cvedetails.com/cve/CVE-2019-1…	2021-12-14 18:17:16
@OpenPrunus	@hdjebar Sûr ?	2021-12-14 19:42:03
@Guile44	@bortzmeyer Je n'ai trouvé que celle là qui affecte la v1, CVSS de 7.5 quand même ! cvedetails.com/cve/CVE-2019-1…	2021-12-14 20:31:02
@llehmann_	@cyb3rops @Securityblog @Atlassian So they should be vulnerable to which is rated with 9.8 Critical via CVSS 3	2021-12-15 08:31:19
@SecuriteInfoCom	Paid subscriptions now detect CVE-2019-17571 and CVE-2021-44228 vulnerable files. You can now scan your servers for… twitter.com/i/web/status/1…	2021-12-16 09:16:14
@anthonykava	.@rroobbiinn FMAudit has shipped with #log4j 1.2 (CVE-2019-17571 not #Log4Shell) as part of Spring which doesn't us… twitter.com/i/web/status/1…	2021-12-16 17:53:56
@GitPushAll	@rickhanlonii If you've already been attacked via CVE-2019-17571 you've got the antibodies.	2021-12-16 22:11:00
@hpbaxter	@backbase hello, from what I see backbase 5.9 is not vulnerable to #LOG4J CVE-2021-44228 but what about CVE-2019-17571? thnaks	2021-12-17 08:34:44
@ByQwert	@ov3rflow1 @walter_bhai @fs0c131y CVE-2019-17571	2021-12-17 10:59:51
@KorbenD_Intel	@TheHackersNews CVE-2019-17571 (CVSS score 7.5)	2021-12-18 19:50:36
@lukebailiff	@Dick_Reverse @cyb3rops I think you are not accounting for CVE-2019-17571 in the v1 section of the mind map. It is… twitter.com/i/web/status/1…	2021-12-19 13:23:13
@OpenPrunus	@PykPyky @Keruspe Non.	2021-12-19 20:59:34
@5M7X	@pwntester Did an analysis together with a friend and it is Log4j1.2.16 via CVE-2019-17571. Funny tho the toolkit c… twitter.com/i/web/status/1…	2021-12-19 22:13:34
@fpientka	Interessting discussion about #log4j 1.2.17 EOL move out of incubator or git to fix open cves CVE-2019-17571 CVE-20… twitter.com/i/web/status/1…	2021-12-22 09:08:59
@eingfoan	@Dick_Reverse should we include cvedetails.com/cve/CVE-2019-1… in the chart?	2021-12-22 09:09:15
@fpientka	@grobmeier @TheASF There are still open cves in log4j1 CVE-2019-17571 CVE-2021-4104 and the log4j2 compatibility wrapper is not sufficient	2021-12-22 14:37:38
@thomasmechen	@isotopp cvedetails.com/cve/CVE-2019-1…	2021-12-23 11:30:29
@fpientka	@jbonofre @rmannibucau @TheASF CVE-2021-4104 CVE-2019-17571	2022-01-08 14:29:30
@yamadamn	とっくにEOLとなったLog4j 1.xに影響を与えるCVEを公開したとのこと。 CVE-2019-17571 CVE-2020-9488 CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 C… twitter.com/i/web/status/1…	2022-01-19 11:43:16
/r/qztray	QZTray and log4j (CVE-2019-17571, CVE-2021-44228)	2021-12-14 16:38:16
/r/QRadar	How after this long????????? Due to use of Apache Log4j, IBM QRadar SIEM is affected by arbitrary code execution	2022-10-27 14:25:03