Apache Log4j CVE-2017-5645 Remote Code Execution Vulnerability

BID: 97702 | CVE-2017-5645

Info

Bugtraq ID: 97702
Class: Input Validation Error
CVE: CVE-2017-5645
Remote: Yes
Local: No
Published: Apr 17 2017 12:00AM
Updated: Jul 17 2019 07:00AM
Credit: Marcio Almeida de Macedo of Red Team at Telstra.
Vulnerable: Redhat JBoss Web Server 3.1 for RHEL 7
Redhat JBoss Web Server 3.1 for RHEL 6
Redhat Enterprise Linux Workstation Optional 7
Redhat Enterprise Linux Workstation 7
Redhat Enterprise Linux Workstation 6
Redhat Enterprise Linux Server Optional 7
Redhat Enterprise Linux Server EUS 7.3
Redhat Enterprise Linux Server 7
Redhat Enterprise Linux Server 6
Redhat Enterprise Linux ComputeNode Optional 7
Redhat Enterprise Linux ComputeNode 7
Redhat Enterprise Linux Client Optional 7
Redhat Enterprise Linux 7 Client
Oracle Weblogic Server 10.3.6.0
Oracle Weblogic Server 12.2.1.3
Oracle Weblogic Server 12.2.1.2
Oracle Weblogic Server 12.1.3.0
Oracle WebCenter Portal 12.2.1.3.0
Oracle WebCenter Portal 12.2.1.2.0
Oracle Utilities Framework 4.3
Oracle Utilities Framework 4.2
Oracle Utilities Framework 2.2
Oracle Utilities Advanced Spatial and Operational Analytics 2.7.0.1
Oracle Transportation Management 6.4.2
Oracle Transportation Management 6.4.1
Oracle Transportation Management 6.3.5
Oracle Transportation Management 6.3.4
Oracle Transportation Management 6.3.3
Oracle Transportation Management 6.3.2
Oracle Transportation Management 6.3.1
Oracle Transportation Management 6.2.11
Oracle Transportation Management 6.3.7
Oracle Transportation Management 6.3.6
Oracle Tape Library ACSLS 8.4
Oracle SOA Suite 12.2.1.3.0
Oracle SOA Suite 12.1.3.0.0
Oracle Siebel UI Framework 18.9
Oracle Siebel UI Framework 18.8
Oracle Siebel UI Framework 18.7
Oracle Secure Global Desktop 5.3
Oracle Retail Xstore Point of Service 15.0.1
Oracle Retail Xstore Point of Service 7.1.6
Oracle Retail Xstore Point of Service 7.0.6
Oracle Retail Xstore Point of Service 6.0.11
Oracle Retail Workforce Management 1.64
Oracle Retail Workforce Management 1.60.7
Oracle Retail Store Inventory Management 16.0.1
Oracle Retail Store Inventory Management 15.0.2
Oracle Retail Store Inventory Management 14.1.3
Oracle Retail Store Inventory Management 14.0.4
Oracle Retail Store Inventory Management 13.2.9
Oracle Retail Store Inventory Management 13.1.9
Oracle Retail Store Inventory Management 13.0.7
Oracle Retail Store Inventory Management 12.0.12
Oracle Retail Returns Management 14.1.3
Oracle Retail Returns Management 14.0.4
Oracle Retail Returns Management 2.4.9
Oracle Retail Returns Management 2.3.8
Oracle Retail Price Management 16.0
Oracle Retail Price Management 15.0
Oracle Retail Price Management 14.1
Oracle Retail Price Management 14.0
Oracle Retail Price Management 13.2
Oracle Retail Price Management 13.1
Oracle Retail Price Management 13.0
Oracle Retail Price Management 12.0
Oracle Retail Point-of-Service 14.1.3
Oracle Retail Point-of-Service 14.0.4
Oracle Retail Order Management System 5.0
Oracle Retail Order Management System 4.7
Oracle Retail Order Management System 4.5
Oracle Retail Order Management System 4.0
Oracle Retail Order Broker 5.2
Oracle Retail Order Broker 5.1
Oracle Retail Order Broker 16.0
Oracle Retail Order Broker 15.0
Oracle Retail Open Commerce Platform 6.0.1
Oracle Retail Open Commerce Platform 6.0
Oracle Retail Open Commerce Platform 5.3
Oracle Retail Invoice Matching 16.0
Oracle Retail Invoice Matching 15.0
Oracle Retail Invoice Matching 14.1
Oracle Retail Invoice Matching 14.0
Oracle Retail Invoice Matching 13.2
Oracle Retail Invoice Matching 13.1
Oracle Retail Invoice Matching 13.0
Oracle Retail Invoice Matching 12.0
Oracle Retail Invoice Matching 11.0
Oracle Retail Invoice Matching 10.2
Oracle Retail Insights 16.0
Oracle Retail Insights 15.0
Oracle Retail Insights 14.1
Oracle Retail Insights 14.0
Oracle Retail Fiscal Management 14.1
Oracle Retail Extract Transform and Load 13.2
Oracle Retail Extract Transform and Load 13.1
Oracle Retail Extract Transform and Load 13.0
Oracle Retail EFTLink 16.0.3
Oracle Retail EFTLink 15.0.2
Oracle Retail Customer Management and Segmentation Foundation 16.0
Oracle Retail Customer Management and Segmentation Foundation 15.0
Oracle Retail Customer Management and Segmentation Foundation 11.4
Oracle Retail Customer Management and Segmentation Foundation 10.8
Oracle Retail Convenience and Fuel POS 2.1.132
Oracle Retail Central Office 14.1.3
Oracle Retail Central Office 14.0.4
Oracle Retail Back Office 14.1.3
Oracle Retail Back Office 14.0.4
Oracle Retail Assortment Planning 16.0.1
Oracle Retail Assortment Planning 15.0.3
Oracle Retail Assortment Planning 14.1.3
Oracle Retail Advanced Inventory Planning 15.0
Oracle Retail Advanced Inventory Planning 14.1
Oracle Retail Advanced Inventory Planning 13.4
Oracle Retail Advanced Inventory Planning 13.2
Oracle PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil 9.1
Oracle PeopleSoft Enterprise FIN Supply Chain Portal Pack Argentina 9.1
Oracle MICROS Retail XBRi Loss Prevention 10.8.1
Oracle MICROS Retail XBRi Loss Prevention 10.8
Oracle MICROS Retail XBRi Loss Prevention 10.7
Oracle MICROS Retail XBRi Loss Prevention 10.6
Oracle MICROS Retail XBRi Loss Prevention 10.5
Oracle MICROS Retail XBRi Loss Prevention 10.0.1
Oracle MICROS Lucas 2.9.5
Oracle Managed File Transfer 12.2.1.3.0
Oracle Managed File Transfer 12.2.1.2.0
Oracle Managed File Transfer 12.1.3.0.0
Oracle JDeveloper 12.2.1.0.0
Oracle JDeveloper 12.1.3.0.0
Oracle JDeveloper 11.1.1.9.0
Oracle JD Edwards World Security A9.4
Oracle JD Edwards World Security A9.3
Oracle JD Edwards World Security A9.2
Oracle JD Edwards EnterpriseOne Tools 9.2
Oracle Insurance Rules Palette 11.1
Oracle Insurance Rules Palette 11.0
Oracle Insurance Rules Palette 10.2.0
Oracle Insurance Rules Palette 10.1
Oracle Insurance Rules Palette 10.0
Oracle Insurance Calculation Engine 10.2.1
Oracle Insurance Calculation Engine 10.1.1
Oracle Identity Management Suite 12.2.1.3.0
Oracle Identity Management Suite 11.1.2.3.0
Oracle Identity Analytics 11.1.1.5.8
Oracle GoldenGate Application Adapters 12.3.2.1.1
Oracle FLEXCUBE Private Banking 12.0
Oracle FLEXCUBE Private Banking 2.1
Oracle FLEXCUBE Investor Servicing 14.0
Oracle FLEXCUBE Investor Servicing 12.4
Oracle FLEXCUBE Investor Servicing 12.3
Oracle FLEXCUBE Investor Servicing 12.1
Oracle FLEXCUBE Investor Servicing 12.0.4
Oracle FLEXCUBE Core Banking 11.7
Oracle FLEXCUBE Core Banking 11.6
Oracle FLEXCUBE Core Banking 11.5
Oracle Enterprise Repository 12.1.3.0.0
Oracle Enterprise Repository 11.1.1.7.0
Oracle Enterprise Manager Ops Center 12.3.2
Oracle Enterprise Manager Ops Center 12.2.2
Oracle Enterprise Linux 7
Oracle Endeca Server 7.7
Oracle Endeca Information Discovery Integrator 3.2
Oracle Endeca Information Discovery Integrator 3.1
Oracle Configuration Manager 12.1.2.0.5
Oracle Configuration Manager 12.1.2.0.2
Oracle Communications WebRTC Session Controller 7.1
Oracle Communications WebRTC Session Controller 7.0
Oracle Communications Unified Inventory Management 7.3
Oracle Communications Unified Inventory Management 7.1
Oracle Communications Unified Inventory Management 7.0
Oracle Communications Services Gatekeeper 6.0
Oracle Communications Services Gatekeeper 5.1
Oracle Communications Service Broker 6.0
Oracle Communications Pricing Design Center 12.0
Oracle Communications Pricing Design Center 11.1
Oracle Communications Online Mediation Controller 6.1
Oracle Communications Network Intelligence 7.3
Oracle Communications Network Charging and Control 6.0
Oracle Communications Messaging Server 8.0.1.1.0
Oracle Communications Messaging Server 8.0
Oracle Communications Messaging Server 7.0
Oracle Communications Messaging Server 6.3
Oracle Communications Messaging Server 3.0
Oracle Communications Interactive Session Recorder 6.2
Oracle Communications Interactive Session Recorder 6.1
Oracle Communications Interactive Session Recorder 6.0
Oracle Communications Convergent Charging Controller 6.0
Oracle Communications Converged Application Server - Service Controller 6.1
Oracle Communications BRM - Elastic Charging Engine 7.5
Oracle Business Intelligence Data Warehouse Administration Console 11.1.1.6.4
Oracle Big Data Discovery 1.6
Oracle BI Publisher 12.2.1.4.0
Oracle BI Publisher 12.2.1.3.0
Oracle BI Publisher 11.1.1.9.0
Oracle BI Publisher 11.1.1.7.0
Oracle Autovue for Agile Product Lifecycle Management 21.0.1
Oracle Autovue for Agile Product Lifecycle Management 21.0
Oracle Application Testing Suite 13.2.0.1
Oracle Application Testing Suite 13.1.0.1
Oracle Application Testing Suite 12.5.0.3
Oracle API Gateway 11.1.2.4.0
Oracle Agile PLM MCAD Connector 3.6
Oracle Agile PLM MCAD Connector 3.5
Oracle Agile PLM MCAD Connector 3.4
Oracle Agile PLM MCAD Connector 3.3
Oracle Agile PLM 9.3.5
Oracle Agile PLM 9.3.3
Oracle Agile PLM 9.3.6
Oracle Agile PLM 9.3.4
Oracle Agile Material and Equipment Management for Pharmaceuticals 9.3.4
Oracle Agile Material and Equipment Management for Pharmaceuticals 9.3.3
Oracle Agile Engineering Data Management 6.2.1
Oracle Agile Engineering Data Management 6.2
Oracle Agile Engineering Data Management 6.1.3
Apache Log4j 2.8.1
Apache Log4j 2.6.2
Apache Log4j 2.6.1
Apache Log4j 2.4.1
Apache Log4j 2.0.2
Apache Log4j 2.0.1
Apache Log4j 2.8
Apache Log4j 2.7
Apache Log4j 2.6
Apache Log4j 2.5
Apache Log4j 2.4
Apache Log4j 2.3
Apache Log4j 2.2
Apache Log4j 2.1
Apache Log4j 2.0-alpha1
Apache Log4j 2.0 RC2
Apache Log4j 2.0 RC1
Apache Log4j 2.0 beta9
Apache Log4j 2.0 beta8
Apache Log4j 2.0 beta7
Apache Log4j 2.0 beta6
Apache Log4j 2.0 beta5
Apache Log4j 2.0 Beta4
Apache Log4j 2.0 beta3
Apache Log4j 2.0 Beta2
Apache Log4j 2.0 Beta1
Apache Log4j 2.0 alpha2
Not Vulnerable: Oracle Communications WebRTC Session Controller 7.2
Oracle Communications Messaging Server 8.0.2
Apache Log4j 2.8.2

Discussion

Apache Log4j is prone to a remote code-execution vulnerability.

Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in denial-of-service conditions.

Apache Log4j 2.0-alpha1 through 2.8.1 are vulnerable.

Exploit / POC

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Solution / Fix

Solution:
Updates are available. Please see the references or vendor advisory for more information.

References
