QID 980278

QID 980278: Java (maven) Security Update for org.apache.logging.log4j:log4j-core (GHSA-fxph-q3j8-mv87)

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

Successful exploitation of this vulnerability may affect the confidentiality, integrity, and availability of the targeted user.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as High - 7.5 severity.
  • Solution
    Customers are advised to refer to GHSA-fxph-q3j8-mv87 for updates pertaining to this vulnerability.
    Vendor References

    CVEs related to QID 980278

    Software Advisories
    Advisory ID Software Component Link
    GHSA-fxph-q3j8-mv87 org.apache.logging.log4j:log4j URL Logo github.com/advisories/GHSA-fxph-q3j8-mv87
    GHSA-fxph-q3j8-mv87 org.apache.logging.log4j:log4j-core URL Logo github.com/advisories/GHSA-fxph-q3j8-mv87