PT-2019-5314 · Apache+6 · Log4J+6
Korean_Buljumuk · Published 2017-08-07 · Updated 2026-05-19
CVE-2019-17571
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Log4j versions 1.2 up to 1.2.17
Description
The vulnerability is a deserialization of untrusted data in the SocketServer class of Log4j 1.2, which can be exploited to execute arbitrary code remotely when combined with a deserialization gadget. It is reachable when SocketServer is used to listen on untrusted network traffic for log data. According to the director of CISA, Log4j vulnerabilities will continue to be exploited in intrusions in the future. 32 applications from the German software manufacturer SAP used the vulnerable Apache Log4j library, and SAP was able to fix only some of them with the first set of security updates it released in 2022.
Recommendations
To resolve the issue, migrate to org.apache.logging.log4j:log4j-core.
As a temporary workaround, consider disabling the SocketServer class until a patch is available.
Restrict access to the vulnerable Log4j library to minimize the risk of exploitation.
Avoid using the vulnerable SocketServer class in the affected Log4j versions until the issue is resolved.
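The recommendations above assume you know where the affected library is deployed. The following inventory script is an added example for this page (it is not code from the advisory, from Apache or from the software vendors listed below): it scans JAR files for the Log4j 1.x SocketServer class and reads the artifact version to decide whether a JAR falls in the affected range 1.2 to 1.2.17. It assumes the standard Maven metadata layout for the `log4j:log4j` artifact (`META-INF/maven/log4j/log4j/pom.properties`) and falls back to `Implementation-Version` in the manifest; the sample JARs it builds are constructed in memory for demonstration, not real artifacts.

```python
import io
import re
import zipfile
from pathlib import Path

# Class whose presence marks the Log4j 1.x SocketServer named in the advisory.
SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"
# Maven metadata path for the log4j:log4j artifact (assumed standard Maven layout).
POM_PROPERTIES = "META-INF/maven/log4j/log4j/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"
# Affected range from the advisory: 1.2 up to and including 1.2.17.
AFFECTED_MIN = (1, 2)
AFFECTED_MAX = (1, 2, 17)


def parse_version(text):
    """Turn '1.2.17' into (1, 2, 17); trailing qualifiers are ignored, junk gives None."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def read_version(jar):
    """Read the artifact version from pom.properties, else the manifest, else None."""
    names = set(jar.namelist())
    if POM_PROPERTIES in names:
        for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    if MANIFEST in names:
        for line in jar.read(MANIFEST).decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    return None


def assess_jar(data):
    """Assess one JAR (bytes). 'affected' is True/False, or None when SocketServer is
    present but no version could be read (treat as suspect and inspect by hand)."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        has_socket_server = SOCKET_SERVER_CLASS in jar.namelist()
        version = read_version(jar)
    if not has_socket_server:
        affected = False
    elif version is None:
        affected = None
    else:
        affected = AFFECTED_MIN <= version <= AFFECTED_MAX
    return {"has_socket_server": has_socket_server, "version": version, "affected": affected}


def scan_directory(root):
    """Walk a directory tree and assess every .jar found; returns {path: assessment}."""
    return {str(p): assess_jar(p.read_bytes()) for p in Path(root).rglob("*.jar")}


def build_sample_jar(version, include_socket_server=True, with_metadata=True):
    """Construct a minimal in-memory JAR for demonstration (constructed, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if with_metadata:
            jar.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            jar.writestr(POM_PROPERTIES, f"version={version}\ngroupId=log4j\nartifactId=log4j\n")
        jar.writestr("org/apache/log4j/Logger.class", b"")
        if include_socket_server:
            jar.writestr(SOCKET_SERVER_CLASS, b"")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "log4j-1.2.17.jar (constructed)": build_sample_jar("1.2.17"),
        "log4j-1.2.8.jar (constructed)": build_sample_jar("1.2.8"),
        "no-socketserver.jar (constructed)": build_sample_jar("1.2.17", include_socket_server=False),
        "stripped-metadata.jar (constructed)": build_sample_jar("1.2.17", with_metadata=False),
    }
    for name, data in samples.items():
        print(name, assess_jar(data))
```

Run `scan_directory("/path/to/app")` against a deployment to get one assessment per JAR. A JAR that contains the SocketServer class but carries no `log4j:log4j` Maven metadata (for example a repackaged or shaded build) is reported with `affected` set to `None` rather than silently cleared, so that it is reviewed rather than skipped.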
Weakness Enumeration
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Centos
Linuxmint
Log4J
Oracle Weblogic Server
Red Hat
Suse
Ubuntu