PT-2023-6477 · Oracle+1 · Jre+1

Author: Garrett Tucker
Published: 2023-03-10
Updated: 2026-05-19
CVE: CVE-2023-26464
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Apache Log4j versions prior to 2

Description: The issue lies in the Chainsaw and SocketAppender components of Log4j 1.x when used with a JRE older than 1.7. An attacker can cause a logging entry containing a specially crafted hashmap or hashtable to be processed; when that object is deserialized, it can exhaust the available memory of the virtual machine, resulting in denial of service.

Recommendations: Update to Log4j 2.x to resolve the issue. As a temporary workaround, consider restricting the use of the Chainsaw and SocketAppender components until a patch is available. Avoid using deeply nested hashmaps or hashtables in logging entries to minimize the risk of exploitation.

Fix

Weakness Enumeration: DoS; Resource Exhaustion; Deserialization of Untrusted Data

Related Identifiers

BDU:2023-07207
CVE-2023-26464
GHSA-VP98-W2P3-MV35
RHSA-2023:3663
RHSA-2023:5484
RHSA-2023:5485
RHSA-2023:5486
RHSA-2024:10207
RHSA-2024:10208
ROSA-SA-2024-2519

Affected Products

Jre
Log4J