log4j:log4j (Log4j 1.x) is vulnerable to remote code execution through deserialization of untrusted data. Log4j 1.2 ships org.apache.log4j.net.SocketServer (the 1.x counterpart of the TcpSocketServer and UdpSocketServer receivers in 2.x), which listens for log data on a TCP port and, through a SocketNode per connection, reads serialized LoggingEvent objects with ObjectInputStream.readObject() and no restriction on which classes the stream may instantiate. Any sender that can reach the listening port can therefore supply a serialized deserialization gadget chain built from classes already on the receiver's classpath and execute arbitrary code in the receiving process. The vulnerable code path is only exercised when an application actually runs SocketServer (or otherwise feeds network input to a SocketNode); having the jar on the classpath does not by itself expose it, so the first check is whether any deployment starts that receiver and which hosts can reach its port.
CVE: CVE-2019-17571
CVSS score: 7.5
Vulnerability present in versions: 1.1.3 through 1.2.17
Found library version: 1.2.17
Vulnerability fixed in version: none (no fixed release of log4j:log4j 1.x exists; see Fix)
Library latest version: 1.2.17
Fix
log4j:log4j 1.x is end of life and no fixed 1.x release exists. Migrate to a current release of org.apache.logging.log4j:log4j-core (Log4j 2.x); code that still calls the 1.x API can use the org.apache.logging.log4j:log4j-1.2-api bridge during the migration. Until the migration is complete, do not run org.apache.log4j.net.SocketServer (or any other receiver that deserializes LoggingEvent objects from the network) on an interface reachable by untrusted hosts.
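The receiver pattern behind this finding, shown beside a hardened variant, as an added example that is neither log4j's code nor Veracode's. It mirrors the SocketNode loop (one ObjectInputStream per connection, readObject() until the sender closes) and then restricts the stream with a java.io.ObjectInputFilter allow-list. The allow-list is an assumption derived from the serialized field layout of a log4j 1.2 LoggingEvent (LocationInfo, ThrowableInformation, String, and a Hashtable copy of the MDC; String[] inside ThrowableInformation is covered because the filter matches an array by its component type). The demo objects in main are constructed stand-ins, since log4j itself is not assumed to be on the classpath. JDK 9 or later is required for java.io.ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.ArrayList;
import java.util.Hashtable;

/**
 * Added example, not log4j's own code. Contrasts the unrestricted receiver
 * pattern behind CVE-2019-17571 with a receiver that only lets the classes of
 * a log4j 1.2 LoggingEvent through the deserializer.
 */
public class LogEventReceiver {

    /** Vulnerable shape: whatever class graph the remote sender serialized is instantiated. */
    static ObjectInputStream openUnsafe(InputStream in) throws IOException {
        return new ObjectInputStream(in);
    }

    /**
     * Assumed allow-list for a log4j 1.2 LoggingEvent. "!*" rejects every other class
     * before its constructor or readObject() logic can run; the limits bound stream
     * size, nesting depth and object-reference count from a hostile sender.
     */
    static final ObjectInputFilter LOGGING_EVENT_ONLY = ObjectInputFilter.Config.createFilter(
            "org.apache.log4j.spi.LoggingEvent;"
          + "org.apache.log4j.spi.LocationInfo;"
          + "org.apache.log4j.spi.ThrowableInformation;"
          + "java.lang.String;"
          + "java.util.Hashtable;"
          + "maxdepth=8;maxrefs=512;maxbytes=65536;"
          + "!*");

    /** Hardened shape: the filter is consulted for every class the stream tries to resolve. */
    static ObjectInputStream openFiltered(InputStream in) throws IOException {
        ObjectInputStream ois = new ObjectInputStream(in);
        ois.setObjectInputFilter(LOGGING_EVENT_ONLY);
        return ois;
    }

    /** SocketNode-style loop: one connection, events read until the sender closes or is rejected. */
    static void serve(ServerSocket listener, boolean filtered) throws IOException {
        try (Socket client = listener.accept();
             ObjectInputStream ois = filtered ? openFiltered(client.getInputStream())
                                              : openUnsafe(client.getInputStream())) {
            while (true) {
                try {
                    Object event = ois.readObject();
                    System.out.println("received " + event.getClass().getName());
                } catch (InvalidClassException rejected) {
                    System.out.println("rejected: " + rejected.getMessage());
                    return; // drop the connection rather than keep parsing a hostile stream
                } catch (EOFException | ClassNotFoundException done) {
                    return;
                }
            }
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bytes)) {
            oos.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins: a Hashtable of Strings models the MDC copy inside a
        // LoggingEvent; an ArrayList models any class the receiver never expected.
        Hashtable<String, String> mdc = new Hashtable<>();
        mdc.put("user", "alice");
        byte[] expected = serialize(mdc);
        byte[] unexpected = serialize(new ArrayList<String>());

        // The unrestricted stream accepts anything the sender chose to serialize.
        System.out.println("unsafe:   " + openUnsafe(new ByteArrayInputStream(unexpected)).readObject().getClass());
        // The filtered stream accepts the allow-listed classes ...
        System.out.println("filtered: " + openFiltered(new ByteArrayInputStream(expected)).readObject());
        // ... and refuses everything else before any of its code runs.
        try {
            openFiltered(new ByteArrayInputStream(unexpected)).readObject();
        } catch (InvalidClassException rejected) {
            System.out.println("filtered: " + rejected.getMessage());
        }
    }
}
```

The filter is a compensating control for a receiver you cannot yet retire, not a substitute for the migration above: it assumes the listed classes are themselves safe to deserialize, and it deliberately rejects MDC values that are not Strings, so senders that put other objects into the MDC will be cut off.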
Veracode Software Composition Analysis