CVE: 2019-17571 found in Apache Log4j - Version: 1.2.17 [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	Apache Log4j
Description	Apache Log4j 1.2
Language	JAVA
Vulnerability	Arbitrary Code Execution
Vulnerability description	log4j-core is vulnerable to arbitrary code execution. Deserialization of untrusted data in TcpSocketServer and UdpSocketServer when listening for log data allows an attacker to execute arbitrary code via a malicious deserialization gadget.
CVE	2019-17571
CVSS score	7.5
Vulnerability present in version/s	1.1.3-1.2.17
Found library version/s	1.2.17
Vulnerability fixed in version
Library latest version	1.2.17
Fix	log4j:log4j 1.x is out of life. We recommend users to upgrade to the latest version of org.apache.logging.log4j:log4j-core

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/163?version=1.2.17
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/22224
• Patch:

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/2

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/43

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/63

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/64

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/65

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/67

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/68

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/69

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/70