Apache Log4j 2 has a deserialization vulnerability (CVE-2017-5645) in its socket server components. An attacker who can send a specially crafted binary payload to the socket server can have the component execute attacker-chosen code when it deserializes the bytes into an object, which puts data on the host at risk of leakage.
See the following for more information about the vulnerability.
Apache Log4j deserialization vulnerability
An attacker can trigger execution of a crafted payload by sending a specially constructed binary payload that the component deserializes into an object. The root cause is that the receiving code does not filter input from untrusted sources when it processes the ObjectInputStream.
The fix therefore adds configurable filtering of the deserialized classes, and related settings, to TcpSocketServer and UdpSocketServer.
Condition and method of exploitation
Affected versions: Apache Log4j 2.0-alpha1 to Apache Log4j 2.8.1
Unaffected versions: Apache Log4j 2.8.2 and later
Check whether any affected version of Apache Log4j is in use.
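The following is an added example (not part of this advisory or of the Log4j project) that scans a directory tree for log4j-core jars and reports those whose version falls in the affected range above. It assumes the jar's MANIFEST.MF carries an Implementation-Version entry, as Maven-built jars normally do, and falls back to the version in the file name; the version comparator treats a -alpha/-beta/-rc qualifier as sorting below the plain release with the same numbers.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Finds log4j-core jars under a directory and reports those in the range this
 * advisory names (2.0-alpha1 up to and including 2.8.1). Added example code,
 * not Log4j's own tooling.
 */
public class Log4jVersionCheck {

    // Matches e.g. log4j-core-2.8.1.jar or log4j-core-2.0-beta9.jar (file-name fallback)
    private static final Pattern FILE_VERSION = Pattern.compile("^log4j-core-([0-9].*)\\.jar$");

    /**
     * Compares dotted versions numerically. A "-alpha1"/"-beta9"/"-rc2" qualifier
     * sorts below the plain release with the same numbers; qualifiers themselves are
     * ordered by plain string comparison, which suffices for Log4j 2's pre-release labels.
     */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("-", 2), pb = b.split("-", 2);
        String[] na = pa[0].split("\\."), nb = pb[0].split("\\.");
        for (int i = 0; i < Math.max(na.length, nb.length); i++) {
            int x = i < na.length ? Integer.parseInt(na[i]) : 0;
            int y = i < nb.length ? Integer.parseInt(nb[i]) : 0;
            if (x != y) return Integer.compare(x, y);
        }
        boolean qa = pa.length == 2, qb = pb.length == 2;
        if (qa != qb) return qa ? -1 : 1;       // pre-release sorts before the release
        return qa ? pa[1].compareTo(pb[1]) : 0;
    }

    /** True for the affected range from the advisory: 2.0-alpha1 up to and including 2.8.1. */
    static boolean isAffected(String version) {
        return compareVersions(version, "2.0-alpha1") >= 0
            && compareVersions(version, "2.8.2") < 0;
    }

    /** Manifest Implementation-Version first, file-name version as fallback, null if neither. */
    static String versionOf(File jar) throws IOException {
        try (JarFile jf = new JarFile(jar)) {
            Manifest m = jf.getManifest();
            if (m != null) {
                String v = m.getMainAttributes().getValue("Implementation-Version");
                if (v != null) return v.trim();
            }
        }
        Matcher mt = FILE_VERSION.matcher(jar.getName());
        return mt.matches() ? mt.group(1) : null;
    }

    /** Recursively collects "path -> version" findings for affected log4j-core jars. */
    static List<String> scan(File root, List<String> findings) throws IOException {
        File[] children = root.listFiles();
        if (children == null) return findings;
        for (File f : children) {
            if (f.isDirectory()) {
                scan(f, findings);
            } else if (f.getName().startsWith("log4j-core-") && f.getName().endsWith(".jar")) {
                String v = versionOf(f);
                if (v != null && isAffected(v)) findings.add(f.getPath() + " -> " + v);
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        File root = new File(args.length > 0 ? args[0] : ".");
        List<String> hits = scan(root, new ArrayList<String>());
        if (hits.isEmpty()) {
            System.out.println("No affected log4j-core jars under " + root);
        } else {
            for (String h : hits) System.out.println("AFFECTED: " + h);
        }
    }
}
```

Run it with the application's lib directory as the argument. It only recognises jars named log4j-core-<version>.jar; a shaded or uber jar that bundles Log4j must be checked separately, for example by looking inside it for the org/apache/logging/log4j/core/net/server/TcpSocketServer.class entry and the bundled version information.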
How to fix or mitigate
If you are using Java 7 or later, upgrade to version 2.8.2 immediately, or stop using the socket server related classes.
If you are using Java 6, stop using the TCP and UDP socket server related classes, or manually apply the version 2.8.2 update code to your build.
We recommend upgrading to the latest version, 2.9, immediately.
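For readers who cannot upgrade and must apply the idea of the 2.8.2 fix by hand, the following is an added example of the filtering technique it describes: an ObjectInputStream that checks every class descriptor against an allowlist before any instance is created. This is illustrative code, not Log4j's own filter class; the allowlist prefixes are a hypothetical choice for a receiver that only expects simple map-based events. It deliberately avoids Java 7 syntax so the same approach applies in the Java 6 case.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

/**
 * Allowlisting ObjectInputStream. resolveClass() is consulted for every class
 * descriptor in the stream, before any object of that class is instantiated, so
 * rejecting unknown names here stops a gadget chain before its constructors or
 * readObject methods run. Illustrative code, not Log4j's own filter.
 */
public class AllowlistObjectInputStream extends ObjectInputStream {

    // Hypothetical allowlist. A real deployment lists exactly the types its
    // protocol carries and nothing more; broad prefixes are shown only for the demo.
    private static final String[] ALLOWED_PREFIXES = { "java.lang.", "java.util." };

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        for (String prefix : ALLOWED_PREFIXES) {
            if (name.startsWith(prefix)) {
                return super.resolveClass(desc);
            }
        }
        // Fail closed: an IOException thrown here aborts the whole readObject() call.
        throw new InvalidClassException(name, "class not on the deserialization allowlist");
    }

    /** Serializes with the standard stream; stands in for bytes arriving from the network. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        try {
            oos.writeObject(o);
        } finally {
            oos.close();
        }
        return bos.toByteArray();
    }

    /** Deserializes through the allowlist filter. */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes));
        try {
            return in.readObject();
        } finally {
            in.close();
        }
    }

    /** Constructed stand-in for any class the receiver does not expect. */
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean readObjectRan = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            readObjectRan = true; // not reached when the class descriptor is rejected
            in.defaultReadObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> event = new HashMap<String, Integer>();
        event.put("level", 40);
        System.out.println("accepted: " + readFiltered(serialize(event)));

        try {
            readFiltered(serialize(new Unexpected()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("readObject of rejected class ran: " + Unexpected.readObjectRan);
    }
}
```

The first call succeeds because HashMap, Integer and Number all match the allowed prefixes; the second is rejected at the class descriptor, and the flag set inside Unexpected.readObject stays false, which is the property that matters: the filter runs before any code of the rejected class does. Substituting this stream for the plain ObjectInputStream in a receiver that reads from TcpSocketServer or UdpSocketServer is the manual form of the configurable filtering the advisory describes.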