
[Vulnerability notice] CVE-2017-5645: Deserialization vulnerability in Apache Log4j

Last Updated: Apr 08, 2018

Apache Log4j has been found to contain a deserialization vulnerability (CVE-2017-5645). When the component deserializes received bytes into an object, an attacker can send a specially crafted binary payload that causes attacker-supplied code to be executed. This poses a risk of data leakage.

See the following for more information about the vulnerability.

CVE identifier

CVE-2017-5645

Vulnerability name

Apache Log4j deserialization vulnerability

Vulnerability description

When the component deserializes received bytes into an object, an attacker can send a specially crafted binary payload that causes attacker-supplied code to be executed. The vulnerability exists because the receiving code does not filter input from untrusted sources when it reads objects from an ObjectInputStream.

The fix therefore adds configurable filtering of deserialized classes, with the related settings, to TcpSocketServer and UdpSocketServer.

Condition and method of exploitation

Remote exploitation

Affected scope

  • Affected versions: Apache Log4j 2.0-alpha1 through Apache Log4j 2.8.1

  • Unaffected versions: Apache Log4j 2.8.2

Vulnerability detection

Check whether any affected version of Apache Log4j is used.

How to fix or mitigate

  • If you are using Java 7 or later, upgrade to version 2.8.2 immediately, or do not use the socket server related classes. See the reference links below.

  • If you are using Java 6, do not use the TCP or UDP socket server related classes, or manually backport the filtering code from version 2.8.2.

  • We recommend that you upgrade to the latest version 2.9 immediately.
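The filtering approach the description and the Java 6 mitigation refer to, as an added example that is not part of this advisory or of Log4j's own code: a receiver that rejects any class outside an allowlist before it can be instantiated, shown beside the unfiltered pattern that accepts whatever the peer sends. The allowlist contents and the sample inputs are assumed for illustration.

```java
import java.io.*;
import java.util.*;
public class FilteredDeserializationDemo {
    // Assumed allowlist for illustration: only the types this receiver expects.
    // Log4j 2.8.2 ships its own list; this one is not taken from the project.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.util.ArrayList", "java.lang.Integer", "java.lang.Number"));
    /** Refuses any class outside the allowlist before it can be instantiated. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "class is not on the allowlist");
            }
            return super.resolveClass(desc);
        }
    }
    /** Vulnerable pattern: deserializes whatever bytes the peer sends. */
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }
    /** Hardened pattern: the same call, but through the allowlisting stream. */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: an expected type and one the receiver has no reason to accept.
        byte[] expected = serialize(new ArrayList<>(Arrays.asList("log line")));
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unfiltered accepts: " + readUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered accepts:   " + readFiltered(expected));
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects:   " + e.classname);
        }
    }
}
```

On Java 9 and later the same policy can be expressed with the standard ObjectInputFilter (JEP 290) instead of overriding resolveClass.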

Reference

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
[2] https://issues.apache.org/jira/browse/LOG4J2-1863
[3] http://seclists.org/oss-sec/2017/q2/78
