CVE-2017-5645 — Deserialization of Untrusted Data in Log4j

Description

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

How to fix CVE-2017-5645

To remediate CVE-2017-5645, upgrade the affected package to a fixed version below.

Debian/apache-log4j2—upgrade to 2.7-2 or later
—upgrade to 2.8.2 or later
—upgrade to 2.8.2 or later

Is CVE-2017-5645 being exploited?

Likely — EPSS is 93.9%, placing CVE-2017-5645 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (3)

from 0, < 2.7-2
>= 2.0, < 2.8.2
>= 2.0, < 2.8.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (85)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-5645
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-5645
PATCHgithub.com/apache/logging-log4j2
WEBaccess.redhat.com/errata/RHSA-2017:1417
WEB