Apache Log4j CVE-2017-5645 Remote Code Execution Vulnerability

Apache Log4j is prone to remote code-execution vulnerability.

Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Failed exploits will result in denial-of-service conditions.

Apache Log4j 2.0-alpha1 through 2.8.1 are vulnerable.

Information

Bugtraq ID: 97702
Class: Input Validation Error
CVE: CVE-2017-5645

Remote: Yes
Local: No
Published: Apr 17 2017 12:00AM
Updated: Apr 17 2017 09:07PM
Credit: Marcio Almeida de Macedo of Red Team at Telstra.
Vulnerable: Apache Log4j 2.8.1
Apache Log4j 2.0-alpha1

Not Vulnerable: Apache Log4j 2.8.2

References:

• CVE-2017-5645: Apache Log4j socket receiver deserialization vulnerability (Seclists.org)
  
• Add support for filtering input in TcpSocketServer and UdpSocketServer (Apache)
  
• Apache Homepage (Apache)
  
• Log4j Homepage (log4j)
  

Source: www.securityfocus.com