CVE-2019-17571
Deserialization of Untrusted Data vulnerability in log4j (Maven)
What is CVE-2019-17571 About?
This vulnerability in Log4j 1.2's `SocketServer` class (`org.apache.log4j.net.SocketServer`; `SimpleSocketServer` shares the same receiving code) allows deserialization of untrusted data, leading to remote code execution. The server accepts TCP connections from `SocketAppender` clients and reads serialized `LoggingEvent` objects with a plain `ObjectInputStream.readObject()`, so any class the peer names is loaded and instantiated. An attacker who can reach the listening port sends a crafted serialized object instead; when a deserialization gadget chain is available on the server's classpath, the result is arbitrary code execution and typically full compromise of the host running the server.
Affected Software
- log4j (Maven artifact `log4j:log4j`), versions 1.2 through 1.2.17, the last 1.x release. Only deployments that actually run the `SocketServer` / `SimpleSocketServer` listener are exposed; using Log4j 1.2 purely as a logging library, including the client-side `SocketAppender`, does not deserialize network input.
Technical Details
The SocketServer class in Log4j versions 1.2 through 1.2.17 is susceptible to deserialization of untrusted data. The server is started explicitly (it is not part of normal Log4j configuration) to collect log events over the network: for every accepted connection it hands the socket to a `SocketNode`, which wraps the stream in an `ObjectInputStream` and calls `readObject()` in a loop with no restriction on which classes may be resolved. An attacker can therefore transmit any serialized Java object, not just a `LoggingEvent`, to the listening port. If a deserialization gadget is present in the application's environment (a class on the classpath whose `readObject`, `readResolve`, or other methods invoked during deserialization can be chained into a dangerous side effect), the attacker's object triggers arbitrary code execution on the server before the application ever sees it. This is a classic unrestricted-deserialization flaw combined with an unauthenticated network listener.
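The receiving pattern described above, side by side with an allow-listed replacement, as an added example that is not Log4j's own code. `readUnrestricted` reproduces what the 1.2 `SocketNode` does per connection; `AllowListObjectInputStream` overrides `resolveClass` so that only the classes a serialized `org.apache.log4j.spi.LoggingEvent` legitimately carries (`LoggingEvent`, `ThrowableInformation`, `LocationInfo`, `String`, `Hashtable`, and arrays of those) are ever loaded. The class `HardenedLogReceiver`, its helper methods, and the sample payloads are assumptions for this demo; the Log4j class names are the real ones. The demo does not need log4j on the classpath: a `Hashtable` stands in for the MDC part of a real event, and a `HashMap`, the root object of many public gadget chains, stands in for an attacker payload.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;

// Added example, not Log4j code. Contrasts the unrestricted readObject() that
// Log4j 1.2's SocketNode performs with an allow-listed ObjectInputStream.
public class HardenedLogReceiver {

    /** Vulnerable pattern: whatever class the peer names is resolved and instantiated. */
    static Object readUnrestricted(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            return ois.readObject();   // a gadget chain on the classpath runs here
        }
    }

    /** Hardened variant: reject any class descriptor not on the allow list before loading it. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "org.apache.log4j.spi.LoggingEvent",
            "org.apache.log4j.spi.ThrowableInformation",  // carries String[] rep
            "org.apache.log4j.spi.LocationInfo",          // carries String fullInfo
            "java.lang.String",                           // element type of String[]
            "java.util.Hashtable"                         // LoggingEvent.mdcCopy
        ));

        AllowListObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Fail closed: anything not explicitly listed (including primitive arrays,
            // which a LoggingEvent never contains) is refused before the class is loaded.
            if (!ALLOWED.contains(elementType(name))) {
                throw new InvalidClassException(name, "class not permitted in log stream");
            }
            return super.resolveClass(desc);
        }

        /** "[[Ljava.lang.String;" -> "java.lang.String"; "[I" -> "I"; plain names unchanged. */
        private static String elementType(String name) {
            int dims = 0;
            while (dims < name.length() && name.charAt(dims) == '[') dims++;
            String base = name.substring(dims);
            if (dims > 0 && base.startsWith("L") && base.endsWith(";")) {
                return base.substring(1, base.length() - 1);
            }
            return base;
        }
    }

    static Object readAllowListed(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowListObjectInputStream(in)) {
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a Hashtable of Strings, like the MDC copy inside a real event.
        Hashtable<String, String> benign = new Hashtable<>();
        benign.put("user", "alice");
        // Constructed stand-in for an attacker object: HashMap is the root of many public
        // gadget chains and nothing a LoggingEvent needs, so the allow list must reject it.
        HashMap<String, String> hostile = new HashMap<>();
        hostile.put("gadget", "chain-root");

        byte[] benignBytes = serialize(benign);
        byte[] hostileBytes = serialize(hostile);

        System.out.println("unrestricted, benign : " + readUnrestricted(new ByteArrayInputStream(benignBytes)));
        System.out.println("unrestricted, hostile: " + readUnrestricted(new ByteArrayInputStream(hostileBytes)));
        System.out.println("allow-listed, benign : " + readAllowListed(new ByteArrayInputStream(benignBytes)));
        try {
            readAllowListed(new ByteArrayInputStream(hostileBytes));
            System.out.println("allow-listed, hostile: accepted (BUG)");
        } catch (InvalidClassException e) {
            System.out.println("allow-listed, hostile: rejected -> " + e.getMessage());
        }
    }
}
```

The unrestricted reader accepts both payloads; the allow-listed reader accepts the `Hashtable` and throws `InvalidClassException` for the `HashMap` before any of its code runs. Because the check sits in `resolveClass`, it fires on the class descriptor, before instantiation, which is what makes it effective against gadget chains. On Java 8u121+ and Java 9+ the same policy can be applied to an unmodified receiver through `ObjectInputFilter` (JEP 290), including the `jdk.serialFilter` system property, which is worth doing as a stopgap if a 1.2 `SocketServer` cannot be retired immediately.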
What is the Impact of CVE-2019-17571?
Successful exploitation may allow attackers to execute arbitrary code, gain full control over the affected system, exfiltrate sensitive data, or disrupt service availability.
What is the Exploitability of CVE-2019-17571?
Exploitation of this Deserialization of Untrusted Data vulnerability in Log4j 1.2 requires little skill once its preconditions hold, and the impact is high. The attacker must be able to open a TCP connection to a running Log4j `SocketServer` or `SimpleSocketServer` instance and send an arbitrary serialized Java object; the server performs no authentication, so an instance reachable from an untrusted network is open to anyone. The second prerequisite is a deserialization gadget chain on the classpath of the JVM that runs the server (for example the well-known chains catalogued by public gadget tooling), since Log4j 1.2 itself does not ship one. This is a remote attack vector, and the existence of public proof-of-concept material makes exploitation more accessible. Because the server is started deliberately rather than being part of ordinary Log4j usage, the exposure question for a given estate is whether any process runs the listener on a reachable port; environments that do so on a rich application classpath are particularly at risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| shadow-horse | Link | Apache Log4j 1.2.X has a deserialization remote code execution vulnerability |
| HynekPetrak | Link | Fastest filesystem scanner for log4shell (CVE-2021-44228, CVE-2021-45046) and other vulnerable (CVE-2017-5645, CVE-2019-17571, CVE-2022-23305, CVE-2022-23307 ... ) instances of log4j library.... |
| Al1ex | Link | Environment for CVE_2019_17571 |
What are the Available Fixes for CVE-2019-17571?
Available Upgrade Options
- No fixed upgrade within the Log4j 1.x line: Log4j 1.x reached end of life in 2015 and no 1.2.x release addresses this issue. Remediation is to migrate to a maintained logging framework, or to stop running the `SocketServer` / `SimpleSocketServer` listener (or restrict its port to trusted hosts) if the library itself cannot be replaced. Distribution vendors such as Debian LTS and openSUSE shipped patched 1.2.17 packages (see the advisories under Additional Resources).
Additional Resources
- https://lists.debian.org/debian-lts-announce/2020/01/msg00008.html
- https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78%40%3Cissues.activemq.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/r7a1acc95373105169bd44df710c2f462cad31fb805364d2958a5ee03@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740@%3Ccommits.druid.apache.org%3E
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
What are Similar Vulnerabilities to CVE-2019-17571?
Similar Vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2017-7525, CVE-2015-7581
