CVE-2017-5645: Socket receiver deserialization vulnerability

April 17, 2017 (updated June 19, 2019)

When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

References

www.securityfocus.com/bid/97702
www.securitytracker.com/id/1040200
www.securitytracker.com/id/1041294
issues.apache.org/jira/browse/LOG4J2-1863
nvd.nist.gov/vuln/detail/CVE-2017-5645

Detect and mitigate CVE-2017-5645 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →