CVE-2019-17571: Deserialization of Untrusted Data

January 6, 2020 (updated October 12, 2023)

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

References

lists.opensuse.org/opensuse-security-announce/2020-01/msg00022.html
github.com/advisories/GHSA-2qrg-x229-3v8q
lists.debian.org/debian-lts-announce/2020/01/msg00008.html
nvd.nist.gov/vuln/detail/CVE-2019-17571
security.netapp.com/advisory/ntap-20200110-0001/

Detect and mitigate CVE-2019-17571 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →