CVE-2017-5645 High Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

CVE-2017-5645 - High Severity Vulnerability

Vulnerable Library - log4j-core-2.6.1.jar

path: 2/repository/org/apache/logging/log4j/log4j-core/2.6.1/log4j-core-2.6.1.jar

Library home page: http://logging.apache.org/log4j/2.x/log4j-core/

Dependency Hierarchy:

• ❌ log4j-core-2.6.1.jar (Vulnerable Library)

Found in commit: 1aa940b5f2b478d3b18c1d6cb0bf99cdca11330d

Vulnerability Details

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

Publish Date: 2017-04-17

URL: CVE-2017-5645

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: apache/logging-log4j2@5dcc192

Release Date: 2017-04-02

Fix Resolution: Replace or update the following files: AbstractSocketServer.java, TcpSocketServer.java, FilteredObjectInputStream.java, ObjectInputStreamLogEventBridge.java, UdpSocketServer.java

---

Step up your Open Source Security Game with WhiteSource here