CVE-2017-5645

Metadata

high
7.5
apache-log4j2
CVE-2017-5645
cve.mitre.org, issues.apache.org, openwall.com, git-wip-us.apache.org, bugs.debian.org
2017-04-17
2017-10-23 14:20
CVE-2017-5645 apache-log4j2
2017-07-20 21:31
2017-06-16 19:22
2017-05-10 23:49
2017-04-18 18:03

Description

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information

Release Package Patched in
xenial apache-log4j2 None
zesty apache-log4j2 None

Unaffected

Release Package Reason
precise apache-log4j2 DNE
precise/esm apache-log4j2 DNE
trusty apache-log4j2 DNE
vivid/stable-phone-overlay apache-log4j2 DNE
vivid/ubuntu-core apache-log4j2 DNE
yakkety apache-log4j2 ignored

Needs Triage

Release Package Reason
upstream apache-log4j2 needs-triage
artful apache-log4j2 needs-triage
devel apache-log4j2 needs-triage