CVE-2017-5645 in Ubuntu

CVE-2017-5645

Priority

Description

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP
socket server to receive serialized log events from another application, a
specially crafted binary payload can be sent that, when deserialized, can
execute arbitrary code.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
https://issues.apache.org/jira/browse/LOG4J2-1863
http://www.openwall.com/lists/oss-security/2017/04/17/2
https://git-wip-us.apache.org/repos/asf?p=logging-log4j2.git;h=5dcc192

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860489

Notes

Package

Source: apache-log4j2 (LP Ubuntu Debian)

Upstream:	released (2.7-2)
Ubuntu 18.04 LTS:	not-affected (2.10.0-2)
Ubuntu 20.04 LTS:	not-affected (2.10.0-2)
Ubuntu 21.10:	not-affected (2.10.0-2)
Ubuntu 16.04 ESM:	needs-triage
Ubuntu 22.04 LTS:	not-affected (2.10.0-2)
Ubuntu 14.04 ESM:	DNE

Patches:

More Information

Mitre
NVD
Launchpad
Debian

Updated: 2022-04-25 00:21:41 UTC (commit ecc1009cb19540b950de59270950018900f37f15)