2017-04-17 23:59:00 2020-08-31 16:15:00

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

CVSS v2 metrics:

Vector: NETWORK
Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
Affected configurations (entries marked on the page as not official CPEs):

Oracle Siebel ui framework: 18.9, 18.8, 18.7
Oracle Soa suite: 12.1.3.0.0, 12.2.2.0.0
Oracle Retail predictive application server: 15.0.3
Oracle Retail open commerce platform: 6.0.1, 6.0.0, 5.3.0
Oracle Retail integration bus: 15.0, 16.0, 14.0.0, 14.1.0
Oracle Retail extract transform and load: 13.2, 13.1, 13.0
Oracle Retail clearance optimization engine: 14.0.5
Oracle Policy automation for mobile devices: 12.2.10, 12.2.9, 12.2.7, 12.2.8, 12.2.6, 12.2.5, 12.2.4, 12.2.3, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.1.0, 10.4.7
Oracle Utilities work and asset management: 1.9.1.2.12
Oracle Tape library acsls: 8.4
Oracle Policy automation: 12.2.10, 12.2.9, 12.2.8, 12.2.7, 12.2.6, 12.2.5, 12.2.4, 12.2.3, 12.2.2, 12.2.1, 12.2.0, 12.1.1, 12.1.0, 10.4.7
Oracle Policy automation connector for siebel: 10.4.6
Oracle Peoplesoft enterprise fin install: 9.2
Oracle Mysql enterprise monitor: version not specified
Oracle Jdeveloper: 12.2.1.3.0, 12.1.3.0.0, 11.1.1.9.0
Oracle Jd edwards enterpriseone tools: 9.2
Oracle Insurance rules palette: 11.1, 11.0, 10.2, 10.1, 10.0
Oracle Insurance policy administration: 11.0, 10.2, 10.1, 10.0
Oracle Identity analytics: 11.1.1.5.8
Oracle Identity management suite: 11.1.2.3.0, 12.2.1.3.0
Oracle Fusion middleware mapviewer: 12.2.1.3, 12.2.1.2
Oracle Goldengate application adapters: 12.3.2.1.1
Oracle Insurance calculation engine: 10.2.1, 10.1.1
Oracle Flexcube investor servicing: 12.4.0, 14.0.0, 12.3.0, 12.0.4, 12.1.0
Oracle Financial services profitability management: 6.1.1 (also listed without a version)
Oracle Financial services loan loss forecasting and provisioning: 8.0.5, 8.0.4
Oracle Financial services hedge management and ifrs valuations: 8.0.5, 8.0.4
Oracle Financial services behavior detection platform: 6.1.1 (also listed without a version)
Oracle Financial services analytical applications infrastructure: version not specified
Oracle Enterprise manager for peoplesoft: 13.2.1.1, 13.1.1.1
Oracle Enterprise manager for mysql database: version not specified
Oracle Enterprise manager for oracle database: 12.1.0.8, 13.2.2
Oracle Enterprise manager base platform: 13.2.0.0, 12.1.0.5
Oracle Enterprise manager for fusion middleware: 12.1.0.5, 13.2.0.0
Oracle Enterprise data quality: 12.2.1.3.0
Oracle Communications service broker: 6.0
Oracle Configuration manager: 12.1.2.0.5, 12.1.2.0.2
Oracle Communications webrtc session controller: version not specified
Oracle Communications pricing design center: 12.0, 11.1
Oracle Communications messaging server: version not specified
Oracle Communications online mediation controller: 6.1
Oracle Communications converged application server - service controller: 6.1
Oracle Bi publisher: 12.2.1.4.0, 12.2.1.3.0, 11.1.1.9.0, 11.1.1.7.0
Oracle Banking platform: 2.6.2, 2.6.1, 2.6.0
Oracle Autovue vuelink integration: 21.0.1, 21.0.0
Oracle Api gateway: 11.1.2.4.0
Netapp Storage automation store: version not specified
Netapp Snapcenter: version not specified
Netapp Service level manager: version not specified
Netapp Oncommand workflow automation: version not specified
Netapp Oncommand insight: version not specified
Netapp Oncommand api services: version not specified
Apache Log4j: 2.8.1, 2.8, 2.7, 2.6.2, 2.6.1, 2.6, 2.5, 2.4.1, 2.4, 2.3, 2.2, 2.1, 2.0.2, 2.0.1, 2.0 Rc2, 2.0 Rc1, 2.0 Beta9, 2.0 Beta8, 2.0 Beta7, 2.0 Beta6, 2.0 Beta5, 2.0 Beta4, 2.0 Beta3, 2.0 Beta2, 2.0 Beta1, 2.0 Alpha2, 2.0 Alpha1
Vendors and products:

Oracle: Siebel ui framework; Soa suite; Retail predictive application server; Retail open commerce platform; Retail integration bus; Retail extract transform and load; Retail clearance optimization engine; Policy automation for mobile devices; Utilities work and asset management; Tape library acsls; Policy automation; Policy automation connector for siebel; Peoplesoft enterprise fin install; Mysql enterprise monitor; Jdeveloper; Jd edwards enterpriseone tools; Insurance rules palette; Insurance policy administration; Identity analytics; Identity management suite; Fusion middleware mapviewer; Goldengate application adapters; Insurance calculation engine; Flexcube investor servicing; Financial services profitability management; Financial services loan loss forecasting and provisioning; Financial services hedge management and ifrs valuations; Financial services behavior detection platform; Financial services analytical applications infrastructure; Enterprise manager for peoplesoft; Enterprise manager for mysql database; Enterprise manager for oracle database; Enterprise manager base platform; Enterprise manager for fusion middleware; Enterprise data quality; Communications service broker; Configuration manager; Communications webrtc session controller; Communications pricing design center; Communications messaging server; Communications online mediation controller; Communications converged application server - service controller; Bi publisher; Banking platform; Autovue vuelink integration; Api gateway
Redhat: Enterprise linux server tus; Enterprise linux workstation; Enterprise linux server eus; Enterprise linux server aus; Enterprise linux server; Enterprise linux desktop; Enterprise linux
Netapp: Storage automation store; Snapcenter; Service level manager; Oncommand workflow automation; Oncommand insight; Oncommand api services
Apache: Log4j
References:
https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b...
https://www.oracle.com/technetwork/security-advisory/cpu...
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://security.netapp.com/advisory/ntap-20180726-0002/
https://security.netapp.com/advisory/ntap-20181107-0002/
https://www.oracle.com/security-alerts/cpuapr2020.html
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf9...
https://lists.apache.org/thread.html/re8c21ed9dd218c217d...
https://lists.apache.org/thread.html/rf2567488cfc9212b42...
https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02...
https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b...
https://lists.apache.org/thread.html/rb1b29aee737e1c37fe...
https://lists.apache.org/thread.html/rca24a281000fb681d7...
https://lists.apache.org/thread.html/ra9a682bc0a8dff1c5c...
https://lists.apache.org/thread.html/raedd12dc24412b3780...
https://access.redhat.com/errata/RHSA-2017:1801
https://www.oracle.com/technetwork/security-advisory/cpu...
https://www.oracle.com/technetwork/security-advisory/cpu...
https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e...
https://lists.apache.org/thread.html/r681b4432d0605f327b...
https://lists.apache.org/thread.html/r746fbc3fc13aee292a...
https://lists.apache.org/thread.html/r7bcdc710857725c311...
https://lists.apache.org/thread.html/r61590890edcc64140e...
https://lists.apache.org/thread.html/r4b25538be50126194c...
https://lists.apache.org/thread.html/r3d666e4e8905157f3c...
https://lists.apache.org/thread.html/r3a85514a518f3080ab...
https://lists.apache.org/thread.html/r3784834e80df2f2845...
https://lists.apache.org/thread.html/r2ff63f210842a3c5e4...
https://lists.apache.org/thread.html/r18f1c010b554a3a2d7...
https://lists.apache.org/thread.html/r1b103833cb5bc8466e...
https://lists.apache.org/thread.html/r2ce8d26154bea93953...
https://lists.apache.org/thread.html/eea03d504b36e8f870e...
https://lists.apache.org/thread.html/e8fb7d76a244ee997ba...
https://lists.apache.org/thread.html/9317fd092b257a08154...
https://lists.apache.org/thread.html/8ab32b4c9f1826f20ad...
https://lists.apache.org/thread.html/6114ce566200d76e3cc...
https://lists.apache.org/thread.html/84cc4266238e057b95e...
https://lists.apache.org/thread.html/479471e6debd608c837...
https://lists.apache.org/thread.html/277b4b5c2b0e06a825c...
https://lists.apache.org/thread.html/44491fb9cc19acc901f...
https://issues.apache.org/jira/browse/LOG4J2-1863
https://lists.apache.org/thread.html/0dcca05274d20ef2d72...
https://access.redhat.com/errata/RHSA-2017:3400
https://access.redhat.com/errata/RHSA-2019:1545
https://access.redhat.com/errata/RHSA-2017:2811
https://access.redhat.com/errata/RHSA-2017:2888
https://access.redhat.com/errata/RHSA-2017:2889
https://access.redhat.com/errata/RHSA-2017:3244
https://access.redhat.com/errata/RHSA-2017:3399
https://access.redhat.com/errata/RHSA-2017:2809
https://access.redhat.com/errata/RHSA-2017:2810
https://access.redhat.com/errata/RHSA-2017:2808
https://access.redhat.com/errata/RHSA-2017:2638
https://access.redhat.com/errata/RHSA-2017:2636
https://access.redhat.com/errata/RHSA-2017:2637
https://access.redhat.com/errata/RHSA-2017:2635
https://access.redhat.com/errata/RHSA-2017:2423
https://access.redhat.com/errata/RHSA-2017:2633
https://access.redhat.com/errata/RHSA-2017:1417
https://access.redhat.com/errata/RHSA-2017:1802
http://www.securitytracker.com/id/1041294
http://www.securityfocus.com/bid/97702
http://www.securitytracker.com/id/1040200
http://www.oracle.com/technetwork/security-advisory/cpuo...
http://www.oracle.com/technetwork/security-advisory/cpuj...
http://www.oracle.com/technetwork/security-advisory/cpuj...
http://www.oracle.com/technetwork/security-advisory/cpua...
https://www.oracle.com/technetwork/security-advisory/cpu...
http://www.openwall.com/lists/oss-security/2019/12/19/2