Red Hat JBoss EAP: CVE-2017-5645: Deserialization of Untrusted Data
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Apr 2, 2017 | Sep 19, 2024 | Jul 2, 2025 |
Description
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. It was found that when using remote logging with the log4j socket server, the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.
Solution
Upgrade Red Hat JBoss EAP to the latest version (see the RHSA advisories listed under References).
References
- CWE-502
- CVE-2017-5645
- https://attackerkb.com/topics/CVE-2017-5645
- https://access.redhat.com/security/cve/CVE-2017-5645
- https://bugzilla.redhat.com/show_bug.cgi?id=1443635
- https://access.redhat.com/errata/RHSA-2017:2633
- https://access.redhat.com/errata/RHSA-2017:2635
- https://access.redhat.com/errata/RHSA-2017:2636
- https://access.redhat.com/errata/RHSA-2017:2637
- https://access.redhat.com/errata/RHSA-2017:2638
- https://access.redhat.com/errata/RHSA-2017:2808
- https://access.redhat.com/errata/RHSA-2017:2809
- https://access.redhat.com/errata/RHSA-2017:2810
- https://access.redhat.com/errata/RHSA-2017:2811
- https://access.redhat.com/errata/RHSA-2017:3399
- https://access.redhat.com/errata/RHSA-2017:3400