IT security expert company: cybersecurity audits and consulting
French cybersecurity company since 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2019-17571

Description

Log4j 1.2 includes a SocketServer class that deserializes untrusted data. When the server listens for log data on untrusted network traffic, this can be exploited for remote arbitrary code execution when combined with a deserialization gadget chain. This affects Log4j 1.2 versions up to and including 1.2.17.

POC

Reference

- https://lists.apache.org/thread.html/r6236b5f8646d48af8b66d5050f288304016840788e508c883356fe0e@%3Clog4j-user.logging.apache.org%3E

- https://www.oracle.com/security-alerts/cpuApr2021.html

- https://www.oracle.com/security-alerts/cpuapr2020.html

- https://www.oracle.com/security-alerts/cpuapr2022.html

- https://www.oracle.com/security-alerts/cpujul2020.html

- https://www.oracle.com/security-alerts/cpujul2022.html

GitHub

- https://github.com/0xT11/CVE-POC

- https://github.com/20142995/nuclei-templates

- https://github.com/7hang/cyber-security-interview

- https://github.com/ARPSyndicate/cvemon

- https://github.com/AdeliaNitzsche/Java-Deserialization-Cheat-Sheet

- https://github.com/Al1ex/CVE-2019-17571

- https://github.com/AlexanderBrese/ubiquitous-octo-guacamole

- https://github.com/BrittanyKuhn/javascript-tutorial

- https://github.com/DataTranspGit/Jasper-Starter

- https://github.com/GavinStevensHoboken/log4j

- https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet

- https://github.com/HUB-ROOT/Dockerizing-jasperstarter-3.6.2

- https://github.com/HackJava/HackLog4j2

- https://github.com/HackJava/Log4j2

- https://github.com/HynekPetrak/log4shell-finder

- https://github.com/Live-Hack-CVE/CVE-2019-17571

- https://github.com/NetW0rK1le3r/awesome-hacking-lists

- https://github.com/OWASP/www-project-ide-vulscanner

- https://github.com/PalindromeLabs/Java-Deserialization-CVEs

- https://github.com/RajuYelagattu/gopi

- https://github.com/Retr0-ll/2023-littleTerm

- https://github.com/Retr0-ll/littleterm

- https://github.com/RihanaDave/logging-log4j1-main

- https://github.com/SarthakShieldersoft/TestVWA

- https://github.com/Schnitker/log4j-min

- https://github.com/SexyBeast233/SecBooks

- https://github.com/albert-liu435/logging-log4j-1_2_17

- https://github.com/alphaSeclab/sec-daily-2019

- https://github.com/apache/logging-log4j1

- https://github.com/averemee-si/oracdc

- https://github.com/ben-smash/l4j-info

- https://github.com/brunsu/woodswiki

- https://github.com/cenote/jasperstarter

- https://github.com/chairkb/openhtmltopdf

- https://github.com/colin-pm/py-vex

- https://github.com/colin-pm/vexipy

- https://github.com/cyb3r-w0lf/nuclei-template-collection

- https://github.com/danfickle/openhtmltopdf

- https://github.com/davejwilson/azure-spark-pools-log4j

- https://github.com/dbzoo/log4j_scanner

- https://github.com/developer3000S/PoC-in-GitHub

- https://github.com/eeenvik1/scripts_for_YouTrack

- https://github.com/emilywang0/CVE_testing_VULN

- https://github.com/emilywang0/MergeBase_test_vuln

- https://github.com/fat-tire/floreantpos

- https://github.com/girishatindra/basic-vulnerability-assessment

- https://github.com/hammadrauf/jasperstarter-fork

- https://github.com/hectorgie/PoC-in-GitHub

- https://github.com/helsecert/CVE-2021-44228

- https://github.com/hillu/local-log4j-vuln-scanner

- https://github.com/ingolemv/vulnerability_management

- https://github.com/janimakinen/hello-world-apache-wicket

- https://github.com/jaspervanderhoek/MicroflowScheduledEventManager

- https://github.com/jo4dan/Vulnerability-Scan-Using-Nessus-Essentials

- https://github.com/lel99999/dev_MesosRI

- https://github.com/logpresso/CVE-2021-44228-Scanner

- https://github.com/ltslog/ltslog

- https://github.com/mad1c/log4jchecker

- https://github.com/mahiratan/apache

- https://github.com/marklogic/marklogic-contentpump

- https://github.com/mishmashclone/GrrrDog-Java-Deserialization-Cheat-Sheet

- https://github.com/n0-traces/cve_monitor

- https://github.com/netricsag/log4j-scanner

- https://github.com/orgTestCodacy11KRepos110MB/repo-5360-openhtmltopdf

- https://github.com/pen4uin/awesome-vulnerability-research

- https://github.com/pen4uin/vulnerability-research

- https://github.com/pen4uin/vulnerability-research-list

- https://github.com/readloud/Awesome-Stars

- https://github.com/rodriguezcappsec/java-vulnerabilities

- https://github.com/sa-ne/FixSigTrack

- https://github.com/samuelabdelsayed/insecure-app

- https://github.com/shadow-horse/CVE-2019-17571

- https://github.com/spashx/cyclonedx2cytoscape

- https://github.com/thl-cmk/CVE-log4j-check_mk-plugin

- https://github.com/trhacknon/CVE-2021-44228-Scanner

- https://github.com/trhacknon/log4shell-finder

- https://github.com/woods-sega/woodswiki

- https://github.com/x-f1v3/Vulnerability_Environment

- https://github.com/xbl2022/awesome-hacking-lists

- https://github.com/yahoo/cubed