CVE编号
CVE-2019-17571利用情况
EXP 已公开补丁情况
官方补丁披露时间
2019-12-21漏洞描述
Apache Log4j是美国阿帕奇(Apache)软件基金会的一款基于Java的开源日志记录工具。 log4j1.2中包含一个SocketServer类,该类易受不可信数据反序列化的攻击,当监听日志数据的不可信网络流量时,该类与反序列化小工具结合使用,可远程执行任意代码。这会影响到1.2到1.2.17的Log4j版本。解决建议
1、Log4j 1.2.x版本已不再维护,建议用户升级Log4j至2.8.2安全版本:https://logging.apache.org/log4j/2.x/2、未使用Log4j SocketServer类将不受此漏洞影响,建议自查并禁止使用该类创建监听服务。
参考链接 |
|
|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00022.html | |
| https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d... | |
| https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f1563... | |
| https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4... | |
| https://lists.apache.org/thread.html/564f03b4e9511fcba29c68fc0299372dadbdb002... | |
| https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac157... | |
| https://lists.apache.org/thread.html/752ec92cd1e334a639e79bfbd689a4ec2c6579ec... | |
| https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89... | |
| https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16... | |
| https://lists.apache.org/thread.html/r05755112a8c164abc1004bb44f198b1e3d8ca3d... | |
| https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170... | |
| https://lists.apache.org/thread.html/r13d4b5c60ff63f3c4fab51d6ff266655be503b8... | |
| https://lists.apache.org/thread.html/r189aaeaad897f7d6b96f7c43a8ef2dfb9f6e9f8... | |
| https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bc... | |
| https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a70533... | |
| https://lists.apache.org/thread.html/r1b7734dfdfd938640f2f5fb6f4231a267145c71... | |
| https://lists.apache.org/thread.html/r26244f9f7d9a8a27a092eb0b2a0ca9395e88fcd... | |
| https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747... | |
| https://lists.apache.org/thread.html/r2756fd570b6709d55a61831ca028405bcb3e312... | |
| https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5... | |
| https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d07... | |
| https://lists.apache.org/thread.html/r3543ead2317dcd3306f69ee37b07dd383dbba6e... | |
| https://lists.apache.org/thread.html/r356d57d6225f91fdc30f8b0a2bed229d1ece55e... | |
| https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a... | |
| https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67c... | |
| https://lists.apache.org/thread.html/r3bf7b982dfa0779f8a71f843d2aa6b4184a53e6... | |
| https://lists.apache.org/thread.html/r3c575cabc7386e646fb12cb82b0b38ae5a6ade8... | |
| https://lists.apache.org/thread.html/r3cf50d05ce8cec8c09392624b7bae750e7643da... | |
| https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519... | |
| https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16... | |
| https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12... | |
| https://lists.apache.org/thread.html/r4ac89cbecd9e298ae9fafb5afda6fa77ac75c78... | |
| https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71b... | |
| https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef6359... | |
| https://lists.apache.org/thread.html/r594411f4bddebaf48a4c70266d0b7849e0d82bb... | |
| https://lists.apache.org/thread.html/r5c084578b3e3b40bd903c9d9e525097421bcd88... | |
| https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a... | |
| https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee... | |
| https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee... | |
| https://lists.apache.org/thread.html/r6236b5f8646d48af8b66d5050f2883040168407... | |
| https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d0... | |
| https://lists.apache.org/thread.html/r696507338dd5f44efc23d98cafe30f217cf3ba7... | |
| https://lists.apache.org/thread.html/r6aec6b8f70167fa325fb98b3b5c9ce0ffaed026... | |
| https://lists.apache.org/thread.html/r6b45a2fcc8e98ac93a179183dbb7f340027bdb8... | |
| https://lists.apache.org/thread.html/r6d34da5a0ca17ab08179a30c971446c7421af0e... | |
| https://lists.apache.org/thread.html/r71e26f9c2d5826c6f95ad60f7d052d75e1e70b0... | |
| https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a6... | |
| https://lists.apache.org/thread.html/r7a1acc95373105169bd44df710c2f462cad31fb... | |
| https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af... | |
| https://lists.apache.org/thread.html/r7f462c69d5ded4c0223e014d95a3496690423c5... | |
| https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a9... | |
| https://lists.apache.org/thread.html/r8418a0dff1729f19cf1024937e23a2db4c0f94f... | |
| https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255... | |
| https://lists.apache.org/thread.html/r8a1cfd4705258c106e488091fcec85f194c82f2... | |
| https://lists.apache.org/thread.html/r8c392ca48bb7e50754e4bc05865e9731b23d568... | |
| https://lists.apache.org/thread.html/r8c6300245c0bcef095e9f07b48157e2c6471df0... | |
| https://lists.apache.org/thread.html/r8d78a0fbb56d505461e29868d1026e98c402e6a... | |
| https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950... | |
| https://lists.apache.org/thread.html/r909b8e3a36913944d3b7bafe9635d4ca84f8f0e... | |
| https://lists.apache.org/thread.html/r90c23eb8c82835fa82df85ae5e88c81fd9241e2... | |
| https://lists.apache.org/thread.html/r944183c871594fe9a555b8519a7c945bbcf6714... | |
| https://lists.apache.org/thread.html/r9a9e3b42cd5d1c4536a14ef04f75048dec8e274... | |
| https://lists.apache.org/thread.html/r9d0d03f2e7d9e13c68b530f81d02b0fec33133e... | |
| https://lists.apache.org/thread.html/r9d2e28e71f91ba0b6f4114c8ecd96e2b1f7e0d0... | |
| https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2... | |
| https://lists.apache.org/thread.html/r9fb3238cfc3222f2392ca6517353aadae18f768... | |
| https://lists.apache.org/thread.html/ra18a903f785aed9403aea38bc6f36844a056283... | |
| https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fad... | |
| https://lists.apache.org/thread.html/ra54fa49be3e773d99ccc9c2a422311cf77e3ecd... | |
| https://lists.apache.org/thread.html/ra9611a8431cb62369bce8909d7645597e1dd45c... | |
| https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a7277... | |
| https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5dee... | |
| https://lists.apache.org/thread.html/rb3c94619728c8f8c176d8e175e0a1086ca737ec... | |
| https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851... | |
| https://lists.apache.org/thread.html/rbd19de368abf0764e4383ec44d527bc9870176f... | |
| https://lists.apache.org/thread.html/rbdf18e39428b5c80fc35113470198b1fe53b287... | |
| https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af... | |
| https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af... | |
| https://lists.apache.org/thread.html/rc17d8491beee51607693019857e41e769795366... | |
| https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1... | |
| https://lists.apache.org/thread.html/rc628307962ae1b8cc2d21b8e4b7dd6d7755b2dd... | |
| https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a... | |
| https://lists.apache.org/thread.html/rcd71280585425dad7e232f239c5709e425efdd0... | |
| https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2... | |
| https://lists.apache.org/thread.html/rd3a9511eebab60e23f224841390a3f8cd5358cf... | |
| https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072... | |
| https://lists.apache.org/thread.html/rd6254837403e8cbfc7018baa9be29705f3f06bd... | |
| https://lists.apache.org/thread.html/rd7805c1bf9388968508c6c8f84588773216e560... | |
| https://lists.apache.org/thread.html/rd882ab6b642fe59cbbe94dc02bd197342058208... | |
| https://lists.apache.org/thread.html/rda4849c6823dd3e83c7a356eb883180811d5c28... | |
| https://lists.apache.org/thread.html/rdb7ddf28807e27c7801f6e56a0dfb31092d34c6... | |
| https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556... | |
| https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae7134741527606... | |
| https://lists.apache.org/thread.html/re36da78e4f3955ba6c1c373a2ab85a4deb215ca... | |
| https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b08... | |
| https://lists.apache.org/thread.html/reaf6b996f74f12b4557bc221abe88f58270ac58... | |
| https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d... | |
| https://lists.apache.org/thread.html/rf1b434e11834a4449cd7addb69ed0aef0923112... | |
| https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e48... | |
| https://lists.apache.org/thread.html/rf53eeefb7e7e524deaacb9f8671cbf01b8a253e... | |
| https://lists.apache.org/thread.html/rf77f79699c8d7e430c14cf480f12ed1297e6e8c... | |
| https://lists.apache.org/thread.html/rf9c19bcc2f7a98a880fa3e3456c003d331812b5... | |
| https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0... | |
| https://lists.apache.org/thread.html/rfdf65fa675c64a64459817344e0e6c44d51ee26... | |
| https://lists.debian.org/debian-lts-announce/2020/01/msg00008.html | |
| https://security.netapp.com/advisory/ntap-20200110-0001/ | |
| https://usn.ubuntu.com/4495-1/ | |
| https://www.debian.org/security/2020/dsa-4686 | |
| https://www.oracle.com/security-alerts/cpuapr2020.html | |
| https://www.oracle.com/security-alerts/cpuApr2021.html | |
| https://www.oracle.com/security-alerts/cpujul2020.html |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | apache | log4j | * |
From (including) 1.2 |
Up to (including) 1.2.17 |
||||
| 运行在以下环境 | |||||||||
| 系统 | amazon_AMI | log4j | * |
Up to (excluding) 1.2.17-16.12.amzn1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_10 | log4j | * |
Up to (excluding) 1.2.17-8+deb10u1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_8 | log4j | * |
Up to (excluding) 1.2.17-5+deb8u1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_9 | log4j | * |
Up to (excluding) 1.2.17-7+deb9u1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | opensuse_Leap_15.1 | log4j | * |
Up to (excluding) 1.2.17-lp151.5.3.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | suse_12_SP4 | log4j | * |
Up to (excluding) 1.2.15-126.3.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | suse_12_SP5 | log4j | * |
Up to (excluding) 1.2.15-126.3.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_18.04 | log4j | * |
Up to (excluding) 1.2.17-8+deb10u1build0.18.04.1 |
|||||
- 攻击路径 远程
- 攻击复杂度 容易
- 权限要求 无需权限
- 影响范围 全局影响
- EXP成熟度 EXP 已公开
- 补丁情况 官方补丁
- 数据保密性 数据泄露
- 数据完整性 传输被破坏
- 服务器危害 服务器失陷
- 全网数量 100
还没有评论,来说两句吧...