Summary

  Vendor            Apache
  Product           log4j
  Version           *
  Update            *
  Edition           *
  Language          *
  Software Edition  *
  Target Software   *
  Target Hardware   *
  Other             *

Detail

  First view  2019-12-20
  Last view   2020-04-27
  Type        Application

CPE Product  cpe:2.3:a:apache:log4j

Activity : Overall

Related : CVE

  CVSS  Date        CVE
  3.7   2020-04-27  CVE-2020-9488

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log messages sent through that appender.

  9.8   2019-12-20  CVE-2019-17571

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j versions from 1.2 up to 1.2.17.

CWE : Common Weakness Enumeration

  %        Id       Name
  50% (1)  CWE-502  Deserialization of Untrusted Data
  50% (1)  CWE-295  Certificate Issues

Snort® IPS/IDS

  Date        Description
  2020-04-21  Apache Log4j SocketServer insecure deserialization remote code execution attempt
              Rule ID: 53475 - Type: SERVER-OTHER - Revision: 1