CVE-2017-5645

critical

Published 2017-04-17 · Modified 2024-03-14

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

9.8

Description

Deserialization of Untrusted Data in Log4j

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

OS impact

Red Hat Affected 7 releases

Version	Status	Fixed in
7.6	Affected	—
7.5	Affected	—
7.4	Affected	—
7.3	Affected	—
7.0	Affected	—
6.7	Affected	—
6.0	Affected	—

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`2.7-2`
sid	Fixed	`2.7-2`
forky	Fixed	`2.7-2`
bullseye	Fixed	`2.7-2`
bookworm	Fixed	`2.7-2`

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	org.apache.logging.log4j:log4j	`>=2.0,<2.8.2`	`2.8.2`
Maven	org.apache.logging.log4j:log4j-core	`>=2.0,<2.8.2`	`2.8.2`

Application impact

Vendor	Product	Versions	Fixed
apache	log4j	`{"startIncluding":"2.0","endExcluding":"2.8.2"}`	`2.8.2`
netapp	oncommand_api_services	`-`
netapp	oncommand_insight	`-`
netapp	oncommand_workflow_automation	`-`
netapp	service_level_manager	`-`
netapp	snapcenter	`-`
netapp	storage_automation_store	`-`
redhat	fuse	`1.0`
oracle	api_gateway	`11.1.2.4.0`
oracle	application_testing_suite	`13.3.0.1`
oracle	autovue_vuelink_integration	`21.0.0`
oracle	autovue_vuelink_integration	`21.0.1`
oracle	banking_platform	`2.6.0`
oracle	banking_platform	`2.6.1`
oracle	banking_platform	`2.6.2`
oracle	bi_publisher	`11.1.1.7.0`
oracle	bi_publisher	`11.1.1.9.0`
oracle	bi_publisher	`12.2.1.3.0`
oracle	bi_publisher	`12.2.1.4.0`
oracle	communications_converged_application_server_-_service_controller	`6.1`
oracle	communications_instant_messaging_server	`10.0.1.3.0`
oracle	communications_interactive_session_recorder	`{"startIncluding":"6.0","endIncluding":"6.2"}`
oracle	communications_messaging_server	`{"endExcluding":"8.0.2"}`	`8.0.2`
oracle	communications_network_integrity	`{"startIncluding":"7.3.2","endIncluding":"7.3.6"}`
oracle	communications_online_mediation_controller	`6.1`
oracle	communications_pricing_design_center	`11.1`
oracle	communications_pricing_design_center	`12.0`
oracle	communications_service_broker	`6.0`
oracle	communications_webrtc_session_controller	`{"endExcluding":"7.2"}`	`7.2`
oracle	configuration_manager	`12.1.2.0.2`
oracle	configuration_manager	`12.1.2.0.5`
oracle	endeca_information_discovery_studio	`3.2.0`
oracle	enterprise_data_quality	`12.2.1.3.0`
oracle	enterprise_manager_base_platform	`12.1.0.5`
oracle	enterprise_manager_base_platform	`13.2.0.0`
oracle	enterprise_manager_for_fusion_middleware	`12.1.0.5`
oracle	enterprise_manager_for_fusion_middleware	`13.2.0.0`
oracle	enterprise_manager_for_mysql_database	`{"endIncluding":"13.2.2.0.0"}`
oracle	enterprise_manager_for_oracle_database	`12.1.0.8`
oracle	enterprise_manager_for_oracle_database	`13.2.2`
oracle	enterprise_manager_for_peoplesoft	`13.1.1.1`
oracle	enterprise_manager_for_peoplesoft	`13.2.1.1`
oracle	retail_extract_transform_and_load	`13.2`
oracle	financial_services_analytical_applications_infrastructure	`{"startIncluding":"7.3.3.0.0","endIncluding":"7.3.3.0.2"}`
oracle	financial_services_behavior_detection_platform	`{"startIncluding":"8.0.0.0.0","endIncluding":"8.0.4.0.0"}`
oracle	financial_services_behavior_detection_platform	`6.1.1`
oracle	financial_services_hedge_management_and_ifrs_valuations	`8.0.4`
oracle	financial_services_hedge_management_and_ifrs_valuations	`8.0.5`
oracle	financial_services_lending_and_leasing	`{"startIncluding":"14.1.0","endIncluding":"14.8.0"}`
oracle	financial_services_lending_and_leasing	`12.5.0`
oracle	financial_services_loan_loss_forecasting_and_provisioning	`8.0.4`
oracle	financial_services_loan_loss_forecasting_and_provisioning	`8.0.5`
oracle	financial_services_profitability_management	`{"startIncluding":"8.0.0.0.0","endIncluding":"8.0.7.0.0"}`
oracle	financial_services_profitability_management	`6.1.1`
oracle	financial_services_regulatory_reporting_with_agilereporter	`8.0.9.2.0`
oracle	flexcube_investor_servicing	`12.0.4`
oracle	flexcube_investor_servicing	`12.1.0`
oracle	flexcube_investor_servicing	`12.3.0`
oracle	flexcube_investor_servicing	`12.4.0`
oracle	flexcube_investor_servicing	`14.0.0`
oracle	fusion_middleware_mapviewer	`12.2.1.2`
oracle	fusion_middleware_mapviewer	`12.2.1.3`
oracle	goldengate	`12.3.2.1.1`
oracle	goldengate_application_adapters	`12.3.2.1.1`
oracle	identity_analytics	`11.1.1.5.8`
oracle	identity_management_suite	`11.1.2.3.0`
oracle	identity_management_suite	`12.2.1.3.0`
oracle	identity_manager_connector	`9.0`
oracle	in-memory_performance-driven_planning	`12.1`
oracle	in-memory_performance-driven_planning	`12.2`
oracle	instantis_enterprisetrack	`{"startIncluding":"17.1","endIncluding":"17.3"}`
oracle	insurance_calculation_engine	`10.1.1`
oracle	insurance_calculation_engine	`10.2.1`
oracle	insurance_policy_administration	`10.0`
oracle	insurance_policy_administration	`10.1`
oracle	insurance_policy_administration	`10.2`
oracle	insurance_policy_administration	`11.0`
oracle	insurance_rules_palette	`10.0`
oracle	insurance_rules_palette	`10.1`
oracle	insurance_rules_palette	`10.2`
oracle	insurance_rules_palette	`11.0`
oracle	insurance_rules_palette	`11.1`
oracle	jd_edwards_enterpriseone_tools	`4.0.1.0`
oracle	jd_edwards_enterpriseone_tools	`9.2`
oracle	jdeveloper	`11.1.1.9.0`
oracle	jdeveloper	`12.1.3.0.0`
oracle	jdeveloper	`12.2.1.3.0`
oracle	mysql_enterprise_monitor	`{"startIncluding":"3.4.0.0","endIncluding":"3.4.7.4297"}`
oracle	peoplesoft_enterprise_fin_install	`9.2`
oracle	policy_automation	`10.4.7`
oracle	policy_automation	`12.1.0`
oracle	policy_automation	`12.1.1`
oracle	policy_automation	`12.2.0`
oracle	policy_automation	`12.2.1`
oracle	policy_automation	`12.2.2`
oracle	policy_automation	`12.2.3`
oracle	policy_automation	`12.2.4`
oracle	policy_automation	`12.2.5`
oracle	policy_automation	`12.2.6`
oracle	policy_automation	`12.2.7`
oracle	policy_automation	`12.2.8`
oracle	policy_automation	`12.2.9`
oracle	policy_automation	`12.2.10`
oracle	policy_automation_connector_for_siebel	`10.4.6`
oracle	policy_automation_for_mobile_devices	`10.4.7`
oracle	policy_automation_for_mobile_devices	`12.1.0`
oracle	policy_automation_for_mobile_devices	`12.1.1`
oracle	policy_automation_for_mobile_devices	`12.2.0`
oracle	policy_automation_for_mobile_devices	`12.2.1`
oracle	policy_automation_for_mobile_devices	`12.2.2`
oracle	policy_automation_for_mobile_devices	`12.2.3`
oracle	policy_automation_for_mobile_devices	`12.2.4`
oracle	policy_automation_for_mobile_devices	`12.2.5`
oracle	policy_automation_for_mobile_devices	`12.2.6`
oracle	policy_automation_for_mobile_devices	`12.2.7`
oracle	policy_automation_for_mobile_devices	`12.2.8`
oracle	policy_automation_for_mobile_devices	`12.2.9`
oracle	policy_automation_for_mobile_devices	`12.2.10`
oracle	primavera_gateway	`{"startIncluding":"16.2.0","endIncluding":"16.2.11"}`
oracle	rapid_planning	`12.1`
oracle	rapid_planning	`12.2`
oracle	retail_advanced_inventory_planning	`14.0`
oracle	retail_advanced_inventory_planning	`15.0`
oracle	retail_clearance_optimization_engine	`14.0.5`
oracle	retail_extract_transform_and_load	`13.0`
oracle	retail_extract_transform_and_load	`13.1`
oracle	retail_extract_transform_and_load	`19.0`
oracle	retail_integration_bus	`14.0.0`
oracle	retail_integration_bus	`14.1.0`
oracle	retail_integration_bus	`15.0`
oracle	retail_integration_bus	`16.0`
oracle	retail_open_commerce_platform	`5.3.0`
oracle	retail_open_commerce_platform	`6.0.0`
oracle	retail_open_commerce_platform	`6.0.1`
oracle	retail_predictive_application_server	`15.0.3`
oracle	retail_service_backbone	`14.1`
oracle	retail_service_backbone	`15.0`
oracle	retail_service_backbone	`16.0`
oracle	siebel_ui_framework	`18.7`
oracle	siebel_ui_framework	`18.8`
oracle	siebel_ui_framework	`18.9`
oracle	soa_suite	`12.1.3.0.0`
oracle	soa_suite	`12.2.1.3.0`
oracle	soa_suite	`12.2.2.0.0`
oracle	tape_library_acsls	`8.4`
oracle	timesten_in-memory_database	`11.2.2.8.49`
oracle	utilities_advanced_spatial_and_operational_analytics	`2.7.0.1`
oracle	utilities_work_and_asset_management	`1.9.1.2.12`
oracle	weblogic_server	`10.3.6.0.0`
oracle	weblogic_server	`12.1.3.0.0`
oracle	weblogic_server	`12.2.1.3.0`
oracle	weblogic_server	`12.2.1.4.0`
oracle	weblogic_server	`14.1.1.0.0`

References

CWEs

CWE-502

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.