Vulnerabilities (CVE)

Filtered by vendor: Apache
Filtered by product: Log4j
Total: 3 CVEs
Columns: CVE, Vendors (count and names), Products (count and names), Updated, CVSS v2, CVSS v3, Description

CVE-2020-9488
  Vendors (2): Apache, Oracle
  Products (36): Log4j, Communications Application Session Controller, Communications Billing And Revenue Management and 33 more
  Updated: 2021-10-20
  CVSS v2: 4.3 MEDIUM
  CVSS v3: 3.7 LOW
  Description: Improper validation of the certificate host name (host mismatch) in the Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attacker, leaking any log messages sent through that appender.

CVE-2017-5645
  Vendors (4): Apache, Netapp, Oracle and 1 more
  Products (60): Log4j, Oncommand Api Services, Oncommand Insight and 57 more
  Updated: 2021-10-20
  CVSS v2: 7.5 HIGH
  CVSS v3: 9.8 CRITICAL
  Description: In Apache Log4j 2.x before 2.8.2, when the TCP socket server or UDP socket server is used to receive serialized log events from another application, a specially crafted binary payload can be sent that executes arbitrary code when deserialized.

CVE-2019-17571
  Vendors (6): Apache, Canonical, Debian and 3 more
  Products (15): Log4j, Ubuntu Linux, Debian Linux and 12 more
  Updated: 2021-10-18
  CVSS v2: 7.5 HIGH
  CVSS v3: 9.8 CRITICAL
  Description: Log4j 1.2 includes a SocketServer class that is vulnerable to deserialization of untrusted data. When it listens to untrusted network traffic for log data, this can be exploited to remotely execute arbitrary code in combination with a deserialization gadget. This affects Log4j 1.2 versions up to and including 1.2.17.