CVE-2019-17571

9.8 CRITICAL

📋 TL;DR

CVE-2019-17571 is a critical deserialization vulnerability in Log4j 1.2's SocketServer class that allows remote code execution when untrusted data is deserialized. Attackers can exploit this by sending malicious serialized objects to vulnerable SocketServer instances, potentially taking full control of affected systems. This affects all applications using Log4j 1.2 up to version 1.2.17 with SocketServer enabled.

💻 Affected Systems

Products:
  • Apache Log4j
Versions: 1.2 up to and including 1.2.17
Operating Systems: All operating systems running Java
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when SocketServer is explicitly enabled and configured to listen for network traffic. Default Log4j configurations do not enable SocketServer.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with remote code execution leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Remote code execution allowing attackers to execute arbitrary commands, install malware, or pivot to other systems in the network.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to SocketServer ports.

🌐 Internet-Facing: HIGH - SocketServer exposed to internet traffic creates immediate exploitation risk due to unauthenticated remote code execution.
🏢 Internal Only: MEDIUM - Internal network exposure still presents significant risk, especially in flat networks or if attackers gain internal foothold.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires SocketServer to be enabled and accessible. Public exploit code exists and leverages Java deserialization gadgets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Log4j 1.2.17 with additional security fixes or upgrade to Log4j 2.x

Vendor Advisory: https://logging.apache.org/log4j/1.2/

Restart Required: Yes

Instructions:

1. Upgrade to Log4j 1.2.17 with security patches or migrate to Log4j 2.x.
2. Replace log4j-1.2.17.jar with the patched version.
3. Restart all Java applications using Log4j.
4. Verify no vulnerable versions remain in dependencies.

🔧 Temporary Workarounds

Disable SocketServer

all

Prevent SocketServer from being enabled in Log4j configuration

Remove or comment out SocketServer configuration in log4j.properties or log4j.xml
Ensure no SocketServer classes are instantiated in code

Network Access Control

linux

Block network access to SocketServer ports

# iptables: drop inbound TCP to the SocketServer port (replace [SOCKETSERVER_PORT] with the configured port; use -I instead of -A if an earlier ACCEPT rule would match first)
iptables -A INPUT -p tcp --dport [SOCKETSERVER_PORT] -j DROP
# firewalld: permanent rich rule rejecting all IPv4 sources, then a reload so the permanent rule takes effect
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port port="[SOCKETSERVER_PORT]" protocol="tcp" reject'
firewall-cmd --reload

🧯 If You Can't Patch

  • Disable SocketServer functionality completely in all configurations
  • Implement strict network segmentation and firewall rules to block all access to SocketServer ports

🔍 How to Verify

Check if Vulnerable:

Check if log4j-1.2.x.jar (x ≤ 17) exists in classpath and SocketServer is configured in log4j.properties/xml or instantiated in code.

Check Version:

find / -name "*log4j*.jar" -type f 2>/dev/null | xargs -I {} sh -c 'echo {}; unzip -p {} META-INF/MANIFEST.MF 2>/dev/null | grep "Implementation-Version"'

Verify Fix Applied:

Verify log4j-1.2.17.jar is present and SocketServer is disabled or removed from configuration.
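The three verification steps above can be automated. The following scanner is an added example, not part of this advisory or of the Log4j project: it walks a directory tree, reads Implementation-Version from each log4j jar's MANIFEST.MF, compares it against the 1.2.0 .. 1.2.17 range, and reports whether the jar still ships org/apache/log4j/net/SocketServer.class (a jar with that class removed is one way a "patched" 1.2.17 differs from the stock build). The jars built by run_demo() are constructed test fixtures, not real Log4j builds.

```python
"""Scan a directory tree for Log4j 1.2 jars affected by CVE-2019-17571 (added example)."""
import os
import re
import tempfile
import zipfile

SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"
AFFECTED_MIN = (1, 2, 0)
AFFECTED_MAX = (1, 2, 17)  # 1.2 up to and including 1.2.17 is affected


def parse_version(text):
    """Turn '1.2.17' into (1, 2, 17); return None if the text is not a dotted version."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def is_affected_version(version):
    """True for Log4j 1.2.0 .. 1.2.17; False for newer 1.x, 2.x, or unparseable input."""
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def manifest_version(jar_path):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess_jar(jar_path):
    """Classify one jar: version, whether SocketServer.class is present, and a verdict.

    'affected' is True when the version is in range AND the class is still shipped,
    False when either condition fails, and None when the version could not be read.
    """
    version = manifest_version(jar_path)
    with zipfile.ZipFile(jar_path) as jar:
        has_socket_server = SOCKET_SERVER_CLASS in jar.namelist()
    if version is None:
        affected = None  # unknown: inspect the jar manually
    else:
        affected = is_affected_version(version) and has_socket_server
    return {"path": jar_path, "version": version,
            "socket_server_class": has_socket_server, "affected": affected}


def scan_tree(root):
    """Return an assessment for every *log4j*.jar under root (unreadable jars get affected=None)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if "log4j" in name.lower() and name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                try:
                    results.append(assess_jar(path))
                except zipfile.BadZipFile:
                    results.append({"path": path, "version": None,
                                    "socket_server_class": False, "affected": None})
    return results


def build_sample_jar(path, version, include_socket_server=True):
    """Write a constructed jar for testing the scanner (NOT a real Log4j build)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        if include_socket_server:
            # placeholder bytes standing in for the class file; only the entry name matters here
            jar.writestr(SOCKET_SERVER_CLASS, b"\xca\xfe\xba\xbe")


def run_demo():
    """Build three constructed jars in a temp dir, scan them, return results keyed by file name."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_jar(os.path.join(root, "log4j-1.2.17.jar"), "1.2.17")
    build_sample_jar(os.path.join(root, "log4j-1.2.17-stripped.jar"), "1.2.17",
                     include_socket_server=False)
    build_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    return {os.path.basename(r["path"]): r for r in scan_tree(root)}


if __name__ == "__main__":
    for name, result in sorted(run_demo().items()):
        print(name, result["version"], "affected=%s" % result["affected"])
```

Run it against a real host with scan_tree("/") (or the application's lib directory) rather than run_demo(); a jar whose manifest lacks Implementation-Version comes back as affected=None and needs a manual look, and a True result still only matters if SocketServer is actually started on that host.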

📡 Detection & Monitoring

Log Indicators:

  • SocketServer startup logs
  • Unexpected Java deserialization errors
  • Suspicious network connections to Log4j ports

Network Indicators:

  • Traffic to unusual ports (default 4560) with serialized Java objects
  • Outbound connections from Log4j servers post-exploitation
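The network indicator above (serialized Java objects arriving on the SocketServer port) can be checked mechanically from captured payloads. This is an added example, not part of this advisory: it recognises the Java serialization stream header (magic 0xACED, version 0x0005) and extracts the first class descriptor name. A legitimate Log4j SocketAppender writes org.apache.log4j.spi.LoggingEvent objects, so a stream on that port whose first class is anything else is worth an alert. Port 4560 is the page's stated default; the sample flows are constructed and carry only stream headers, not complete objects, and the class-name check is a heuristic, not proof that a stream is benign.

```python
"""Flag TCP payloads that look like Java serialization streams aimed at a Log4j SocketServer port (added example)."""
import struct

STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = b"\x00\x05"
TC_OBJECT = 0x73      # start of a serialized object
TC_CLASSDESC = 0x72   # class descriptor that follows the first object of a class
EXPECTED_CLASS = "org.apache.log4j.spi.LoggingEvent"  # what a legitimate SocketAppender sends


def is_serialization_stream(payload):
    """True if the payload starts with the Java serialization stream header."""
    return payload[:4] == STREAM_MAGIC + STREAM_VERSION


def first_class_name(payload):
    """Return the first class descriptor name in a Java serialization stream, or None.

    Layout after the 4-byte header: TC_OBJECT, TC_CLASSDESC, 2-byte big-endian
    length, then the UTF-8 class name. Anything else (TC_REFERENCE, arrays,
    strings, a mid-stream fragment) returns None.
    """
    if not is_serialization_stream(payload):
        return None
    body = payload[4:]
    if len(body) < 4 or body[0] != TC_OBJECT or body[1] != TC_CLASSDESC:
        return None
    (length,) = struct.unpack(">H", body[2:4])
    name = body[4:4 + length]
    if len(name) != length:
        return None  # truncated capture
    return name.decode("utf-8", "replace")


def assess_flow(dst_port, payload, watch_port=4560):
    """Return a finding string for one flow, or None if nothing is notable."""
    serialized = is_serialization_stream(payload)
    if dst_port == watch_port:
        if not serialized:
            return "non-serialized data to SocketServer port"
        cls = first_class_name(payload)
        if cls != EXPECTED_CLASS:
            return "serialized stream to SocketServer port with unexpected first class %r" % cls
        return "serialized LoggingEvent to SocketServer port (expected shape; verify source host)"
    if serialized:
        return "Java serialization stream to non-standard port %d" % dst_port
    return None


def build_stream_head(class_name):
    """Build only the head of a serialization stream (constructed test data, not a full object)."""
    name = class_name.encode("utf-8")
    return (STREAM_MAGIC + STREAM_VERSION + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name)


# Constructed sample flows: (destination port, first bytes of the TCP payload)
SAMPLE_FLOWS = [
    (4560, build_stream_head(EXPECTED_CLASS)),
    (4560, build_stream_head("java.util.HashMap")),
    (4560, b"GET / HTTP/1.1\r\n"),
    (8080, build_stream_head("java.util.HashMap")),
    (443, b"\x16\x03\x01\x02\x00"),
]


def run_detection(flows=SAMPLE_FLOWS, watch_port=4560):
    """Assess each flow; returns a list of (port, finding-or-None) in input order."""
    return [(port, assess_flow(port, data, watch_port)) for port, data in flows]


if __name__ == "__main__":
    for port, finding in run_detection():
        print(port, finding or "ok")
```

Feed it the first packet of each inbound connection (from a capture or a network sensor) with watch_port set to the port SocketServer actually listens on; the "expected shape" result is still logged so that LoggingEvent streams from hosts that are not known appenders stand out.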

SIEM Query:

source="*log4j*" AND ("SocketServer" OR "deserialization" OR "4560/tcp")

🔗 References
