CVE-2017-5645 (High) detected in log4j-core-2.8.jar, log4j-core-2.7.jar

[mend-for-github-com]

CVE-2017-5645 - High Severity Vulnerability

Vulnerable Libraries - log4j-core-2.8.jar, log4j-core-2.7.jar

log4j-core-2.8.jar

The Apache Log4j Implementation

Path to dependency file: cloud-pipeline/billing-report-agent/build.gradle

Path to vulnerable library: canner/.gradle/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-core/2.8/2be463a710be42bb6b4831b980f0d270b98ff233/log4j-core-2.8.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-core/2.8/2be463a710be42bb6b4831b980f0d270b98ff233/log4j-core-2.8.jar

Dependency Hierarchy:

• ❌ log4j-core-2.8.jar (Vulnerable Library)

log4j-core-2.7.jar

The Apache Log4j Implementation

Path to dependency file: cloud-pipeline/jwt-generator/build.gradle

Path to vulnerable library: canner/.gradle/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-core/2.7/a3f2b4e64c61a7fc1ed8f1e5ba371933404ed98a/log4j-core-2.7.jar

Dependency Hierarchy:

• ❌ log4j-core-2.7.jar (Vulnerable Library)

Found in HEAD commit: 1db3170e0bd699acd5fec6e3fcebfa68fe86edcf

Found in base branch: develop

Vulnerability Details

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

Publish Date: 2017-04-17

URL: CVE-2017-5645

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645

Release Date: 2017-04-17

Fix Resolution: 2.8.2