CVE-2019-17571


REPORTED VULNERABILITY

The SocketServer class included in Log4j 1.2 is vulnerable to deserialization of untrusted data: it reads serialized LoggingEvent objects from the network with an ObjectInputStream, so any class on the receiving JVM's classpath can be instantiated by a remote client. When a suitable deserialization gadget chain is present, this can be exploited to execute arbitrary code remotely on a host that listens for log data from untrusted network traffic. This affects Log4j versions from 1.2 up to and including 1.2.17.

REPORTED PRODUCTS

  • WSO2 API Manager
  • WSO2 Enterprise Integrator
  • WSO2 Identity Server
  • WSO2 Stream Processor

WSO2 JUSTIFICATION

This vulnerability is exploitable only if the Log4j SocketServer is run to accept log data over the network. WSO2 products do not use the SocketServer functionality of Log4j, and WSO2 does not recommend enabling it. In addition, the third-party dependencies used by WSO2 products do not use this functionality of Log4j. Therefore, this CVE does not affect the security of WSO2 products.
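Because exploitability hinges on whether a socket receiver is actually running, the practical check on a deployment is to look at how each JVM was launched rather than at the Log4j version on the classpath. The following POSIX shell helper is an added example, not code from the WSO2 advisory or from any WSO2 product: it flags JVM command lines whose main class is one of the Log4j 1.2 socket receivers (SocketServer, SimpleSocketServer, or the SocketNode they hand connections to). Those three class names are the real Log4j 1.2 ones; the function names and the sample process list are constructed here for illustration. The sending-side SocketAppender deliberately does not match, since it serializes events rather than deserializing them.

```shell
#!/bin/sh
# Added audit helper for CVE-2019-17571 (not part of the WSO2 advisory).
# Class names below are the real Log4j 1.2 classes that read serialized
# LoggingEvent objects from a listening socket; everything else here is
# constructed for the example.

LOG4J_SOCKET_RECEIVERS='org.apache.log4j.net.SocketServer
org.apache.log4j.net.SimpleSocketServer
org.apache.log4j.net.SocketNode'

# Return 0 if one JVM command line launches a Log4j socket receiver.
# The class name must appear as a whole, space-delimited token, so the
# unaffected sending side (org.apache.log4j.net.SocketAppender) and any
# unrelated class whose name merely contains "SocketServer" do not match.
uses_log4j_socket_receiver() {
    for cls in $LOG4J_SOCKET_RECEIVERS; do
        case " $1 " in
            *" $cls "*) return 0 ;;
        esac
    done
    return 1
}

# Read a process list (one command line per line) on stdin and print the
# lines that launch a receiver.
list_log4j_socket_receivers() {
    while IFS= read -r line; do
        if uses_log4j_socket_receiver "$line"; then
            printf '%s\n' "$line"
        fi
    done
}

# Same input as above, but print only the number of matching lines.
count_log4j_socket_receivers() {
    n=0
    while IFS= read -r line; do
        if uses_log4j_socket_receiver "$line"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample process list: one WSO2-style JVM, one JVM actually
# running the vulnerable receiver on the default port 4560, one JVM that
# only sends events, and a non-Java process.
SAMPLE_PS='java -Xmx2g -Dcarbon.home=/opt/wso2am org.wso2.carbon.bootstrap.Bootstrap
java -cp log4j-1.2.17.jar org.apache.log4j.net.SocketServer 4560 log4j.properties /etc/log4j/clients
java -cp app.jar:log4j-1.2.17.jar org.apache.log4j.net.SocketAppender
/usr/sbin/sshd -D'

echo "Receivers in constructed sample:"
printf '%s\n' "$SAMPLE_PS" | list_log4j_socket_receivers

# Live check of this host, if ps is available: every line printed here is
# a JVM that deserializes whatever a client sends to its log port.
if command -v ps >/dev/null 2>&1; then
    echo "Receivers running on this host:"
    ps -eo args= | list_log4j_socket_receivers
fi
```

Run it as-is to see the sample result and the live scan of the current host; pipe `ps -eo args=` output collected from other hosts into `count_log4j_socket_receivers` to fold the check into a fleet-wide audit. A non-zero count is the condition under which the WSO2 justification above no longer holds for that host.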

REFERENCES