CVE-2019-17571: Critical severity IBM QRadar SIEM vulnerability

Published Dec 20, 2019

A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.

Other sources

Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization of untrusted data in SocketServer. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

IBM

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.

References:

https://logging.apache.org/log4j/1.2/
https://issues.apache.org/jira/browse/LOG4J2-1863
https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E

Red Hat

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.

Users are advised to migrate to org.apache.logging.log4j:log4j-core.


Affected Software

49 affected components. Fixes available.

| Component | Affected versions | Fixed in |
| --- | --- | --- |
| maven/org.zenframework.z8.dependencies.commons:log4j-1.2.17 | =2.0 | |
| maven/log4j:log4j | >=1.2 <=1.2.17 | |
| debian/apache-log4j1.2 | <=1.2.17-5, <=1.2.17-7, <=1.2.17-8 | 1.2.17-9, 1.2.17-8+deb10u1, 1.2.17-7+deb9u1 |
| redhat/log4j | <0:1.2.14-6.7.el6_10 | 0:1.2.14-6.7.el6_10 |
| redhat/log4j | <0:1.2.17-16.el7_4 | 0:1.2.17-16.el7_4 |
| redhat/log4j | <0:1.2.14-19.patch_01.ep5.el5 | 0:1.2.14-19.patch_01.ep5.el5 |
| redhat/log4j | <0:1.2.14-19.patch_01.ep5.el6 | 0:1.2.14-19.patch_01.ep5.el6 |
| redhat/jboss-ec2-eap | <0:7.5.17-1.Final_redhat_4.ep6.el6 | 0:7.5.17-1.Final_redhat_4.ep6.el6 |
| redhat/eap7-jboss-ec2-eap | <0:7.0.8-1.GA_redhat_1.ep7.el6 | 0:7.0.8-1.GA_redhat_1.ep7.el6 |
| redhat/eap7-jboss-ec2-eap | <0:7.0.8-1.GA_redhat_1.ep7.el7 | 0:7.0.8-1.GA_redhat_1.ep7.el7 |
| redhat/log4j-eap6 | <0:1.2.16-12.redhat_3.1.ep6.el6 | 0:1.2.16-12.redhat_3.1.ep6.el6 |
| redhat/tomcat7 | <0:7.0.70-22.ep7.el6 | 0:7.0.70-22.ep7.el6 |
| redhat/tomcat8 | <0:8.0.36-24.ep7.el6 | 0:8.0.36-24.ep7.el6 |
| redhat/tomcat-native | <0:1.2.8-10.redhat_10.ep7.el6 | 0:1.2.8-10.redhat_10.ep7.el6 |
| redhat/log4j-eap6 | <0:1.2.16-12.redhat_3.1.ep6.el7 | 0:1.2.16-12.redhat_3.1.ep6.el7 |
| redhat/tomcat7 | <0:7.0.70-22.ep7.el7 | 0:7.0.70-22.ep7.el7 |
| redhat/tomcat8 | <0:8.0.36-24.ep7.el7 | 0:8.0.36-24.ep7.el7 |
| redhat/tomcat-native | <0:1.2.8-10.redhat_10.ep7.el7 | 0:1.2.8-10.redhat_10.ep7.el7 |
| redhat/log4j | <2.8.2 | 2.8.2 |
| debian/apache-log4j1.2 | | 1.2.17-10+deb11u1, 1.2.17-11 |
| IBM QRadar SIEM | <=7.5 - 7.5.0 UP7 | |
| Apache Log4j | <=1.2.17 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Canonical Ubuntu Linux | =18.04 | |
| openSUSE Leap | =15.1 | |
| NetApp OnCommand System Manager | >=3.0 <=3.1.3 | |
| NetApp OnCommand Workflow Automation | | |
| Oracle Application Testing Suite | =13.3.0.1 | |
| Oracle Communications Network Integrity | >=7.3.2 <=7.3.6 | |
| Oracle Endeca Information Discovery Studio | =3.2.0 | |
| Oracle Financial Services Lending And Leasing | >=14.1.0 <=14.8.0 | |
| Oracle Financial Services Lending And Leasing | =12.5.0 | |
| Oracle MySQL Enterprise Monitor | <=8.0.29 | |
| Oracle Primavera Gateway | >=16.2 <=16.2.11 | |
| Oracle Primavera Gateway | >=17.12.0 <=17.12.7 | |
| Oracle Rapid Planning | =12.1 | |
| Oracle Rapid Planning | =12.2 | |
| Oracle Retail Extract Transform And Load | =19.0 | |
| Oracle Retail Service Backbone | =14.1 | |
| Oracle Retail Service Backbone | =15.0 | |
| Oracle Retail Service Backbone | =16.0 | |
| Oracle WebLogic Server | =10.3.6.0.0 | |
| Oracle WebLogic Server | =12.1.3.0.0 | |
| Oracle WebLogic Server | =12.2.1.3.0 | |
| Oracle WebLogic Server | =12.2.1.4.0 | |
| Oracle WebLogic Server | =14.1.1.0.0 | |
| Apache Bookkeeper | <4.14.3 | |

Remediation

Information

Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or, if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:

    log4j.appender.file.layout=org.apache.log4j.JsonLayout
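An added example (not from the advisory or from any vendor quoted here) of the "remove the SocketServer class" mitigation: it reports every archive that still ships the class, including JARs nested inside a WAR or EAR, and builds a stripped copy. The function names, the `app.war` label and the sample archives are constructed for illustration.

```python
import io
import zipfile

# Class named in the advisory, as stored inside a Log4j 1.2 JAR.
TARGET = "org/apache/log4j/net/SocketServer.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def find_socket_server(data, label):
    """Return the archive paths (outer!/inner) that still ship TARGET."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename == TARGET:
                hits.append(label)
            elif info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                # Libraries bundled in WAR/EAR/fat JARs are archives in archives.
                hits += find_socket_server(zf.read(info), f"{label}!/{info.filename}")
    return hits


def strip_socket_server(data):
    """Return a copy of the archive with TARGET removed at every nesting level."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == TARGET:
                continue
            payload = src.read(info)
            if info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                payload = strip_socket_server(payload)
            dst.writestr(info, payload)  # keeps name, timestamp, compression
    return out.getvalue()


def _make_zip(entries):
    """Build an in-memory archive from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample: a WAR bundling a stand-in for a Log4j 1.2 JAR.
SAMPLE_JAR = _make_zip({TARGET: b"\xca\xfe\xba\xbe",
                        "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe"})
SAMPLE_WAR = _make_zip({"WEB-INF/web.xml": b"<web-app/>",
                        "WEB-INF/lib/log4j-1.2.17.jar": SAMPLE_JAR})

if __name__ == "__main__":
    print("before:", find_socket_server(SAMPLE_WAR, "app.war"))
    print("after: ", find_socket_server(strip_socket_server(SAMPLE_WAR), "app.war"))
```

Only the class the advisory names is removed. Re-run the check on deployed artifacts after each rebuild, since a dependency update can bring the original JAR back.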

Event History

Dec 20, 2019
CVE Published · 12:00 AM
Data Sourced via Red Hat · 01:12 PM · Description, Severity, Affected Software
CVE Published via MITRE · 04:01 PM
Data Sourced via MITRE · 04:01 PM · Description, Weakness
Data Sourced via NVD · 05:15 PM · Remedy, Description, Severity, Weakness, Affected Software

Jan 6, 2020
Advisory Published · 06:43 PM

May 29, 2026
Data Sourced via Ubuntu · 06:54 PM · Remedy, Description, Severity, Affected Software
Data Sourced via Launchpad · 06:54 PM · Description

Frequently Asked Questions

1. What is CVE-2019-17571?

CVE-2019-17571 is a vulnerability in Log4j where a vulnerable SocketServer class may lead to the deserialization of untrusted data, allowing remote code execution.

2. What is the severity of CVE-2019-17571?

CVE-2019-17571 has a severity value of 9, which is considered critical.

3. How does CVE-2019-17571 affect Log4j?

CVE-2019-17571 affects Log4j versions up to 1.2, allowing for remote code execution.

4. What is the recommended remedy for CVE-2019-17571?

The recommended remedy for CVE-2019-17571 is to update Log4j to version 1.2.14-6.7.el6_10 or higher.

5. Where can I find more information about CVE-2019-17571?

You can find more information about CVE-2019-17571 at the following sources: [CVE](https://www.cve.org/CVERecord?id=CVE-2019-17571), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2019-17571), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1785616), [Red Hat Advisory](https://access.redhat.com/errata/RHSA-2022:5053).
