
Reported Vulnerability

The SocketServer class included in Log4j 1.2 is vulnerable to deserialization of untrusted data. When it listens for log data on untrusted network traffic, this vulnerability can be exploited, in combination with a deserialization gadget, to remotely execute arbitrary code. This affects Log4j versions from 1.2 up to 1.2.17.

Reported Products

WSO2 API Manager

WSO2 Enterprise Integrator

WSO2 Identity Server

WSO2 Stream Processor

WSO2 Clarification

This vulnerability is exploitable only if the Log4j SocketServer is used to accept network traffic carrying log data. WSO2 products do not use the SocketServer functionality of Log4j, and WSO2 does not recommend using it. In addition, the third-party dependencies used by WSO2 products do not use this functionality of Log4j. Therefore, this CVE does not affect the security of WSO2 products.
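Because exploitability hinges on whether a SocketServer listener is actually wired in, a deployment-side check is useful; the script below is an added example (not WSO2's or Log4j's code) that walks a deployment directory for Log4j 1.2 jars in the affected range and for scripts or configuration referencing org.apache.log4j.net.SocketServer. The scanned file extensions, the reliance on the jar manifest's Implementation-Version, and the sample deployment fixture are assumptions constructed for this example.

```python
import os
import re
import tempfile
import zipfile
AFFECTED_MAX = (1, 2, 17)  # advisory: Log4j 1.2 up to and including 1.2.17
MARKERS = ("org.apache.log4j.net.SocketServer", "org.apache.log4j.net.SocketNode")

def log4j_version(jar_path):
    """Prefer the manifest's Implementation-Version; fall back to the jar filename (assumption)."""
    try:
        with zipfile.ZipFile(jar_path) as z:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    except (zipfile.BadZipFile, KeyError, OSError):
        m = None
    v = re.search(r"(\d+)\.(\d+)\.(\d+)", m.group(1) if m else os.path.basename(jar_path))
    return tuple(int(x) for x in v.groups()) if v else None

def is_affected(version):
    return version is not None and version[:2] == (1, 2) and version <= AFFECTED_MAX

def scan(root):
    """Collect affected Log4j jars and text files that wire in the SocketServer receiver."""
    report = {"affected_jars": [], "socket_server_refs": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            if lower.startswith("log4j") and lower.endswith(".jar") and is_affected(log4j_version(path)):
                report["affected_jars"].append(path)
            elif lower.endswith((".sh", ".bat", ".xml", ".properties", ".conf")):  # assumed config/script types
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if any(marker in fh.read() for marker in MARKERS):
                        report["socket_server_refs"].append(path)
    return report

def verdict(report):
    """Reachable only when an affected jar AND a SocketServer listener coexist."""
    if report["affected_jars"] and report["socket_server_refs"]:
        return "EXPOSED"
    return "COMPONENT_PRESENT" if report["affected_jars"] else "NOT_AFFECTED"

def build_sample_deployment(with_listener=True):
    """Constructed fixture: a fake log4j-1.2.17.jar, optionally with a SocketServer start script."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "log4j-1.2.17.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n")
    if with_listener:
        with open(os.path.join(root, "start-logserver.sh"), "w") as fh:
            fh.write("java org.apache.log4j.net.SocketServer 4560 log4j.properties .\n")
    return root
```

A deployment that reports COMPONENT_PRESENT still carries the vulnerable class on the classpath and should be upgraded; only EXPOSED indicates the listener condition described above is met.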

CVE References

https://nvd.nist.gov/vuln/detail/CVE-2019-17571
