CVE-2017-5645

critical

Published 2017-04-17 · Modified 2024-03-14

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

7.5

VIR risk

9.8

Description

Deserialization of Untrusted Data in Log4j

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2017-5645.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://issues.apache.org/jira/browse/LOG4J2-1863

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-5645

OS impact

OS	Version	Status	Fixed in
debian	sid	fixed	`2.7-2`
debian	trixie	fixed	`2.7-2`
debian	bookworm	fixed	`2.7-2`
debian	bullseye	fixed	`2.7-2`
debian	forky	fixed	`2.7-2`
sles		affected
rhel	6.0	affected
rhel	6.7	affected
rhel	7.0	affected
rhel	7.3	affected
rhel	7.4	affected
rhel	7.5	affected
rhel	7.6	affected

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	org.apache.logging.log4j:log4j	`>=2.0,<2.8.2`	`2.8.2`
Maven	org.apache.logging.log4j:log4j-core	`>=2.0,<2.8.2`	`2.8.2`

Application impact

Vendor	Product	Versions	Fixed
apache	log4j	`{"startIncluding":"2.0","endExcluding":"2.8.2"}`	`2.8.2`
netapp	oncommand_api_services	`-`
netapp	oncommand_insight	`-`
netapp	oncommand_workflow_automation	`-`
netapp	service_level_manager	`-`
netapp	snapcenter	`-`
netapp	storage_automation_store	`-`
redhat	fuse	`1.0`
oracle	api_gateway	`11.1.2.4.0`
oracle	application_testing_suite	`13.3.0.1`
oracle	autovue_vuelink_integration	`21.0.0`
oracle	autovue_vuelink_integration	`21.0.1`
oracle	banking_platform	`2.6.0`
oracle	banking_platform	`2.6.1`
oracle	banking_platform	`2.6.2`
oracle	bi_publisher	`11.1.1.7.0`
oracle	bi_publisher	`11.1.1.9.0`
oracle	bi_publisher	`12.2.1.3.0`
oracle	bi_publisher	`12.2.1.4.0`
oracle	communications_converged_application_server_-_service_controller	`6.1`
oracle	communications_instant_messaging_server	`10.0.1.3.0`
oracle	communications_interactive_session_recorder	`{"startIncluding":"6.0","endIncluding":"6.2"}`
oracle	communications_messaging_server	`{"endExcluding":"8.0.2"}`	`8.0.2`
oracle	communications_network_integrity	`{"startIncluding":"7.3.2","endIncluding":"7.3.6"}`
oracle	communications_online_mediation_controller	`6.1`
oracle	communications_pricing_design_center	`11.1`
oracle	communications_pricing_design_center	`12.0`
oracle	communications_service_broker	`6.0`
oracle	communications_webrtc_session_controller	`{"endExcluding":"7.2"}`	`7.2`
oracle	configuration_manager	`12.1.2.0.2`
oracle	configuration_manager	`12.1.2.0.5`
oracle	endeca_information_discovery_studio	`3.2.0`
oracle	enterprise_data_quality	`12.2.1.3.0`
oracle	enterprise_manager_base_platform	`12.1.0.5`
oracle	enterprise_manager_base_platform	`13.2.0.0`
oracle	enterprise_manager_for_fusion_middleware	`12.1.0.5`
oracle	enterprise_manager_for_fusion_middleware	`13.2.0.0`
oracle	enterprise_manager_for_mysql_database	`{"endIncluding":"13.2.2.0.0"}`
oracle	enterprise_manager_for_oracle_database	`12.1.0.8`
oracle	enterprise_manager_for_oracle_database	`13.2.2`
oracle	enterprise_manager_for_peoplesoft	`13.1.1.1`
oracle	enterprise_manager_for_peoplesoft	`13.2.1.1`
oracle	retail_extract_transform_and_load	`13.2`
oracle	financial_services_analytical_applications_infrastructure	`{"startIncluding":"7.3.3.0.0","endIncluding":"7.3.3.0.2"}`
oracle	financial_services_behavior_detection_platform	`{"startIncluding":"8.0.0.0.0","endIncluding":"8.0.4.0.0"}`
oracle	financial_services_behavior_detection_platform	`6.1.1`
oracle	financial_services_hedge_management_and_ifrs_valuations	`8.0.4`
oracle	financial_services_hedge_management_and_ifrs_valuations	`8.0.5`
oracle	financial_services_lending_and_leasing	`{"startIncluding":"14.1.0","endIncluding":"14.8.0"}`
oracle	financial_services_lending_and_leasing	`12.5.0`
oracle	financial_services_loan_loss_forecasting_and_provisioning	`8.0.4`
oracle	financial_services_loan_loss_forecasting_and_provisioning	`8.0.5`
oracle	financial_services_profitability_management	`{"startIncluding":"8.0.0.0.0","endIncluding":"8.0.7.0.0"}`
oracle	financial_services_profitability_management	`6.1.1`
oracle	financial_services_regulatory_reporting_with_agilereporter	`8.0.9.2.0`
oracle	flexcube_investor_servicing	`12.0.4`
oracle	flexcube_investor_servicing	`12.1.0`
oracle	flexcube_investor_servicing	`12.3.0`
oracle	flexcube_investor_servicing	`12.4.0`
oracle	flexcube_investor_servicing	`14.0.0`
oracle	fusion_middleware_mapviewer	`12.2.1.2`
oracle	fusion_middleware_mapviewer	`12.2.1.3`
oracle	goldengate	`12.3.2.1.1`
oracle	goldengate_application_adapters	`12.3.2.1.1`
oracle	identity_analytics	`11.1.1.5.8`
oracle	identity_management_suite	`11.1.2.3.0`
oracle	identity_management_suite	`12.2.1.3.0`
oracle	identity_manager_connector	`9.0`
oracle	in-memory_performance-driven_planning	`12.1`
oracle	in-memory_performance-driven_planning	`12.2`
oracle	instantis_enterprisetrack	`{"startIncluding":"17.1","endIncluding":"17.3"}`
oracle	insurance_calculation_engine	`10.1.1`
oracle	insurance_calculation_engine	`10.2.1`
oracle	insurance_policy_administration	`10.0`
oracle	insurance_policy_administration	`10.1`
oracle	insurance_policy_administration	`10.2`
oracle	insurance_policy_administration	`11.0`
oracle	insurance_rules_palette	`10.0`
oracle	insurance_rules_palette	`10.1`
oracle	insurance_rules_palette	`10.2`
oracle	insurance_rules_palette	`11.0`
oracle	insurance_rules_palette	`11.1`
oracle	jd_edwards_enterpriseone_tools	`4.0.1.0`
oracle	jd_edwards_enterpriseone_tools	`9.2`
oracle	jdeveloper	`11.1.1.9.0`
oracle	jdeveloper	`12.1.3.0.0`
oracle	jdeveloper	`12.2.1.3.0`
oracle	mysql_enterprise_monitor	`{"startIncluding":"3.4.0.0","endIncluding":"3.4.7.4297"}`
oracle	peoplesoft_enterprise_fin_install	`9.2`
oracle	policy_automation	`10.4.7`
oracle	policy_automation	`12.1.0`
oracle	policy_automation	`12.1.1`
oracle	policy_automation	`12.2.0`
oracle	policy_automation	`12.2.1`
oracle	policy_automation	`12.2.2`
oracle	policy_automation	`12.2.3`
oracle	policy_automation	`12.2.4`
oracle	policy_automation	`12.2.5`
oracle	policy_automation	`12.2.6`
oracle	policy_automation	`12.2.7`
oracle	policy_automation	`12.2.8`
oracle	policy_automation	`12.2.9`
oracle	policy_automation	`12.2.10`
oracle	policy_automation_connector_for_siebel	`10.4.6`
oracle	policy_automation_for_mobile_devices	`10.4.7`
oracle	policy_automation_for_mobile_devices	`12.1.0`
oracle	policy_automation_for_mobile_devices	`12.1.1`
oracle	policy_automation_for_mobile_devices	`12.2.0`
oracle	policy_automation_for_mobile_devices	`12.2.1`
oracle	policy_automation_for_mobile_devices	`12.2.2`
oracle	policy_automation_for_mobile_devices	`12.2.3`
oracle	policy_automation_for_mobile_devices	`12.2.4`
oracle	policy_automation_for_mobile_devices	`12.2.5`
oracle	policy_automation_for_mobile_devices	`12.2.6`
oracle	policy_automation_for_mobile_devices	`12.2.7`
oracle	policy_automation_for_mobile_devices	`12.2.8`
oracle	policy_automation_for_mobile_devices	`12.2.9`
oracle	policy_automation_for_mobile_devices	`12.2.10`
oracle	primavera_gateway	`{"startIncluding":"16.2.0","endIncluding":"16.2.11"}`
oracle	rapid_planning	`12.1`
oracle	rapid_planning	`12.2`
oracle	retail_advanced_inventory_planning	`14.0`
oracle	retail_advanced_inventory_planning	`15.0`
oracle	retail_clearance_optimization_engine	`14.0.5`
oracle	retail_extract_transform_and_load	`13.0`
oracle	retail_extract_transform_and_load	`13.1`
oracle	retail_extract_transform_and_load	`19.0`
oracle	retail_integration_bus	`14.0.0`
oracle	retail_integration_bus	`14.1.0`
oracle	retail_integration_bus	`15.0`
oracle	retail_integration_bus	`16.0`
oracle	retail_open_commerce_platform	`5.3.0`
oracle	retail_open_commerce_platform	`6.0.0`
oracle	retail_open_commerce_platform	`6.0.1`
oracle	retail_predictive_application_server	`15.0.3`
oracle	retail_service_backbone	`14.1`
oracle	retail_service_backbone	`15.0`
oracle	retail_service_backbone	`16.0`
oracle	siebel_ui_framework	`18.7`
oracle	siebel_ui_framework	`18.8`
oracle	siebel_ui_framework	`18.9`
oracle	soa_suite	`12.1.3.0.0`
oracle	soa_suite	`12.2.1.3.0`
oracle	soa_suite	`12.2.2.0.0`
oracle	tape_library_acsls	`8.4`
oracle	timesten_in-memory_database	`11.2.2.8.49`
oracle	utilities_advanced_spatial_and_operational_analytics	`2.7.0.1`
oracle	utilities_work_and_asset_management	`1.9.1.2.12`
oracle	weblogic_server	`10.3.6.0.0`
oracle	weblogic_server	`12.1.3.0.0`
oracle	weblogic_server	`12.2.1.3.0`
oracle	weblogic_server	`12.2.1.4.0`
oracle	weblogic_server	`14.1.1.0.0`

References

CWEs

CWE-502

Verify integrity in audit chain (admin only). AS-IS.