Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
CVE-2019-17571
Score 9.8 from GitHub Security Advisory (severity: CRITICAL) published 2020-01-06. NVD baseline CVSS 9.8; sources differ by 0.0.
- High exploitation likelihood — EPSS 69%
A fix is available — apply it.
- CVSS v3
- 9.8
- EG Score
- 9.8(medium)
- EPSS
- 99.3%
- KEV
- Not listed
Published
December 20, 2019
Last Modified
May 28, 2026
Advisory Details (9)
Auto-updated Jun 20, 2026Vendor Advisories for CVE-2019-17571(9)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2022:5053Red Hat Product SecurityHigh
Red Hat Security Advisory: log4j security update
- RHSA-2022:0507Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.4.8.SP2 security update
- RHSA-2022:0497Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.4.8.SP1 security update
- GHSA-2qrg-x229-3v8qGitHub Security AdvisoriesCritical
Deserialization of Untrusted Data in Log4j
- RHSA-2017:3244Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Data Grid 7.1.1 security update
- RHSA-2017:2811Red Hat Product SecurityHigh
Red Hat Security Advisory: eap7-jboss-ec2-eap security update
- RHSA-2017:2810Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update
- RHSA-2017:1802Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Web Server Service Pack 1 security update
- +1 more
Patch Availability(20)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | liblog4j1.2-java-doc (1.2.17-8+deb10u1build0.18.04.1) @ bionic | 2026-05-27 | ubuntu |
| ubuntu | liblog4j1.2-java (1.2.17-8+deb10u1ubuntu0.2) @ bionic | 2026-05-27 | ubuntu |
| redhat | log4j-0:1.2.14-6.7.el6_10 | 2022-06-15 | redhat |
| redhat | patch | 2022-02-10 | redhat |
| redhat | patch | 2022-02-09 | redhat |
| redhat | patch | 2019-06-18 | redhat |
| redhat | patch | 2017-12-07 | redhat |
| redhat | log4j-0:1.2.14-19.patch_01.ep5.el6 | 2017-12-07 | redhat |
| redhat | patch | 2017-11-16 | redhat |
| redhat | patch | 2017-10-12 | redhat |
| redhat | patch | 2017-10-12 | redhat |
| redhat | patch | 2017-09-26 | redhat |
| redhat | eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7 | 2017-09-26 | redhat |
| redhat | jboss-ec2-eap-0:7.5.17-1.Final_redhat_4.ep6.el6 | 2017-09-05 | redhat |
| redhat | patch | 2017-09-05 | redhat |
| redhat | log4j-0:1.2.17-16.el7_4 | 2017-08-07 | redhat |
| redhat | tomcat-native-0:1.2.8-10.redhat_10.ep7.el7 | 2017-07-25 | redhat |
| redhat | patch | 2017-07-25 | redhat |
| maven | log4j:log4j | — | ghsa |
| maven | org.zenframework.z8.dependencies.commons:log4j-1.2.17 | — | ghsa |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(2 across 1 ecosystem)
Maven(2)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| log4j:log4j | 1.2.11 ... 1.2.9 (13 versions) | — | — |
| org.zenframework.z8.dependencies.commons:log4j-1.2.17 | 2.0 | — | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(10)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHSA-2017:2423IMPORTANT2019-12-20
RHSA-2017:2423 — Important
- Red HatRHSA-2017:2633IMPORTANT2019-12-20
RHSA-2017:2633 — Important
- Red HatRHSA-2017:2638IMPORTANT2019-12-20
RHSA-2017:2638 — Important
- Red HatRHSA-2017:2888IMPORTANT2019-12-20
RHSA-2017:2888 — Important
- Red HatRHSA-2017:2889IMPORTANT2019-12-20
RHSA-2017:2889 — Important
- Red HatRHSA-2017:3399IMPORTANT2019-12-20
RHSA-2017:3399 — Important
- Red HatRHSA-2017:3400IMPORTANT2019-12-20
RHSA-2017:3400 — Important
- Red HatRHSA-2019:1545IMPORTANT2019-12-20
RHSA-2019:1545 — Important
- UbuntuUSN-4495-1MEDIUM
Apache Log4j vulnerability
- UbuntuUSN-5998-1MEDIUM
Apache Log4j vulnerabilities
Data Freshness Timeline
(refreshed 3× in last 7d / 25× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-09 19:06 UTCEPSS rescore
- 2026-07-08 15:11 UTCEPSS rescore
- 2026-07-07 13:43 UTCEPSS rescore
- 2026-07-04 06:28 UTCEPSS rescore
- 2026-07-02 14:00 UTCOSV refresh
- 2026-07-01 15:03 UTCEPSS rescore
- 2026-07-01 15:03 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-27 03:06 UTCEPSS rescore
- 2026-06-25 13:47 UTCEPSS rescore
- 2026-06-25 13:47 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:30 UTCEPSS rescore
- 2026-06-22 14:23 UTCEPSS rescore
- 2026-06-18 17:50 UTCEPSS rescore
- 2026-06-17 17:50 UTCEPSS rescore
- 2026-06-16 17:50 UTCEPSS rescore
- 2026-06-15 17:45 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-14 12:13 UTCOSV refresh
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-12 23:09 UTCEPSS rescore
Show 27 moreShow fewer
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 13:19 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-06 13:45 UTCEPSS rescore
- 2026-06-06 13:45 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 00:14 UTCEPSS rescore
- 2026-05-31 00:14 UTCEPSS rescore
- 2026-05-29 13:42 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-27 13:38 UTCEPSS rescore
- 2026-05-27 10:01 UTCEG score recompute
- 2026-05-27 10:01 UTCVendor advisory
- 2026-05-27 10:01 UTCGHSA enrichment
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-25 06:37 UTCOSV refresh
Publicly available exploits
(2 references)Working exploit code is in the public domain (2 GitHub PoCs). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCHynekPetrak/log4shell-finderFirst seen Dec 14, 2021
Fastest filesystem scanner for log4shell (CVE-2021-44228, CVE-2021-45046) and other vulnerable (CVE-2017-5645, CVE-2019-17571, CVE-2022-23305, CVE-2022-23307 ... ) instances of log4j library. Excellent performance and low memory footprint.
Open source ↗ - GitHub PoCshadow-horse/CVE-2019-17571First seen Dec 25, 2019
Apache Log4j 1.2.X存在反序列化远程代码执行漏洞
Open source ↗
Related CVEs(same product + same vendor + same CWE)
Same product
4 shownmaven:log4j:log4j
Same vendor
10 shownredhat
Same CWE
10 shownCWE-502
- CVE-2017-20208EG 9.8CRITICAL
- CVE-2017-20207EG 9.8CRITICAL
- CVE-2017-20206EG 9.8CRITICAL
- CVE-2017-20189EG 9.8CRITICAL
- CVE-2017-10992EG 9.8EPSS 95%CRITICAL
- CVE-2013-4521EG 9.8EPSS 90%CRITICAL
- CVE-2014-1860EG 9.8CRITICAL
- CVE-2016-1000027EG 9.8EPSS 98%CRITICAL
- CVE-2014-3699EG 9.8CRITICAL
- CVE-2017-18605EG 9.8CRITICAL
Frequently asked(5)
What is CVE-2019-17571?
When was CVE-2019-17571 disclosed?
Is CVE-2019-17571 actively exploited?
What is the CVSS score of CVE-2019-17571?
How do I remediate CVE-2019-17571?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2019-17571
Is Your Infrastructure Affected by CVE-2019-17571?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.