CVE-2019-17571

Code Injection
Affects: Apache Log4j
Versions: >= 1.2, <= 1.2.17
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version of Apache Log4j offered by HeroDevs.

Overview

Apache Log4j is a Java-based logging framework that provides flexible logging capabilities for enterprise applications. Its plugin architecture and configuration options made it a popular choice for JVM-based systems for many years, particularly before the introduction of Log4j 2.x.

A remote code execution vulnerability (CVE-2019-17571) has been identified in Apache Log4j 1.x, specifically in the org.apache.log4j.net.SocketServer class and the SocketNode it hands each accepted connection to. SocketServer is the receiving end of the SocketAppender: it listens on a TCP port for LoggingEvent objects sent as Java serialized data and reads each one with ObjectInputStream.readObject(). Nothing restricts which classes that stream may instantiate, and the cast to LoggingEvent happens only after the object has already been deserialized, so anyone who can reach the port can send a crafted serialized object in place of a log event. Combined with a deserialization gadget chain from a library already on the server's classpath, this yields arbitrary code execution with the privileges of the receiving JVM, without any authentication.

Per OWASP: Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation.

This issue affects every Log4j 1.2 release, from 1.2 through 1.2.17 (the last 1.x release), and is rated critical.

Details

Vulnerability Info

This critical vulnerability is caused by insecure deserialization of untrusted data received by the Log4j 1.x SocketServer: the listener deserializes whatever it receives before checking that it is a LoggingEvent, so a malicious serialized payload executes arbitrary code during readObject(). The classes are shipped in every log4j-1.2.x jar, but the listener only exists where a process has been started with the org.apache.log4j.net.SocketServer (or SimpleSocketServer) main class; exposure is therefore limited to hosts running a socket receiver, and on those hosts the attack needs only network reachability. Since Log4j 1.x has reached end-of-life, the Apache Software Foundation does not provide patches for this issue.
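The following is an added detection example, not code from the advisory, from HeroDevs or from the Log4j project. It treats a captured byte stream aimed at a SocketServer port as untrusted Java serialization data and enumerates every class descriptor it references, rejecting any class outside an allowlist. The allowlist is an assumption derived from the fields a Log4j 1.2 LoggingEvent carries (extend it from a capture of your own benign traffic), and the two sample streams are constructed prefixes, not real captures.

```python
"""Allowlist check for Java serialization streams aimed at a Log4j 1.x SocketServer.

Added example, not code from the Log4j project or the advisory. It scans a raw
stream for every class descriptor name and flags any class that a legitimate
org.apache.log4j.spi.LoggingEvent stream would not carry.
"""
from __future__ import annotations

import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # Java ObjectOutputStream header: magic + version
TC_OBJECT = 0x73                      # "new object" tag
TC_CLASSDESC = 0x72                   # "class descriptor" tag, followed by the class name

# Assumption: classes a serialized LoggingEvent normally references (from the
# Log4j 1.2 LoggingEvent fields). Adjust after capturing your own benign stream.
ALLOWED_CLASSES = frozenset({
    "org.apache.log4j.spi.LoggingEvent",
    "org.apache.log4j.spi.LocationInfo",
    "org.apache.log4j.spi.ThrowableInformation",
    "java.util.Hashtable",
    "[Ljava.lang.String;",
})

# Java binary class names: identifiers, dots, '$' for inner classes, '[' and ';' for arrays.
_CLASS_NAME = re.compile(rb"^[A-Za-z_$\[][A-Za-z0-9_$.;\[]*$")


def class_names(stream: bytes) -> list[str]:
    """Return every class descriptor name found in a Java serialization stream.

    Byte-level scan, not a full parser: a TC_CLASSDESC tag (0x72) is followed by a
    2-byte big-endian length and the class name. A stray 0x72 inside string data can
    produce a false hit, which only makes the check stricter, so it is acceptable
    for detection. Accepted names are skipped over so their own bytes are not rescanned.
    """
    names = []
    i = 0
    while True:
        i = stream.find(bytes([TC_CLASSDESC]), i)
        if i < 0 or i + 3 > len(stream):
            break
        length = struct.unpack(">H", stream[i + 1:i + 3])[0]
        candidate = stream[i + 3:i + 3 + length]
        if 0 < length <= 255 and len(candidate) == length and _CLASS_NAME.match(candidate):
            names.append(candidate.decode("ascii"))
            i += 3 + length
        else:
            i += 1
    return names


def check_stream(stream: bytes, allowed=ALLOWED_CLASSES) -> tuple[bool, list[str]]:
    """Return (ok, offending). ok is False when the data is not a Java serialization
    stream at all, or when it references any class outside the allowlist."""
    if not stream.startswith(STREAM_MAGIC):
        return False, ["<not a Java serialization stream>"]
    unexpected = [n for n in class_names(stream) if n not in allowed]
    return (not unexpected), unexpected


def _class_desc(name: str) -> bytes:
    """Constructed test data: a minimal TC_OBJECT + TC_CLASSDESC prefix for one class."""
    encoded = name.encode("ascii")
    return (bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(encoded)) + encoded
            + b"\x00" * 8          # serialVersionUID placeholder
            + b"\x02"              # classDescFlags: SC_SERIALIZABLE
            + b"\x00\x00")         # field count (none, for the sample)


# Constructed samples: real streams are longer, but the descriptors are what the scan keys on.
BENIGN_STREAM = STREAM_MAGIC + _class_desc("org.apache.log4j.spi.LoggingEvent")
HOSTILE_STREAM = (STREAM_MAGIC + _class_desc("org.apache.log4j.spi.LoggingEvent")
                  + _class_desc("com.example.NotAGadgetButNotAllowedEither"))

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_STREAM), ("hostile", HOSTILE_STREAM)):
        ok, bad = check_stream(data)
        print(f"{label}: {'accept' if ok else 'REJECT'} {bad}")
```

Two caveats a practitioner should keep in mind. First, checking only the first (top-level) class is not enough: a LoggingEvent legitimately carries a java.util.Hashtable of MDC values and a ThrowableInformation, so gadget objects can be nested inside an otherwise well-formed event, which is why the scanner walks every descriptor in the stream. Second, this is a monitoring control, not a fix: it can alert on or drop traffic in front of a listener you cannot yet remove, but the listener itself still deserializes anything that reaches it, so the mitigations below remain necessary.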

Mitigation

Apache Log4j 1.x has been end-of-life since August 2015 and no longer receives community updates. Users of the affected component should apply one of the following mitigations:

  • Upgrade affected applications to a supported release such as Log4j 2.x; the log4j-1.2-api bridge keeps existing 1.x API calls working while the dependency is replaced
  • Remove or disable use of SocketServer within Log4j 1.x: stop any process started with the org.apache.log4j.net.SocketServer or SimpleSocketServer main class, and while a receiver must remain, restrict its port to trusted log senders and never expose it to untrusted networks
  • Leverage a commercial support partner like HeroDevs for post-EOL security support
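Removing or disabling the receiver starts with knowing where it is. The script below is an added example, not code from the advisory, from HeroDevs or from the Log4j project: it finds jars on disk that still ship the SocketServer, SimpleSocketServer and SocketNode classes, finds running JVMs whose command line invokes the SocketServer main class, and can write a copy of a jar with those classes removed for deployments that do not use the socket receiver. The Linux /proc layout, the sample deployment it builds for a dry run, and the assumption that nothing else in your application loads those classes are all labelled in the code.

```python
"""Inventory and strip the Log4j 1.x socket receiver across a deployment.

Added example, not part of the advisory or the Log4j project. Finds jars that
ship the socket receiver classes, finds JVMs started with the SocketServer main
class, and can write a copy of a jar without the receiver. /proc and the sample
layout are assumptions.
"""
from __future__ import annotations

import tempfile
import zipfile
from pathlib import Path

# Classes that implement the socket receiver in Log4j 1.2 (real class names).
SOCKET_RECEIVER_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
)
SOCKET_SERVER_MAIN = "org.apache.log4j.net.SocketServer"


def jar_ships_socket_receiver(jar: Path) -> list[str]:
    """Return the receiver classes present in one jar (empty if none, or not a jar)."""
    try:
        with zipfile.ZipFile(jar) as zf:
            present = set(zf.namelist())
    except (zipfile.BadZipFile, OSError):
        return []
    return [c for c in SOCKET_RECEIVER_CLASSES if c in present]


def find_affected_jars(root: Path) -> dict[Path, list[str]]:
    """Walk root and map every jar containing a receiver class to those classes."""
    return {p: cls for p in sorted(root.rglob("*.jar"))
            if (cls := jar_ships_socket_receiver(p))}


def socket_server_processes(cmdlines: dict[int, str]) -> list[int]:
    """PIDs whose command line invokes the SocketServer main class.

    cmdlines maps pid -> command line; read_proc_cmdlines builds it on Linux."""
    return sorted(pid for pid, cmd in cmdlines.items() if SOCKET_SERVER_MAIN in cmd)


def read_proc_cmdlines() -> dict[int, str]:
    """Collect command lines from /proc (assumption: Linux with procfs mounted)."""
    result = {}
    for entry in Path("/proc").iterdir():
        if entry.name.isdigit():
            try:
                raw = (entry / "cmdline").read_bytes()
            except OSError:
                continue
            result[int(entry.name)] = raw.replace(b"\x00", b" ").decode(errors="replace")
    return result


def strip_socket_receiver(jar: Path, out: Path) -> list[str]:
    """Copy jar to out without the receiver classes; return what was removed.

    One way to apply the "remove SocketServer" mitigation where nothing in the
    application uses the socket receiver (assumption). Code that still touches
    these classes fails with NoClassDefFoundError, which is the point. Upgrading
    to Log4j 2.x remains the complete fix.
    """
    removed = []
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            if item.filename in SOCKET_RECEIVER_CLASSES:
                removed.append(item.filename)
            else:
                dst.writestr(item, src.read(item.filename))
    return removed


def make_sample_deployment() -> Path:
    """Constructed sample: a temp dir holding a fake log4j 1.2 jar and a clean jar.

    The class files are four-byte stand-ins; only the entry names matter here."""
    root = Path(tempfile.mkdtemp(prefix="log4j-audit-"))
    (root / "lib").mkdir()
    with zipfile.ZipFile(root / "lib" / "log4j-1.2.17.jar", "w") as zf:
        for name in ("org/apache/log4j/Logger.class",
                     "org/apache/log4j/net/SocketServer.class",
                     "org/apache/log4j/net/SocketNode.class"):
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(root / "app.jar", "w") as zf:
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else make_sample_deployment()
    for jar, classes in find_affected_jars(root).items():
        print(f"{jar}: {', '.join(classes)}")
    if Path("/proc").is_dir():
        for pid in socket_server_processes(read_proc_cmdlines()):
            print(f"pid {pid} runs {SOCKET_SERVER_MAIN}")
```

Run it with a directory argument to audit a real deployment; without one it audits the constructed sample. A jar that ships the classes is only a risk where a receiver process actually runs, so the process check is what tells you which hosts are exposed today, while the jar inventory tells you which builds could become exposed if someone starts one later.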

Vulnerability Details
ID: CVE-2019-17571
Project affected: Apache Log4j
Versions affected: >= 1.2, <= 1.2.17
Published date: January 7, 2026
Fix date (approximate): December 10, 2025
Severity: Critical (CVSS scale used on this page: Low >= 0 and < 4; Medium >= 4 and < 6; High >= 6 and < 8; Critical >= 8 and < 10)
Category: Code Injection