My understanding is that CVE-2019-17571 only impacts the socket/JMS appender.
"Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data."
Regards
JB

On 13/12/2021 10:56, Vilius Šumskas wrote:
Hi, the log4j 1.2 series is vulnerable to CVE-2019-17571, which has a CVSS score of 9.8. This needs to be addressed too.
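
Added example, not part of the original thread or of any project's code: a scanner that reports which archives in a deployment bundle the `SocketServer` class named in the CVE description, descending into nested jars and wars. The helper names and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Class named in the CVE-2019-17571 description, as it is stored inside a jar.
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear")


def find_socket_server(data, label="<archive>"):
    """Return the path (outer!/inner) of every archive that bundles SocketServer."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive (or truncated): nothing to report
    with archive:
        for name in archive.namelist():
            if name == SOCKET_SERVER:
                hits.append(label)
            elif name.lower().endswith(NESTED_SUFFIXES):
                # Fat jars and wars carry their dependencies as nested archives.
                hits += find_socket_server(archive.read(name), f"{label}!/{name}")
    return hits


def make_jar(entries):
    """Build a constructed in-memory jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, content in entries.items():
            jar.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample data: placeholder bytes, not real class files.
    log4j = make_jar({SOCKET_SERVER: b"stub", "org/apache/log4j/Logger.class": b"stub"})
    app = make_jar({"WEB-INF/lib/log4j-1.2.17.jar": log4j, "WEB-INF/web.xml": b"<web-app/>"})
    for hit in find_socket_server(app, "app.war"):
        print("SocketServer present in", hit)
```

A hit only shows that the class is shipped; per the CVE text quoted above, the exposure arises when `SocketServer` is listening to untrusted network traffic for log data.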