Have you heard of CVE-2017-5645? Oracle Critical Patch Update Advisory – July 2018.
Background
The Java programming language sometimes looks like an accomplice. The Java Sandbox attempts to enforce a privilege model that permits safe execution of untrusted code, and is most famously used to permit the automatic execution of Java Applets in a browser.
Vulnerability details
Apache Log4j is a Java-based logging utility, one of several Java logging frameworks. Because of a design flaw affecting Oracle products that ship Log4j, this vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without requiring user credentials.
Sample of using the Log4j Library
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

public class Jangles {
    // Commons Logging facade; Log4j supplies the implementation at run time.
    private static final Log log = LogFactory.getLog(Jangles.class);

    public static void main(String[] args) {
        log.info("This is a testing message.");
        // The guard avoids building the debug message when DEBUG is disabled.
        if (log.isDebugEnabled()) {
            log.debug("This is a testing message.");
        }
    }
}
The sample above lets Log4j control the output of other libraries that use Apache Commons Logging, such as the Java Caching System.
So, do you think this is the root cause of the vulnerability?
This vulnerability's reference number dates back to 2017. However, the Oracle Critical Patch Update Advisory of July 2018 still carries a status update for it. If you are an Oracle product user, you must stay alert. You should stay alert!
Vulnerability detail:
This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
Official announcement hyperlink shown as below:
Affected product versions and vulnerability details: