Apache : Security Vulnerabilities, CVEs, Published In April 2017 (Code Execution)
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Max CVSS
9.8
EPSS Score
81.95%
Published
2017-04-17
Updated
2022-04-04
CVE-2016-8735
Known exploited
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Max CVSS
9.8
EPSS Score
25.12%
Published
2017-04-06
Updated
2023-12-08
CISA KEV Added
2023-05-12
The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object.
Max CVSS
9.8
EPSS Score
4.75%
Published
2017-04-11
Updated
2018-10-09
3 vulnerabilities found