Debian Linux Security Advisory 4686-1 - It was discovered that the SocketServer class included in apache-log4j1.2, a logging library for java, is vulnerable to deserialization of untrusted data. An attacker can take advantage of this flaw to execute arbitrary code in the context of the logger application by sending a specially crafted log event.
b7652cf3e1c98d44b0475cd461748855ac6cb1cda2d39aaf078852e016be5ce0