CVE-2022-23302

Description

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CVSS Metrics

• v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v2.0•MEDIUM•Score: 6AV:N/AC:M/Au:S/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.78%• Percentile: 74%

Techniques & Countermeasures

• CWE-502•Deserialization of Untrusted Data

  The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

• apache software foundation•apache log4j 1.x

  ≥ 1.0.1, < unspecified | ≥ unspecified, < 2.0-alpha1

• apache•log4j

  ≥ 1.0.1, ≤ 1.2.17

• broadcom•brocade_sannav

  na

• log4j•log4j

  ≤ 1.2.17

• org.zenframework.z8.dependencies.commons•log4j-1.2.17

  ≤ 2.0

• netapp•snapmanager

  na

• oracle•advanced_supply_chain_planning

  12.1 | 12.2

• oracle•business_intelligence

  5.9.0.0.0 | 12.2.1.3.0 | 12.2.1.4.0

• oracle•business_process_management_suite

  12.2.1.3.0 | 12.2.1.4.0

• oracle•communications_eagle_ftp_table_base_retrieval

  4.5

• oracle•communications_instant_messaging_server

  10.0.1.5.0

• oracle•communications_messaging_server

  8.1

• oracle•communications_network_integrity

  7.3.6

• oracle•communications_offline_mediation_controller

  < 12.0.0.4.4 | 12.0.0.5.0

• oracle•communications_unified_inventory_management

  7.4.1 | 7.4.2

• oracle•e-business_suite_cloud_manager_and_cloud_backup_module

  < 2.2.1.1.1 | 2.2.1.1.1

• oracle•enterprise_manager_base_platform

  13.4.0.0 | 13.5.0.0

• oracle•financial_services_revenue_management_and_billing_analytics

  2.7.0.0 | 2.7.0.1 | 2.8.0.0

• oracle•healthcare_foundation

  8.1.0

• oracle•hyperion_data_relationship_management

  < 11.2.8.0

• oracle•hyperion_infrastructure_technology

  < 11.2.8.0

• oracle•identity_management_suite

  12.2.1.3.0 | 12.2.1.4.0

• oracle•identity_manager_connector

  11.1.1.5.0

• oracle•jdeveloper

  12.2.1.3.0

• oracle•middleware_common_libraries_and_tools

  12.2.1.4.0

• oracle•mysql_enterprise_monitor

  ≤ 8.0.29

• oracle•tuxedo

  12.2.2.0.0

• Unknown•WebLogic Server

  12.2.1.3.0 | 12.2.1.4.0 | 14.1.1.0.0

• qos•reload4j

  < 1.2.18.1

References (11)

• https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w
• https://logging.apache.org/log4j/1.2/index.html
• http://www.openwall.com/lists/oss-security/2022/01/18/3
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://security.netapp.com/advisory/ntap-20220217-0006/
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.vicarius.io/vsociety/posts/cve-2022-23302-detect-log4j-1217-vulnerability
• https://www.vicarius.io/vsociety/posts/cve-2022-23302-mitigate-log4j-1217-vulnerability
• https://nvd.nist.gov/vuln/detail/CVE-2022-23302
• https://github.com/apache/logging-log4j1
• https://security.netapp.com/advisory/ntap-20220217-0006