CVE-2023-26464

Aliases:GHSA-vp98-w2p3-mv35

Advisory lineage Upstream: 0 Downstream: 7

Downstream

RHSA-2023:3663 RHSA-2023:5484 RHSA-2023:5485 RHSA-2023:5486 RHSA-2024:10207 RHSA-2024:10208

Modified

Published: 10 Mar 2023, 13:38

Last modified:13 Feb 2025, 16:44

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.13% LOW

0% probability +0.01%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

10 Mar 2023, 13:38

Published

Vulnerability first disclosed

13 Feb 2025, 16:44

Last Modified

Vulnerability information updated

Description

** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.13%• Percentile: 31%

Techniques & Countermeasures

CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

apache software foundation•apache log4j
≥ 1.0.4, < 2
apache•log4j
≥ 1.0.4, < 2.0
log4j•log4j
≥ 1.0.4, < 2.0
org.apache.logging.log4j•log4j-core
≥ 1.0.4, < 2.0