CVE-2022-23305 · threatengine.sh

Home/CVE/By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be

CVE

CVE-2022-23305

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.

Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015.

Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CRITICAL · CVSS 9.8 EPSS 0.09452

Schedule remediation

EPSS percentile: top 7% of all CVEs by exploitation likelihood
CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

▤

Affected Products & Versions

30

apache log4j>= 1.2 and <= 1.2.17
netapp snapmanagerall versions
broadcom brocade sannavall versions
qos reload4j< 1.2.18.2
oracle advanced supply chain planningall versions
oracle business intelligenceall versions
oracle business process management suiteall versions
oracle communications eagle ftp table base retrievalall versions
Show all 30 affected productsoracle communications instant messaging serverall versions
oracle communications messaging serverall versions
oracle communications network integrityall versions
oracle communications offline mediation controller< 12.0.0.4.4
oracle communications offline mediation controllerall versions
oracle communications unified inventory managementall versions
oracle e-business suite cloud manager and cloud backup module< 2.2.1.1.1
oracle e-business suite cloud manager and cloud backup moduleall versions
oracle e-business suite information discovery>= 12.2.3 and <= 12.2.11
oracle enterprise manager base platformall versions
oracle financial services revenue management and billing analyticsall versions
oracle healthcare foundationall versions
oracle hyperion data relationship management< 11.2.8.0
oracle hyperion infrastructure technology< 11.2.8.0
oracle identity management suiteall versions
oracle identity manager connectorall versions
oracle jdeveloperall versions
oracle middleware common libraries and toolsall versions
oracle mysql enterprise monitor<= 8.0.29
oracle retail extract transform and loadall versions
oracle tuxedoall versions
oracle weblogic serverall versions

▤

Affected Packages

2

Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.

Maven log4j:log4j CRITICAL

Maven org.zenframework.z8.dependencies.commons:log4j-1.2.17 CRITICAL

▣

Scoring & Timeline

9.8

CRITICAL · CVSS v3.1 · security@apache.org

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD18 Jan 2022 · 04:15 PM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

⚑

Vendor Advisories

30

usnUSN-7590-1
rhsaRHSA-2024:10207Critical
suse-csafopenSUSE-SU-2024:11759-1
usnUSN-5998-1
suse-csafopenSUSE-SU-2022:0038-1
Show all 30 vendor advisoriessuse-csafSUSE-SU-2022:0354-1
suse-csafSUSE-SU-2022:0355-1
rhsaRHSA-2022:0448Important
rhsaRHSA-2022:0447Important
suse-csafopenSUSE-SU-2022:0226-1
suse-csafSUSE-SU-2022:0226-1
suse-csafopenSUSE-SU-2022:0214-1
suse-csafSUSE-SU-2022:0212-1
suse-csafSUSE-SU-2022:0214-1
suse-csafSUSE-SU-2022:14881-1
rhsaRHSA-2022:0507Moderate
rhsaRHSA-2022:0527Moderate
rhsaRHSA-2022:0449Moderate
rhsaRHSA-2022:0469Moderate
rhsaRHSA-2022:0524Moderate
rhsaRHSA-2022:0446Moderate
rhsaRHSA-2022:0467Moderate
rhsaRHSA-2022:0445Moderate
rhsaRHSA-2022:0444Moderate
rhsaRHSA-2022:0289Moderate
rhsaRHSA-2022:5460Moderate
rhsaRHSA-2022:0442Moderate
rhsaRHSA-2022:0661Moderate
rhsaRHSA-2022:1299Moderate
rhsaRHSA-2022:1297Moderate

🔗

References & Sources

6

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

http://www.openwall.com/lists/oss-security/2022/01/18/4Mailing ListThird Party Advisory

https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85yIssue TrackingMailing ListVendor Advisory

https://logging.apache.org/log4j/1.2/index.htmlVendor Advisory

https://security.netapp.com/advisory/ntap-20220217-0007/Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin