CVE-2022-23302
Deserialization of untrusted data in JMSSink in Apache Log4j 1.x
Severity Score
8.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
JMSSink en todas las versiones de Log4j 1.x, es vulnerable a una deserialización de datos no confiables cuando el atacante presenta acceso de escritura a la configuración de Log4j o si la configuración hace referencia a un servicio LDAP al que el atacante presenta acceso. El atacante puede proporcionar una configuración TopicConnectionFactoryBindingName causando que JMSSink lleve a cabo peticiones JNDI que resulten en la ejecución de código remota de forma similar a CVE-2021-4104. Tenga en cuenta que este problema sólo afecta a Log4j versiones 1.x cuando es configurado específicamente para usar JMSSink, que no es el predeterminado. Apache Log4j versión 1.2 llegó al final de su vida útil en agosto de 2015. Los usuarios deberían actualizar a Log4j 2 ya que aborda otros numerosos problemas de las versiones anteriores
A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.
*Credits:
Eduardo' Vela, Maksim Shudrak and Jacob Butler from Google.
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-01-16 CVE Reserved
- 2022-01-18 CVE Published
- 2024-05-09 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2022/01/18/3 | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20220217-0006 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com/security-alerts/cpuapr2022.html | 2023-02-24 | |
| https://www.oracle.com/security-alerts/cpujul2022.html | 2023-02-24 |
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w | 2023-02-24 | |
| https://logging.apache.org/log4j/1.2/index.html | 2023-02-24 | |
| https://access.redhat.com/security/cve/CVE-2022-23302 | 2024-08-26 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2041949 | 2024-08-26 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Log4j Search vendor "Apache" for product "Log4j" | >= 1.0.1 <= 1.2.17 Search vendor "Apache" for product "Log4j" and version " >= 1.0.1 <= 1.2.17" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Snapmanager Search vendor "Netapp" for product "Snapmanager" | - | oracle |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Snapmanager Search vendor "Netapp" for product "Snapmanager" | - | sap |
Affected
| ||||||
| Broadcom Search vendor "Broadcom" | Brocade Sannav Search vendor "Broadcom" for product "Brocade Sannav" | - | - |
Affected
| ||||||
| Qos Search vendor "Qos" | Reload4j Search vendor "Qos" for product "Reload4j" | < 1.2.18.1 Search vendor "Qos" for product "Reload4j" and version " < 1.2.18.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Advanced Supply Chain Planning Search vendor "Oracle" for product "Advanced Supply Chain Planning" | 12.1 Search vendor "Oracle" for product "Advanced Supply Chain Planning" and version "12.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Advanced Supply Chain Planning Search vendor "Oracle" for product "Advanced Supply Chain Planning" | 12.2 Search vendor "Oracle" for product "Advanced Supply Chain Planning" and version "12.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Intelligence Search vendor "Oracle" for product "Business Intelligence" | 5.9.0.0.0 Search vendor "Oracle" for product "Business Intelligence" and version "5.9.0.0.0" | enterprise |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Intelligence Search vendor "Oracle" for product "Business Intelligence" | 12.2.1.3.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.3.0" | enterprise |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Intelligence Search vendor "Oracle" for product "Business Intelligence" | 12.2.1.4.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.4.0" | enterprise |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite" | 12.2.1.3.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite" | 12.2.1.4.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Eagle Ftp Table Base Retrieval Search vendor "Oracle" for product "Communications Eagle Ftp Table Base Retrieval" | 4.5 Search vendor "Oracle" for product "Communications Eagle Ftp Table Base Retrieval" and version "4.5" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Instant Messaging Server Search vendor "Oracle" for product "Communications Instant Messaging Server" | 10.0.1.5.0 Search vendor "Oracle" for product "Communications Instant Messaging Server" and version "10.0.1.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Messaging Server Search vendor "Oracle" for product "Communications Messaging Server" | 8.1 Search vendor "Oracle" for product "Communications Messaging Server" and version "8.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Network Integrity Search vendor "Oracle" for product "Communications Network Integrity" | 7.3.6 Search vendor "Oracle" for product "Communications Network Integrity" and version "7.3.6" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller" | < 12.0.0.4.4 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version " < 12.0.0.4.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller" | 12.0.0.5.0 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version "12.0.0.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management" | 7.4.1 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management" | 7.4.2 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | E-business Suite Cloud Manager And Cloud Backup Module Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" | < 2.2.1.1.1 Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" and version " < 2.2.1.1.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | E-business Suite Cloud Manager And Cloud Backup Module Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" | 2.2.1.1.1 Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" and version "2.2.1.1.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform" | 13.4.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.4.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform" | 13.5.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.5.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" | 2.7.0.0 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" | 2.7.0.1 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7.0.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" | 2.8.0.0 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.8.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Healthcare Foundation Search vendor "Oracle" for product "Healthcare Foundation" | 8.1.0 Search vendor "Oracle" for product "Healthcare Foundation" and version "8.1.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Hyperion Data Relationship Management Search vendor "Oracle" for product "Hyperion Data Relationship Management" | < 11.2.8.0 Search vendor "Oracle" for product "Hyperion Data Relationship Management" and version " < 11.2.8.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Hyperion Infrastructure Technology Search vendor "Oracle" for product "Hyperion Infrastructure Technology" | < 11.2.8.0 Search vendor "Oracle" for product "Hyperion Infrastructure Technology" and version " < 11.2.8.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Identity Management Suite Search vendor "Oracle" for product "Identity Management Suite" | 12.2.1.3.0 Search vendor "Oracle" for product "Identity Management Suite" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Identity Management Suite Search vendor "Oracle" for product "Identity Management Suite" | 12.2.1.4.0 Search vendor "Oracle" for product "Identity Management Suite" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Identity Manager Connector Search vendor "Oracle" for product "Identity Manager Connector" | 11.1.1.5.0 Search vendor "Oracle" for product "Identity Manager Connector" and version "11.1.1.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdeveloper Search vendor "Oracle" for product "Jdeveloper" | 12.2.1.3.0 Search vendor "Oracle" for product "Jdeveloper" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Middleware Common Libraries And Tools Search vendor "Oracle" for product "Middleware Common Libraries And Tools" | 12.2.1.4.0 Search vendor "Oracle" for product "Middleware Common Libraries And Tools" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Mysql Enterprise Monitor Search vendor "Oracle" for product "Mysql Enterprise Monitor" | <= 8.0.29 Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version " <= 8.0.29" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Tuxedo Search vendor "Oracle" for product "Tuxedo" | 12.2.2.0.0 Search vendor "Oracle" for product "Tuxedo" and version "12.2.2.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Weblogic Server Search vendor "Oracle" for product "Weblogic Server" | 12.2.1.3.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Weblogic Server Search vendor "Oracle" for product "Weblogic Server" | 12.2.1.4.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Weblogic Server Search vendor "Oracle" for product "Weblogic Server" | 14.1.1.0.0 Search vendor "Oracle" for product "Weblogic Server" and version "14.1.1.0.0" | - |
Affected
| ||||||