CVE-2022-23305
SQL injection in JDBC Appender in Apache Log4j V1
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Por diseño, el JDBCAppender en Log4j versiones 1.2.x, acepta una sentencia SQL como parámetro de configuración donde los valores a insertar son convertidores de PatternLayout. Es probable que el convertidor de mensajes, %m, sea incluido siempre. Esto permite a atacantes manipular el SQL introduciendo cadenas diseñadas en los campos de entrada o en los encabezados de una aplicación que son registradas permitiendo una ejecución de consultas SQL no deseadas. Tenga en cuenta que este problema sólo afecta a Log4j versiones 1.x cuando es configurado específicamente para usar el JDBCAppender, que no es el predeterminado. A partir de la versión 2.0-beta8, fue reintroducido el JDBCAppender con soporte apropiado para consultas SQL parametrizadas y mayor personalización sobre las columnas escritas en los registros. Apache Log4j versiones 1.2 llegó al final de su vida útil en agosto de 2015. Los usuarios deberían actualizar a Log4j 2, ya que aborda numerosos problemas de las versiones anteriores
A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.
*Credits:
Daniel Martin of NCC Group
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-01-17 CVE Reserved
- 2022-01-18 CVE Published
- 2024-08-03 CVE Updated
- 2024-10-03 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2022/01/18/4 | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20220217-0007 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com/security-alerts/cpuapr2022.html | 2023-02-24 | |
| https://www.oracle.com/security-alerts/cpujul2022.html | 2023-02-24 |
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y | 2023-02-24 | |
| https://logging.apache.org/log4j/1.2/index.html | 2023-02-24 | |
| https://access.redhat.com/security/cve/CVE-2022-23305 | 2024-08-26 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2041959 | 2024-08-26 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Log4j Search vendor "Apache" for product "Log4j" | >= 1.2 <= 1.2.17 Search vendor "Apache" for product "Log4j" and version " >= 1.2 <= 1.2.17" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Snapmanager Search vendor "Netapp" for product "Snapmanager" | - | oracle |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Snapmanager Search vendor "Netapp" for product "Snapmanager" | - | sap |
Affected
| ||||||
| Broadcom Search vendor "Broadcom" | Brocade Sannav Search vendor "Broadcom" for product "Brocade Sannav" | - | - |
Affected
| ||||||
| Qos Search vendor "Qos" | Reload4j Search vendor "Qos" for product "Reload4j" | < 1.2.18.2 Search vendor "Qos" for product "Reload4j" and version " < 1.2.18.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Advanced Supply Chain Planning Search vendor "Oracle" for product "Advanced Supply Chain Planning" | 12.1 Search vendor "Oracle" for product "Advanced Supply Chain Planning" and version "12.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Advanced Supply Chain Planning Search vendor "Oracle" for product "Advanced Supply Chain Planning" | 12.2 Search vendor "Oracle" for product "Advanced Supply Chain Planning" and version "12.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Intelligence Search vendor "Oracle" for product "Business Intelligence" | 5.9.0.0.0 Search vendor "Oracle" for product "Business Intelligence" and version "5.9.0.0.0" | enterprise |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Intelligence Search vendor "Oracle" for product "Business Intelligence" | 12.2.1.3.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.3.0" | enterprise |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Intelligence Search vendor "Oracle" for product "Business Intelligence" | 12.2.1.4.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.4.0" | enterprise |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite" | 12.2.1.3.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite" | 12.2.1.4.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Eagle Ftp Table Base Retrieval Search vendor "Oracle" for product "Communications Eagle Ftp Table Base Retrieval" | 4.5 Search vendor "Oracle" for product "Communications Eagle Ftp Table Base Retrieval" and version "4.5" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Instant Messaging Server Search vendor "Oracle" for product "Communications Instant Messaging Server" | 10.0.1.5.0 Search vendor "Oracle" for product "Communications Instant Messaging Server" and version "10.0.1.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Messaging Server Search vendor "Oracle" for product "Communications Messaging Server" | 8.1 Search vendor "Oracle" for product "Communications Messaging Server" and version "8.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Network Integrity Search vendor "Oracle" for product "Communications Network Integrity" | 7.3.6 Search vendor "Oracle" for product "Communications Network Integrity" and version "7.3.6" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller" | < 12.0.0.4.4 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version " < 12.0.0.4.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller" | 12.0.0.5.0 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version "12.0.0.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management" | 7.4.1 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management" | 7.4.2 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | E-business Suite Cloud Manager And Cloud Backup Module Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" | < 2.2.1.1.1 Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" and version " < 2.2.1.1.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | E-business Suite Cloud Manager And Cloud Backup Module Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" | 2.2.1.1.1 Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" and version "2.2.1.1.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | E-business Suite Information Discovery Search vendor "Oracle" for product "E-business Suite Information Discovery" | >= 12.2.3 <= 12.2.11 Search vendor "Oracle" for product "E-business Suite Information Discovery" and version " >= 12.2.3 <= 12.2.11" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform" | 13.4.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.4.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform" | 13.5.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.5.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" | 2.7.0.0 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" | 2.7.0.1 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7.0.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" | 2.8.0.0 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.8.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Healthcare Foundation Search vendor "Oracle" for product "Healthcare Foundation" | 8.1.0 Search vendor "Oracle" for product "Healthcare Foundation" and version "8.1.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Hyperion Data Relationship Management Search vendor "Oracle" for product "Hyperion Data Relationship Management" | < 11.2.8.0 Search vendor "Oracle" for product "Hyperion Data Relationship Management" and version " < 11.2.8.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Hyperion Infrastructure Technology Search vendor "Oracle" for product "Hyperion Infrastructure Technology" | < 11.2.8.0 Search vendor "Oracle" for product "Hyperion Infrastructure Technology" and version " < 11.2.8.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Identity Management Suite Search vendor "Oracle" for product "Identity Management Suite" | 12.2.1.3.0 Search vendor "Oracle" for product "Identity Management Suite" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Identity Management Suite Search vendor "Oracle" for product "Identity Management Suite" | 12.2.1.4.0 Search vendor "Oracle" for product "Identity Management Suite" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Identity Manager Connector Search vendor "Oracle" for product "Identity Manager Connector" | 11.1.1.5.0 Search vendor "Oracle" for product "Identity Manager Connector" and version "11.1.1.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdeveloper Search vendor "Oracle" for product "Jdeveloper" | 12.2.1.3.0 Search vendor "Oracle" for product "Jdeveloper" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Middleware Common Libraries And Tools Search vendor "Oracle" for product "Middleware Common Libraries And Tools" | 12.2.1.4.0 Search vendor "Oracle" for product "Middleware Common Libraries And Tools" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Mysql Enterprise Monitor Search vendor "Oracle" for product "Mysql Enterprise Monitor" | <= 8.0.29 Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version " <= 8.0.29" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Extract Transform And Load Search vendor "Oracle" for product "Retail Extract Transform And Load" | 13.2.5 Search vendor "Oracle" for product "Retail Extract Transform And Load" and version "13.2.5" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Tuxedo Search vendor "Oracle" for product "Tuxedo" | 12.2.2.0.0 Search vendor "Oracle" for product "Tuxedo" and version "12.2.2.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Weblogic Server Search vendor "Oracle" for product "Weblogic Server" | 12.2.1.3.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Weblogic Server Search vendor "Oracle" for product "Weblogic Server" | 12.2.1.4.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Weblogic Server Search vendor "Oracle" for product "Weblogic Server" | 14.1.1.0.0 Search vendor "Oracle" for product "Weblogic Server" and version "14.1.1.0.0" | - |
Affected
| ||||||