CVE-2022-23305

SQL injection in JDBC Appender in Apache Log4j V1

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Por diseño, el JDBCAppender en Log4j versiones 1.2.x, acepta una sentencia SQL como parámetro de configuración donde los valores a insertar son convertidores de PatternLayout. Es probable que el convertidor de mensajes, %m, sea incluido siempre. Esto permite a atacantes manipular el SQL introduciendo cadenas diseñadas en los campos de entrada o en los encabezados de una aplicación que son registradas permitiendo una ejecución de consultas SQL no deseadas. Tenga en cuenta que este problema sólo afecta a Log4j versiones 1.x cuando es configurado específicamente para usar el JDBCAppender, que no es el predeterminado. A partir de la versión 2.0-beta8, fue reintroducido el JDBCAppender con soporte apropiado para consultas SQL parametrizadas y mayor personalización sobre las columnas escritas en los registros. Apache Log4j versiones 1.2 llegó al final de su vida útil en agosto de 2015. Los usuarios deberían actualizar a Log4j 2, ya que aborda numerosos problemas de las versiones anteriores

A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.

Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services. This erratum releases a new image for Red Hat Single Sign-On 7.4.10 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service for on-premise or private cloud deployments, aligning with the standalone product release. Issues addressed include code execution, deserialization, and remote SQL injection vulnerabilities.

*Credits: Daniel Martin of NCC Group

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-17 CVE Reserved
2022-01-18 CVE Published
2022-11-05 First Exploit
2024-08-03 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC

References (11)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2022/01/18/4	Mailing List
https://security.netapp.com/advisory/ntap-20220217-0007	Third Party Advisory

URL	Date	SRC
https://github.com/HynekPetrak/log4shell-finder	2024-09-10
https://github.com/AlphabugX/CVE-2022-RCE	2022-11-05
https://github.com/tkomlodi/CVE-2022-23305_POC	2024-05-16

URL	Date	SRC
https://www.oracle.com/security-alerts/cpuapr2022.html	2023-02-24
https://www.oracle.com/security-alerts/cpujul2022.html	2023-02-24

URL	Date	SRC
https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y	2023-02-24
https://logging.apache.org/log4j/1.2/index.html	2023-02-24
https://access.redhat.com/security/cve/CVE-2022-23305	2024-08-26
https://bugzilla.redhat.com/show_bug.cgi?id=2041959	2024-08-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Log4j Search vendor "Apache" for product "Log4j"				>= 1.2 <= 1.2.17 Search vendor "Apache" for product "Log4j" and version " >= 1.2 <= 1.2.17"		-		Affected
Netapp Search vendor "Netapp"		Snapmanager Search vendor "Netapp" for product "Snapmanager"				-		oracle		Affected
Netapp Search vendor "Netapp"		Snapmanager Search vendor "Netapp" for product "Snapmanager"				-		sap		Affected
Broadcom Search vendor "Broadcom"		Brocade Sannav Search vendor "Broadcom" for product "Brocade Sannav"				-		-		Affected
Qos Search vendor "Qos"		Reload4j Search vendor "Qos" for product "Reload4j"				< 1.2.18.2 Search vendor "Qos" for product "Reload4j" and version " < 1.2.18.2"		-		Affected
Oracle Search vendor "Oracle"		Advanced Supply Chain Planning Search vendor "Oracle" for product "Advanced Supply Chain Planning"				12.1 Search vendor "Oracle" for product "Advanced Supply Chain Planning" and version "12.1"		-		Affected
Oracle Search vendor "Oracle"		Advanced Supply Chain Planning Search vendor "Oracle" for product "Advanced Supply Chain Planning"				12.2 Search vendor "Oracle" for product "Advanced Supply Chain Planning" and version "12.2"		-		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				5.9.0.0.0 Search vendor "Oracle" for product "Business Intelligence" and version "5.9.0.0.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				12.2.1.3.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.3.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				12.2.1.4.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.4.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite"				12.2.1.3.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite"				12.2.1.4.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Eagle Ftp Table Base Retrieval Search vendor "Oracle" for product "Communications Eagle Ftp Table Base Retrieval"				4.5 Search vendor "Oracle" for product "Communications Eagle Ftp Table Base Retrieval" and version "4.5"		-		Affected
Oracle Search vendor "Oracle"		Communications Instant Messaging Server Search vendor "Oracle" for product "Communications Instant Messaging Server"				10.0.1.5.0 Search vendor "Oracle" for product "Communications Instant Messaging Server" and version "10.0.1.5.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Messaging Server Search vendor "Oracle" for product "Communications Messaging Server"				8.1 Search vendor "Oracle" for product "Communications Messaging Server" and version "8.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Network Integrity Search vendor "Oracle" for product "Communications Network Integrity"				7.3.6 Search vendor "Oracle" for product "Communications Network Integrity" and version "7.3.6"		-		Affected
Oracle Search vendor "Oracle"		Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller"				< 12.0.0.4.4 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version " < 12.0.0.4.4"		-		Affected
Oracle Search vendor "Oracle"		Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller"				12.0.0.5.0 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version "12.0.0.5.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.4.1 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.4.2 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.2"		-		Affected
Oracle Search vendor "Oracle"		E-business Suite Cloud Manager And Cloud Backup Module Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module"				< 2.2.1.1.1 Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" and version " < 2.2.1.1.1"		-		Affected
Oracle Search vendor "Oracle"		E-business Suite Cloud Manager And Cloud Backup Module Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module"				2.2.1.1.1 Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" and version "2.2.1.1.1"		-		Affected
Oracle Search vendor "Oracle"		E-business Suite Information Discovery Search vendor "Oracle" for product "E-business Suite Information Discovery"				>= 12.2.3 <= 12.2.11 Search vendor "Oracle" for product "E-business Suite Information Discovery" and version " >= 12.2.3 <= 12.2.11"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform"				13.4.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.4.0.0"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform"				13.5.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.5.0.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics"				2.7.0.0 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7.0.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics"				2.7.0.1 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7.0.1"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics"				2.8.0.0 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.8.0.0"		-		Affected
Oracle Search vendor "Oracle"		Healthcare Foundation Search vendor "Oracle" for product "Healthcare Foundation"				8.1.0 Search vendor "Oracle" for product "Healthcare Foundation" and version "8.1.0"		-		Affected
Oracle Search vendor "Oracle"		Hyperion Data Relationship Management Search vendor "Oracle" for product "Hyperion Data Relationship Management"				< 11.2.8.0 Search vendor "Oracle" for product "Hyperion Data Relationship Management" and version " < 11.2.8.0"		-		Affected
Oracle Search vendor "Oracle"		Hyperion Infrastructure Technology Search vendor "Oracle" for product "Hyperion Infrastructure Technology"				< 11.2.8.0 Search vendor "Oracle" for product "Hyperion Infrastructure Technology" and version " < 11.2.8.0"		-		Affected
Oracle Search vendor "Oracle"		Identity Management Suite Search vendor "Oracle" for product "Identity Management Suite"				12.2.1.3.0 Search vendor "Oracle" for product "Identity Management Suite" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Identity Management Suite Search vendor "Oracle" for product "Identity Management Suite"				12.2.1.4.0 Search vendor "Oracle" for product "Identity Management Suite" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Identity Manager Connector Search vendor "Oracle" for product "Identity Manager Connector"				11.1.1.5.0 Search vendor "Oracle" for product "Identity Manager Connector" and version "11.1.1.5.0"		-		Affected
Oracle Search vendor "Oracle"		Jdeveloper Search vendor "Oracle" for product "Jdeveloper"				12.2.1.3.0 Search vendor "Oracle" for product "Jdeveloper" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Middleware Common Libraries And Tools Search vendor "Oracle" for product "Middleware Common Libraries And Tools"				12.2.1.4.0 Search vendor "Oracle" for product "Middleware Common Libraries And Tools" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Mysql Enterprise Monitor Search vendor "Oracle" for product "Mysql Enterprise Monitor"				<= 8.0.29 Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version " <= 8.0.29"		-		Affected
Oracle Search vendor "Oracle"		Retail Extract Transform And Load Search vendor "Oracle" for product "Retail Extract Transform And Load"				13.2.5 Search vendor "Oracle" for product "Retail Extract Transform And Load" and version "13.2.5"		-		Affected
Oracle Search vendor "Oracle"		Tuxedo Search vendor "Oracle" for product "Tuxedo"				12.2.2.0.0 Search vendor "Oracle" for product "Tuxedo" and version "12.2.2.0.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.3.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.4.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				14.1.1.0.0 Search vendor "Oracle" for product "Weblogic Server" and version "14.1.1.0.0"		-		Affected