// For flags

CVE-2022-23305

SQL injection in JDBC Appender in Apache Log4j V1

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Por diseño, el JDBCAppender en Log4j versiones 1.2.x, acepta una sentencia SQL como parámetro de configuración donde los valores a insertar son convertidores de PatternLayout. Es probable que el convertidor de mensajes, %m, sea incluido siempre. Esto permite a atacantes manipular el SQL introduciendo cadenas diseñadas en los campos de entrada o en los encabezados de una aplicación que son registradas permitiendo una ejecución de consultas SQL no deseadas. Tenga en cuenta que este problema sólo afecta a Log4j versiones 1.x cuando es configurado específicamente para usar el JDBCAppender, que no es el predeterminado. A partir de la versión 2.0-beta8, fue reintroducido el JDBCAppender con soporte apropiado para consultas SQL parametrizadas y mayor personalización sobre las columnas escritas en los registros. Apache Log4j versiones 1.2 llegó al final de su vida útil en agosto de 2015. Los usuarios deberían actualizar a Log4j 2, ya que aborda numerosos problemas de las versiones anteriores

A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.

*Credits: Daniel Martin of NCC Group
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-01-17 CVE Reserved
  • 2022-01-18 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-10-03 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
Log4j
Search vendor "Apache" for product "Log4j"
>= 1.2 <= 1.2.17
Search vendor "Apache" for product "Log4j" and version " >= 1.2 <= 1.2.17"
-
Affected
Netapp
Search vendor "Netapp"
Snapmanager
Search vendor "Netapp" for product "Snapmanager"
-oracle
Affected
Netapp
Search vendor "Netapp"
Snapmanager
Search vendor "Netapp" for product "Snapmanager"
-sap
Affected
Broadcom
Search vendor "Broadcom"
Brocade Sannav
Search vendor "Broadcom" for product "Brocade Sannav"
--
Affected
Qos
Search vendor "Qos"
Reload4j
Search vendor "Qos" for product "Reload4j"
< 1.2.18.2
Search vendor "Qos" for product "Reload4j" and version " < 1.2.18.2"
-
Affected
Oracle
Search vendor "Oracle"
Advanced Supply Chain Planning
Search vendor "Oracle" for product "Advanced Supply Chain Planning"
12.1
Search vendor "Oracle" for product "Advanced Supply Chain Planning" and version "12.1"
-
Affected
Oracle
Search vendor "Oracle"
Advanced Supply Chain Planning
Search vendor "Oracle" for product "Advanced Supply Chain Planning"
12.2
Search vendor "Oracle" for product "Advanced Supply Chain Planning" and version "12.2"
-
Affected
Oracle
Search vendor "Oracle"
Business Intelligence
Search vendor "Oracle" for product "Business Intelligence"
5.9.0.0.0
Search vendor "Oracle" for product "Business Intelligence" and version "5.9.0.0.0"
enterprise
Affected
Oracle
Search vendor "Oracle"
Business Intelligence
Search vendor "Oracle" for product "Business Intelligence"
12.2.1.3.0
Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.3.0"
enterprise
Affected
Oracle
Search vendor "Oracle"
Business Intelligence
Search vendor "Oracle" for product "Business Intelligence"
12.2.1.4.0
Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.4.0"
enterprise
Affected
Oracle
Search vendor "Oracle"
Business Process Management Suite
Search vendor "Oracle" for product "Business Process Management Suite"
12.2.1.3.0
Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Business Process Management Suite
Search vendor "Oracle" for product "Business Process Management Suite"
12.2.1.4.0
Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.4.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Eagle Ftp Table Base Retrieval
Search vendor "Oracle" for product "Communications Eagle Ftp Table Base Retrieval"
4.5
Search vendor "Oracle" for product "Communications Eagle Ftp Table Base Retrieval" and version "4.5"
-
Affected
Oracle
Search vendor "Oracle"
Communications Instant Messaging Server
Search vendor "Oracle" for product "Communications Instant Messaging Server"
10.0.1.5.0
Search vendor "Oracle" for product "Communications Instant Messaging Server" and version "10.0.1.5.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Messaging Server
Search vendor "Oracle" for product "Communications Messaging Server"
8.1
Search vendor "Oracle" for product "Communications Messaging Server" and version "8.1"
-
Affected
Oracle
Search vendor "Oracle"
Communications Network Integrity
Search vendor "Oracle" for product "Communications Network Integrity"
7.3.6
Search vendor "Oracle" for product "Communications Network Integrity" and version "7.3.6"
-
Affected
Oracle
Search vendor "Oracle"
Communications Offline Mediation Controller
Search vendor "Oracle" for product "Communications Offline Mediation Controller"
< 12.0.0.4.4
Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version " < 12.0.0.4.4"
-
Affected
Oracle
Search vendor "Oracle"
Communications Offline Mediation Controller
Search vendor "Oracle" for product "Communications Offline Mediation Controller"
12.0.0.5.0
Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version "12.0.0.5.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Unified Inventory Management
Search vendor "Oracle" for product "Communications Unified Inventory Management"
7.4.1
Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.1"
-
Affected
Oracle
Search vendor "Oracle"
Communications Unified Inventory Management
Search vendor "Oracle" for product "Communications Unified Inventory Management"
7.4.2
Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.2"
-
Affected
Oracle
Search vendor "Oracle"
E-business Suite Cloud Manager And Cloud Backup Module
Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module"
< 2.2.1.1.1
Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" and version " < 2.2.1.1.1"
-
Affected
Oracle
Search vendor "Oracle"
E-business Suite Cloud Manager And Cloud Backup Module
Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module"
2.2.1.1.1
Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" and version "2.2.1.1.1"
-
Affected
Oracle
Search vendor "Oracle"
E-business Suite Information Discovery
Search vendor "Oracle" for product "E-business Suite Information Discovery"
>= 12.2.3 <= 12.2.11
Search vendor "Oracle" for product "E-business Suite Information Discovery" and version " >= 12.2.3 <= 12.2.11"
-
Affected
Oracle
Search vendor "Oracle"
Enterprise Manager Base Platform
Search vendor "Oracle" for product "Enterprise Manager Base Platform"
13.4.0.0
Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.4.0.0"
-
Affected
Oracle
Search vendor "Oracle"
Enterprise Manager Base Platform
Search vendor "Oracle" for product "Enterprise Manager Base Platform"
13.5.0.0
Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.5.0.0"
-
Affected
Oracle
Search vendor "Oracle"
Financial Services Revenue Management And Billing Analytics
Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics"
2.7.0.0
Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7.0.0"
-
Affected
Oracle
Search vendor "Oracle"
Financial Services Revenue Management And Billing Analytics
Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics"
2.7.0.1
Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7.0.1"
-
Affected
Oracle
Search vendor "Oracle"
Financial Services Revenue Management And Billing Analytics
Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics"
2.8.0.0
Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.8.0.0"
-
Affected
Oracle
Search vendor "Oracle"
Healthcare Foundation
Search vendor "Oracle" for product "Healthcare Foundation"
8.1.0
Search vendor "Oracle" for product "Healthcare Foundation" and version "8.1.0"
-
Affected
Oracle
Search vendor "Oracle"
Hyperion Data Relationship Management
Search vendor "Oracle" for product "Hyperion Data Relationship Management"
< 11.2.8.0
Search vendor "Oracle" for product "Hyperion Data Relationship Management" and version " < 11.2.8.0"
-
Affected
Oracle
Search vendor "Oracle"
Hyperion Infrastructure Technology
Search vendor "Oracle" for product "Hyperion Infrastructure Technology"
< 11.2.8.0
Search vendor "Oracle" for product "Hyperion Infrastructure Technology" and version " < 11.2.8.0"
-
Affected
Oracle
Search vendor "Oracle"
Identity Management Suite
Search vendor "Oracle" for product "Identity Management Suite"
12.2.1.3.0
Search vendor "Oracle" for product "Identity Management Suite" and version "12.2.1.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Identity Management Suite
Search vendor "Oracle" for product "Identity Management Suite"
12.2.1.4.0
Search vendor "Oracle" for product "Identity Management Suite" and version "12.2.1.4.0"
-
Affected
Oracle
Search vendor "Oracle"
Identity Manager Connector
Search vendor "Oracle" for product "Identity Manager Connector"
11.1.1.5.0
Search vendor "Oracle" for product "Identity Manager Connector" and version "11.1.1.5.0"
-
Affected
Oracle
Search vendor "Oracle"
Jdeveloper
Search vendor "Oracle" for product "Jdeveloper"
12.2.1.3.0
Search vendor "Oracle" for product "Jdeveloper" and version "12.2.1.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Middleware Common Libraries And Tools
Search vendor "Oracle" for product "Middleware Common Libraries And Tools"
12.2.1.4.0
Search vendor "Oracle" for product "Middleware Common Libraries And Tools" and version "12.2.1.4.0"
-
Affected
Oracle
Search vendor "Oracle"
Mysql Enterprise Monitor
Search vendor "Oracle" for product "Mysql Enterprise Monitor"
<= 8.0.29
Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version " <= 8.0.29"
-
Affected
Oracle
Search vendor "Oracle"
Retail Extract Transform And Load
Search vendor "Oracle" for product "Retail Extract Transform And Load"
13.2.5
Search vendor "Oracle" for product "Retail Extract Transform And Load" and version "13.2.5"
-
Affected
Oracle
Search vendor "Oracle"
Tuxedo
Search vendor "Oracle" for product "Tuxedo"
12.2.2.0.0
Search vendor "Oracle" for product "Tuxedo" and version "12.2.2.0.0"
-
Affected
Oracle
Search vendor "Oracle"
Weblogic Server
Search vendor "Oracle" for product "Weblogic Server"
12.2.1.3.0
Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Weblogic Server
Search vendor "Oracle" for product "Weblogic Server"
12.2.1.4.0
Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.4.0"
-
Affected
Oracle
Search vendor "Oracle"
Weblogic Server
Search vendor "Oracle" for product "Weblogic Server"
14.1.1.0.0
Search vendor "Oracle" for product "Weblogic Server" and version "14.1.1.0.0"
-
Affected