CVE-2022-23305

high-risk

Published 2022-01-18

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Do I need to act?

8.0% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Log4J

Snapmanager

Brocade Sannav

Reload4J

Advanced Supply Chain Planning

Business Intelligence

Business Process Management Suite

Communications Eagle Ftp Table Base Retrieval

Communications Instant Messaging Server

Communications Messaging Server

Communications Network Integrity

Communications Offline Mediation Controller

Communications Unified Inventory Management

Affected Vendors

Apache Oracle Broadcom Netapp Qos

References (12)

Mailing List http://www.openwall.com/lists/oss-security/2022/01/18/4

Issue Tracking https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y

Vendor Advisory https://logging.apache.org/log4j/1.2/index.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20220217-0007/

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Patch https://www.oracle.com/security-alerts/cpujul2022.html

Mailing List http://www.openwall.com/lists/oss-security/2022/01/18/4

Issue Tracking https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y

Vendor Advisory https://logging.apache.org/log4j/1.2/index.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20220217-0007/

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Patch https://www.oracle.com/security-alerts/cpujul2022.html

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 10/34 · Low

Exposure 24/34 · High