Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-23302

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Published

2022-01-18T16:15:08.300

Last Modified

2025-07-07T18:15:24.713

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

6.8

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-502
Type: Primary
CWE-502

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	log4j	≤ 1.2.17	Yes
Application	netapp	snapmanager	-	Yes
Application	netapp	snapmanager	-	Yes
Application	broadcom	brocade_sannav	-	Yes
Application	qos	reload4j	< 1.2.18.1	Yes
Application	oracle	advanced_supply_chain_planning	12.1	Yes
Application	oracle	advanced_supply_chain_planning	12.2	Yes
Application	oracle	business_intelligence	5.9.0.0.0	Yes
Application	oracle	business_intelligence	12.2.1.3.0	Yes
Application	oracle	business_intelligence	12.2.1.4.0	Yes
Application	oracle	business_process_management_suite	12.2.1.3.0	Yes
Application	oracle	business_process_management_suite	12.2.1.4.0	Yes
Application	oracle	communications_eagle_ftp_table_base_retrieval	4.5	Yes
Application	oracle	communications_instant_messaging_server	10.0.1.5.0	Yes
Application	oracle	communications_messaging_server	8.1	Yes
Application	oracle	communications_network_integrity	7.3.6	Yes
Application	oracle	communications_offline_mediation_controller	< 12.0.0.4.4	Yes
Application	oracle	communications_offline_mediation_controller	12.0.0.5.0	Yes
Application	oracle	communications_unified_inventory_management	7.4.1	Yes
Application	oracle	communications_unified_inventory_management	7.4.2	Yes
Application	oracle	e-business_suite_cloud_manager_and_cloud_backup_module	< 2.2.1.1.1	Yes
Application	oracle	e-business_suite_cloud_manager_and_cloud_backup_module	2.2.1.1.1	Yes
Application	oracle	enterprise_manager_base_platform	13.4.0.0	Yes
Application	oracle	enterprise_manager_base_platform	13.5.0.0	Yes
Application	oracle	financial_services_revenue_management_and_billing_analytics	2.7.0.0	Yes
Application	oracle	financial_services_revenue_management_and_billing_analytics	2.7.0.1	Yes
Application	oracle	financial_services_revenue_management_and_billing_analytics	2.8.0.0	Yes
Application	oracle	healthcare_foundation	8.1.0	Yes
Application	oracle	hyperion_data_relationship_management	< 11.2.8.0	Yes
Application	oracle	hyperion_infrastructure_technology	< 11.2.8.0	Yes
Application	oracle	identity_management_suite	12.2.1.3.0	Yes
Application	oracle	identity_management_suite	12.2.1.4.0	Yes
Application	oracle	identity_manager_connector	11.1.1.5.0	Yes
Application	oracle	jdeveloper	12.2.1.3.0	Yes
Application	oracle	middleware_common_libraries_and_tools	12.2.1.4.0	Yes
Application	oracle	mysql_enterprise_monitor	≤ 8.0.29	Yes
Application	oracle	tuxedo	12.2.2.0.0	Yes
Application	oracle	weblogic_server	12.2.1.3.0	Yes
Application	oracle	weblogic_server	12.2.1.4.0	Yes
Application	oracle	weblogic_server	14.1.1.0.0	Yes

References

http://www.openwall.com/lists/oss-security/2022/01/18/3 Mailing List, Third Party Advisory ([email protected])
https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w Mailing List, Mitigation, Vendor Advisory ([email protected])
https://logging.apache.org/log4j/1.2/index.html Vendor Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20220217-0006/ Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2022/01/18/3 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w Mailing List, Mitigation, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://logging.apache.org/log4j/1.2/index.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20220217-0006/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.vicarius.io/vsociety/posts/cve-2022-23302-detect-log4j-1217-vulnerability (af854a3a-2127-422b-91ae-364da2661108)
https://www.vicarius.io/vsociety/posts/cve-2022-23302-mitigate-log4j-1217-vulnerability (af854a3a-2127-422b-91ae-364da2661108)