CVE-2022-23305


By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter, where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged, allowing unintended SQL queries to be executed. Note that this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.

Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2, as it addresses numerous other issues from the previous versions.
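A defender-side check for the configuration described above, as an added example that is not part of the original advisory or of Log4j: it scans a Log4j 1.x properties file for JDBCAppender instances and reports whether the configured SQL embeds the %m converter. The sample configuration, its host name and the function names are constructed for illustration, and log4j.xml configurations are not covered.

```python
import re

JDBC_APPENDER = "org.apache.log4j.jdbc.JDBCAppender"
# %m with optional PatternLayout format modifiers, e.g. %-20.30m (case matters: %M is the method name)
MESSAGE_CONVERTER = re.compile(r"%-?\d*(?:\.\d+)?m")

def parse_properties(text):
    """Minimal .properties reader: comments, '=' or ':' separators, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def find_jdbc_appenders(text):
    """Return one finding per Log4j 1.x JDBCAppender declared in the config text."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not m or value.strip() != JDBC_APPENDER:
            continue
        name = m.group(1)
        wanted = f"log4j.appender.{name}.sql".lower()
        sql = next((v for k, v in props.items() if k.lower() == wanted), "")
        # "%%" is a literal percent sign in PatternLayout, so drop it before matching
        uses_message = bool(MESSAGE_CONVERTER.search(sql.replace("%%", "")))
        findings.append({"appender": name, "sql": sql, "logs_message": uses_message})
    return findings

# Constructed sample configuration, not taken from any real deployment
SAMPLE = r"""
log4j.rootLogger=INFO, CONSOLE, DB
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.URL=jdbc:mysql://db.example.internal/logs
log4j.appender.DB.sql=INSERT INTO app_log (ts, level, msg) \
    VALUES ('%d', '%p', '%m')
"""

if __name__ == "__main__":
    for finding in find_jdbc_appenders(SAMPLE):
        print(finding)
```

Any finding means the deployment uses the non-default JDBCAppender configuration this CVE applies to; `logs_message` being true means logged message text is placed directly into the SQL statement.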


Published

2022-01-18T16:15:08.350

Last Modified

2024-11-21T06:48:22.517

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

  • Type: Secondary
    CWE-89
  • Type: Primary
    CWE-89

Affected Vendors & Products

| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | apache | log4j | ≤ 1.2.17 | Yes |
| Application | netapp | snapmanager | - | Yes |
| Application | netapp | snapmanager | - | Yes |
| Application | broadcom | brocade_sannav | - | Yes |
| Application | qos | reload4j | < 1.2.18.2 | Yes |
| Application | oracle | advanced_supply_chain_planning | 12.1 | Yes |
| Application | oracle | advanced_supply_chain_planning | 12.2 | Yes |
| Application | oracle | business_intelligence | 5.9.0.0.0 | Yes |
| Application | oracle | business_intelligence | 12.2.1.3.0 | Yes |
| Application | oracle | business_intelligence | 12.2.1.4.0 | Yes |
| Application | oracle | business_process_management_suite | 12.2.1.3.0 | Yes |
| Application | oracle | business_process_management_suite | 12.2.1.4.0 | Yes |
| Application | oracle | communications_eagle_ftp_table_base_retrieval | 4.5 | Yes |
| Application | oracle | communications_instant_messaging_server | 10.0.1.5.0 | Yes |
| Application | oracle | communications_messaging_server | 8.1 | Yes |
| Application | oracle | communications_network_integrity | 7.3.6 | Yes |
| Application | oracle | communications_offline_mediation_controller | < 12.0.0.4.4 | Yes |
| Application | oracle | communications_offline_mediation_controller | 12.0.0.5.0 | Yes |
| Application | oracle | communications_unified_inventory_management | 7.4.1 | Yes |
| Application | oracle | communications_unified_inventory_management | 7.4.2 | Yes |
| Application | oracle | e-business_suite_cloud_manager_and_cloud_backup_module | < 2.2.1.1.1 | Yes |
| Application | oracle | e-business_suite_cloud_manager_and_cloud_backup_module | 2.2.1.1.1 | Yes |
| Application | oracle | e-business_suite_information_discovery | ≤ 12.2.11 | Yes |
| Application | oracle | enterprise_manager_base_platform | 13.4.0.0 | Yes |
| Application | oracle | enterprise_manager_base_platform | 13.5.0.0 | Yes |
| Application | oracle | financial_services_revenue_management_and_billing_analytics | 2.7.0.0 | Yes |
| Application | oracle | financial_services_revenue_management_and_billing_analytics | 2.7.0.1 | Yes |
| Application | oracle | financial_services_revenue_management_and_billing_analytics | 2.8.0.0 | Yes |
| Application | oracle | healthcare_foundation | 8.1.0 | Yes |
| Application | oracle | hyperion_data_relationship_management | < 11.2.8.0 | Yes |
| Application | oracle | hyperion_infrastructure_technology | < 11.2.8.0 | Yes |
| Application | oracle | identity_management_suite | 12.2.1.3.0 | Yes |
| Application | oracle | identity_management_suite | 12.2.1.4.0 | Yes |
| Application | oracle | identity_manager_connector | 11.1.1.5.0 | Yes |
| Application | oracle | jdeveloper | 12.2.1.3.0 | Yes |
| Application | oracle | middleware_common_libraries_and_tools | 12.2.1.4.0 | Yes |
| Application | oracle | mysql_enterprise_monitor | ≤ 8.0.29 | Yes |
| Application | oracle | retail_extract_transform_and_load | 13.2.5 | Yes |
| Application | oracle | tuxedo | 12.2.2.0.0 | Yes |
| Application | oracle | weblogic_server | 12.2.1.3.0 | Yes |
| Application | oracle | weblogic_server | 12.2.1.4.0 | Yes |
| Application | oracle | weblogic_server | 14.1.1.0.0 | Yes |

References