exploitDog

CVE-2022-23302

Published: 18 Jan 2022
Source: redhat
CVSS3: 8.8
EPSS: Low

Description

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.

Statement

Note this flaw ONLY affects applications that are specifically configured to use JMSSink, which is not the default, or where the attacker has write access to the Log4j configuration and can point JMSSink at an attacker-controlled JNDI/LDAP endpoint. Red Hat Satellite bundles log4j-over-slf4j with Candlepin; however, the product is not affected because it uses the logback framework for logging. Red Hat Virtualization and OpenShift Container Platform (in the OCP Metering stack: the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package; however, JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.

Mitigation

These are the possible mitigations for this flaw for 1.x releases:

  • Comment out or remove JMSSink in the Log4j configuration if it is used.
  • Remove the JMSSink class from the server's jar files. For example:
zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class
  • Restrict the OS user the application runs as so that an attacker cannot modify the Log4j configuration.
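To verify the mitigations above before and after applying them, here is an added example in Python using only the standard library; it is not code from the advisory or from Apache Log4j. It checks whether a jar still ships org/apache/log4j/net/JMSSink.class, scans a Log4j 1.x properties file for active (non-commented) lines that mention JMSSink or the TopicConnectionFactoryBindingName parameter named in the CVE text, and removes the class entry from the jar by rewriting it, which is what the `zip -q -d` command does. The jar and configuration it operates on are constructed fixtures built inside the script; the file names, function names and the `TopicConnectionFactoryBindingName=...` config line are assumptions for illustration, not a documented Log4j 1.x configuration key.

```python
"""Audit and neutralise JMSSink exposure in Log4j 1.x (CVE-2022-23302).

Added example, not code from the advisory or from Apache Log4j.
Assumptions (constructed for this demo): the fixture jar and properties
file built by build_fixtures(), and the config key spelling used there.
"""
import os
import tempfile
import zipfile

# The class the advisory's `zip -q -d` command deletes.
JMSSINK_ENTRY = "org/apache/log4j/net/JMSSink.class"
# Names from the CVE text; any active config line containing one is reported.
CONFIG_MARKERS = ("JMSSink", "TopicConnectionFactoryBindingName")


def jar_ships_jmssink(jar_path):
    """True if the jar still contains JMSSink.class, i.e. is unmitigated."""
    with zipfile.ZipFile(jar_path) as zf:
        return JMSSINK_ENTRY in zf.namelist()


def config_references_jmssink(config_path):
    """Return (line number, line) for active properties lines naming JMSSink.

    Lines commented out with '#' or '!' (properties syntax) are skipped,
    since commenting JMSSink out is the advisory's first mitigation.
    """
    hits = []
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            stripped = line.strip()
            if not stripped or stripped.startswith(("#", "!")):
                continue
            if any(marker in stripped for marker in CONFIG_MARKERS):
                hits.append((lineno, stripped))
    return hits


def strip_jmssink(jar_path):
    """Rewrite the jar without JMSSink.class (what `zip -q -d` does).

    Returns True if the entry was removed, False if it was already absent.
    Every other entry is copied with its original ZipInfo metadata.
    """
    with zipfile.ZipFile(jar_path) as src:
        infos = src.infolist()
        if JMSSINK_ENTRY not in {i.filename for i in infos}:
            return False
        kept = [(i, src.read(i.filename)) for i in infos if i.filename != JMSSINK_ENTRY]
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(tmp_path, "w") as dst:
        for info, data in kept:
            dst.writestr(info, data)
    os.replace(tmp_path, jar_path)  # atomic swap: a crash leaves the original jar intact
    return True


def build_fixtures(directory):
    """Create a fake log4j-1.2.17.jar and log4j.properties (constructed test data)."""
    jar_path = os.path.join(directory, "log4j-1.2.17.jar")
    with zipfile.ZipFile(jar_path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        zf.writestr(JMSSINK_ENTRY, b"\xca\xfe\xba\xbe")
    config_path = os.path.join(directory, "log4j.properties")
    with open(config_path, "w", encoding="utf-8") as fh:
        fh.write(
            "log4j.rootLogger=INFO, console\n"
            "log4j.appender.console=org.apache.log4j.ConsoleAppender\n"
            "# TopicConnectionFactoryBindingName=ConnectionFactory   (commented out: ignored)\n"
            "TopicConnectionFactoryBindingName=ConnectionFactory\n"  # assumed key spelling
        )
    return jar_path, config_path


def audit(directory=None):
    """Run both checks, apply the jar mitigation, and return the before/after state."""
    if directory is None:
        with tempfile.TemporaryDirectory() as tmp:
            return audit(tmp)
    jar_path, config_path = build_fixtures(directory)
    report = {
        "jar_before": jar_ships_jmssink(jar_path),
        "config_hits": config_references_jmssink(config_path),
        "removed": strip_jmssink(jar_path),
    }
    report["jar_after"] = jar_ships_jmssink(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        report["remaining"] = zf.namelist()
    return report


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On a real host, point jar_ships_jmssink() and strip_jmssink() at every Log4j 1.x jar you can find (for example with `find / -name 'log4j-1*.jar'`), including copies repackaged inside WAR/EAR files or fat jars, which the `zip -d` one-liner on the advisory's path pattern does not touch; `unzip -l <jar> | grep JMSSink` is the quick manual equivalent of the first check. The configuration scan is deliberately conservative: it reports any active line containing either marker and leaves the decision to the reviewer.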

Affected packages

Platform                                                     | Package | State        | Recommendation | Release
A-MQ Clients 2                                               | log4j   | Affected     |                |
Red Hat AMQ Broker 7                                         | log4j   | Affected     |                |
Red Hat build of Quarkus                                     | log4j   | Not affected |                |
Red Hat CodeReady Studio 12                                  | log4j   | Affected     |                |
Red Hat Data Grid 8                                          | log4j   | Not affected |                |
Red Hat Decision Manager 7                                   | log4j   | Not affected |                |
Red Hat Enterprise Linux 7                                   | tomcat  | Not affected |                |
Red Hat Integration Camel K 1                                | log4j   | Not affected |                |
Red Hat Integration Camel Quarkus 1                          | log4j   | Not affected |                |
Red Hat JBoss Enterprise Application Platform Expansion Pack | log4j   | Not affected |                |


Additional information

Severity: Moderate
Weakness: CWE-502
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2041949 (log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink)

EPSS: 0.00327 (percentile 55%, Low)
CVSS3: 8.8 (High)

Related vulnerabilities

  • ubuntu (CVSS3: 8.8, more than 3 years ago): same description text as in the Description section above.
  • nvd (CVSS3: 8.8, more than 3 years ago): same description text as in the Description section above.
  • debian (CVSS3: 8.8, more than 3 years ago): JMSSink in all versions of Log4j 1.x is vulnerable to deserialization ...
  • github (CVSS3: 8.8, more than 3 years ago): Deserialization of Untrusted Data in Log4j 1.x
  • fstec (CVSS3: 6.6, more than 3 years ago): Vulnerability in the JMSSink class implementation of the Log4j Java logging library, allowing an attacker to execute arbitrary code
