CVE-2022-23305

Published: 18 Jan 2022
Source: redhat
CVSS3: 8.8
EPSS: Medium

Description

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.

Report

Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Red Hat Satellite bundles log4j-over-slf4j with Candlepin; however, the product is not affected because it uses the logback framework for logging. Red Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package; however, JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.

Mitigations

These are the possible mitigations for this flaw for 1.x releases:

  • Comment out or remove JDBCAppender in the Log4j configuration if it is used
  • Remove the JDBCAppender class from the server's jar files. For example:

    zip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class
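The two mitigations above amount to a check of the Log4j 1.x configuration and a check of the deployed jars. The following Python script is an added example, not Red Hat's or the Log4j project's code: it parses a log4j.properties text for appenders whose class is org.apache.log4j.jdbc.JDBCAppender, reports whether a jar still carries org/apache/log4j/jdbc/JDBCAppender.class, and rewrites the jar without that entry, which is the same effect as the `zip -q -d` command above. The properties snippet and the jar it builds in a temporary directory are constructed sample data; the class entry inside the sample jar is a dummy byte string, not real bytecode.

```python
"""Detect and strip the Log4j 1.x JDBCAppender (added example, constructed data)."""
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Tuple

JDBC_APPENDER_CLASS = "org/apache/log4j/jdbc/JDBCAppender.class"
JDBC_APPENDER_FQCN = "org.apache.log4j.jdbc.JDBCAppender"

# Constructed sample log4j.properties: a file appender plus a JDBCAppender whose
# SQL embeds the %m message converter that the advisory describes.
SAMPLE_PROPERTIES = """
# sample configuration (constructed for this example)
log4j.rootLogger=INFO, FILE, DB
log4j.appender.FILE=org.apache.log4j.FileAppender
log4j.appender.FILE.File=app.log
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.URL=jdbc:mysql://localhost/logs
log4j.appender.DB.sql=INSERT INTO LOGS VALUES ('%d', '%p', '%m')
log4j.appender.DB.layout=org.apache.log4j.PatternLayout
"""

# Matches only the appender class line (log4j.appender.<name>=<class>), not
# the per-appender sub-keys such as log4j.appender.DB.sql.
_APPENDER_RE = re.compile(r"log4j\.appender\.([^.=\s]+)\s*=\s*(.+)$")


def configured_jdbc_appenders(properties_text: str) -> List[str]:
    """Return the names of appenders configured with the JDBCAppender class."""
    names = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = _APPENDER_RE.match(line)
        if m and m.group(2).strip() == JDBC_APPENDER_FQCN:
            names.append(m.group(1))
    return names


def jar_contains_jdbc_appender(jar_path) -> bool:
    """True if the jar still ships the JDBCAppender class entry."""
    with zipfile.ZipFile(jar_path) as zf:
        return JDBC_APPENDER_CLASS in zf.namelist()


def strip_jdbc_appender(jar_path) -> bool:
    """Rewrite the jar without the JDBCAppender entry; True if it was removed.

    The jar is rebuilt in memory and written back atomically as one file, which
    keeps every other entry (and its compression settings) untouched.
    """
    src = Path(jar_path)
    with zipfile.ZipFile(src) as zf:
        if JDBC_APPENDER_CLASS not in zf.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as out:
            for info in zf.infolist():
                if info.filename == JDBC_APPENDER_CLASS:
                    continue
                out.writestr(info, zf.read(info.filename))
    src.write_bytes(buf.getvalue())
    return True


def build_sample_jar(jar_path) -> None:
    """Write a constructed jar that mimics a Log4j 1.2 archive (dummy entries)."""
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe dummy")
        zf.writestr(JDBC_APPENDER_CLASS, b"\xca\xfe\xba\xbe dummy")


def demo() -> Tuple[List[str], bool, bool, bool]:
    """Run the full check-and-strip flow on the constructed data."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = Path(tmp) / "log4j-1.2.17.jar"  # constructed file name
        build_sample_jar(jar)
        names = configured_jdbc_appenders(SAMPLE_PROPERTIES)
        before = jar_contains_jdbc_appender(jar)
        removed = strip_jdbc_appender(jar)
        after = jar_contains_jdbc_appender(jar)
        with zipfile.ZipFile(jar) as zf:
            assert zf.testzip() is None  # rewritten archive is still intact
    return names, before, removed, after


if __name__ == "__main__":
    names, before, removed, after = demo()
    print(f"JDBCAppender configured as: {names}")
    print(f"class present before: {before}, removed: {removed}, present after: {after}")
```

Removing the class is only a stop-gap that makes any remaining JDBCAppender configuration fail at startup; the configuration check is the one to act on first, and the durable fix remains moving to Log4j 2, which reintroduced the appender with parameterized SQL.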

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| A-MQ Clients 2 | log4j | Affected | | |
| Red Hat AMQ Broker 7 | log4j | Affected | | |
| Red Hat build of Quarkus | log4j | Not affected | | |
| Red Hat CodeReady Studio 12 | log4j | Affected | | |
| Red Hat Data Grid 8 | log4j | Not affected | | |
| Red Hat Decision Manager 7 | log4j | Not affected | | |
| Red Hat Enterprise Linux 7 | tomcat | Not affected | | |
| Red Hat Integration Camel K 1 | log4j | Not affected | | |
| Red Hat Integration Camel Quarkus 1 | log4j | Not affected | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | log4j | Not affected | | |


Additional information

Status: Important
Weakness: CWE-89
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2041959
log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender

EPSS

Percentile: 94%
Score: 0.1499
Medium

CVSS3

8.8 High

Related vulnerabilities

CVSS3: 9.8
ubuntu
more than 3 years ago

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CVSS3: 9.8
nvd
more than 3 years ago

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CVSS3: 9.8
debian
more than 3 years ago

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as ...

CVSS3: 9.8
github
more than 3 years ago

SQL Injection in Log4j 1.2.x

CVSS3: 9.8
fstec
more than 3 years ago

Vulnerability in the JDBCAppender adapter of the Log4j Java logging library, allowing an attacker to execute arbitrary SQL queries against the database
