CVE-2022-23302 (CVSS base score 8.8)
- EPSS 0.48%
- Published 18.01.2022 16:15:08
- Last modified 07.07.2025 18:15:24
- Source security@apache.org
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Data is provided by the National Vulnerability Database (NVD)
Affected configurations (vendor ≫ product):
- Netapp ≫ Snapmanager (version: -, software platform: oracle)
- Netapp ≫ Snapmanager (version: -, software platform: sap)
- Broadcom ≫ Brocade Sannav (version: -)
- Oracle ≫ Advanced Supply Chain Planning (version: 12.1)
- Oracle ≫ Advanced Supply Chain Planning (version: 12.2)
- Oracle ≫ Business Intelligence (version: 5.9.0.0.0, software edition: enterprise)
- Oracle ≫ Business Intelligence (version: 12.2.1.3.0, software edition: enterprise)
- Oracle ≫ Business Intelligence (version: 12.2.1.4.0, software edition: enterprise)
- Oracle ≫ Business Process Management Suite (version: 12.2.1.3.0)
- Oracle ≫ Business Process Management Suite (version: 12.2.1.4.0)
- Oracle ≫ Communications Eagle Ftp Table Base Retrieval (version: 4.5)
- Oracle ≫ Communications Instant Messaging Server (version: 10.0.1.5.0)
- Oracle ≫ Communications Messaging Server (version: 8.1)
- Oracle ≫ Communications Network Integrity (version: 7.3.6)
- Oracle ≫ Communications Offline Mediation Controller (version: < 12.0.0.4.4)
- Oracle ≫ Communications Offline Mediation Controller (version: 12.0.0.5.0)
- Oracle ≫ Communications Unified Inventory Management (version: 7.4.1)
- Oracle ≫ Communications Unified Inventory Management (version: 7.4.2)
- Oracle ≫ E-business Suite Cloud Manager And Cloud Backup Module (version: < 2.2.1.1.1)
- Oracle ≫ E-business Suite Cloud Manager And Cloud Backup Module (version: 2.2.1.1.1)
- Oracle ≫ Enterprise Manager Base Platform (version: 13.4.0.0)
- Oracle ≫ Enterprise Manager Base Platform (version: 13.5.0.0)
- Oracle ≫ Financial Services Revenue Management And Billing Analytics (version: 2.7.0.0)
- Oracle ≫ Financial Services Revenue Management And Billing Analytics (version: 2.7.0.1)
- Oracle ≫ Financial Services Revenue Management And Billing Analytics (version: 2.8.0.0)
- Oracle ≫ Healthcare Foundation (version: 8.1.0)
- Oracle ≫ Hyperion Data Relationship Management (version: < 11.2.8.0)
- Oracle ≫ Hyperion Infrastructure Technology (version: < 11.2.8.0)
- Oracle ≫ Identity Management Suite (version: 12.2.1.3.0)
- Oracle ≫ Identity Management Suite (version: 12.2.1.4.0)
- Oracle ≫ Identity Manager Connector (version: 11.1.1.5.0)
- Oracle ≫ Jdeveloper (version: 12.2.1.3.0)
- Oracle ≫ Middleware Common Libraries And Tools (version: 12.2.1.4.0)
- Oracle ≫ Mysql Enterprise Monitor (version: <= 8.0.29)
- Oracle ≫ Weblogic Server (version: 12.2.1.3.0)
- Oracle ≫ Weblogic Server (version: 12.2.1.4.0)
- Oracle ≫ Weblogic Server (version: 14.1.1.0.0)
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile
---|---|---|---
EPSS | FIRST.org | 0.48% | 0.639

Source | Base Score | Exploit Score | Impact Score | Vector string
---|---|---|---|---
nvd@nist.gov | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov | 6 | 6.8 | 6.4 | AV:N/AC:M/Au:S/C:P/I:P/A:P (CVSS v2)
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.