CVE-2022-23305 (CVSS base score 9.8)
- EPSS 14.14%
- Published 18.01.2022 16:15:08
- Last modified 21.11.2024 06:48:22
- Source security@apache.org
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter, where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged, allowing unintended SQL queries to be executed. Note that this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2, as it addresses numerous other issues from the previous versions.
Data is provided by the National Vulnerability Database (NVD)
- Netapp ≫ Snapmanager, Version: -, SwPlatform: oracle
- Netapp ≫ Snapmanager, Version: -, SwPlatform: sap
- Broadcom ≫ Brocade Sannav, Version: -
- Oracle ≫ Advanced Supply Chain Planning, Version: 12.1
- Oracle ≫ Advanced Supply Chain Planning, Version: 12.2
- Oracle ≫ Business Intelligence, Version: 5.9.0.0.0, SwEdition: enterprise
- Oracle ≫ Business Intelligence, Version: 12.2.1.3.0, SwEdition: enterprise
- Oracle ≫ Business Intelligence, Version: 12.2.1.4.0, SwEdition: enterprise
- Oracle ≫ Business Process Management Suite, Version: 12.2.1.3.0
- Oracle ≫ Business Process Management Suite, Version: 12.2.1.4.0
- Oracle ≫ Communications Eagle Ftp Table Base Retrieval, Version: 4.5
- Oracle ≫ Communications Instant Messaging Server, Version: 10.0.1.5.0
- Oracle ≫ Communications Messaging Server, Version: 8.1
- Oracle ≫ Communications Network Integrity, Version: 7.3.6
- Oracle ≫ Communications Offline Mediation Controller, Version: < 12.0.0.4.4
- Oracle ≫ Communications Offline Mediation Controller, Version: 12.0.0.5.0
- Oracle ≫ Communications Unified Inventory Management, Version: 7.4.1
- Oracle ≫ Communications Unified Inventory Management, Version: 7.4.2
- Oracle ≫ E-business Suite Cloud Manager And Cloud Backup Module, Version: < 2.2.1.1.1
- Oracle ≫ E-business Suite Cloud Manager And Cloud Backup Module, Version: 2.2.1.1.1
- Oracle ≫ E-business Suite Information Discovery, Version: >= 12.2.3 <= 12.2.11
- Oracle ≫ Enterprise Manager Base Platform, Version: 13.4.0.0
- Oracle ≫ Enterprise Manager Base Platform, Version: 13.5.0.0
- Oracle ≫ Financial Services Revenue Management And Billing Analytics, Version: 2.7.0.0
- Oracle ≫ Financial Services Revenue Management And Billing Analytics, Version: 2.7.0.1
- Oracle ≫ Financial Services Revenue Management And Billing Analytics, Version: 2.8.0.0
- Oracle ≫ Healthcare Foundation, Version: 8.1.0
- Oracle ≫ Hyperion Data Relationship Management, Version: < 11.2.8.0
- Oracle ≫ Hyperion Infrastructure Technology, Version: < 11.2.8.0
- Oracle ≫ Identity Management Suite, Version: 12.2.1.3.0
- Oracle ≫ Identity Management Suite, Version: 12.2.1.4.0
- Oracle ≫ Identity Manager Connector, Version: 11.1.1.5.0
- Oracle ≫ Jdeveloper, Version: 12.2.1.3.0
- Oracle ≫ Middleware Common Libraries And Tools, Version: 12.2.1.4.0
- Oracle ≫ Mysql Enterprise Monitor, Version: <= 8.0.29
- Oracle ≫ Retail Extract Transform And Load, Version: 13.2.5
- Oracle ≫ Weblogic Server, Version: 12.2.1.3.0
- Oracle ≫ Weblogic Server, Version: 12.2.1.4.0
- Oracle ≫ Weblogic Server, Version: 14.1.1.0.0
No CISA KEV entry or CERT.AT warning was found for this CVE.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 14.14% | 0.941 |

| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 6.8 | 8.6 | 6.4 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
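As an added illustration of both the CVE description above and the CWE-89 definition (example code written for this page, not code from Log4j or from the NVD record): a Python simulation, with sqlite3 standing in for the JDBC target, of the two ways a log message can reach the database. The legacy path substitutes the %m converter into the SQL text the way the Log4j 1.2 JDBCAppender does, so a message that merely contains a quote already changes the statement; the parameterized path binds the message as a value, which is the approach Log4j 2 reintroduced. It ends with a small configuration check that flags a log4j.properties file wiring up the non-default JDBCAppender. The table name, the SQL template, the messages and the properties fragment are all constructed for the example.

```python
"""Constructed demonstration of CVE-2022-23305 / CWE-89.

Not Log4j code: it simulates text substitution of PatternLayout converters
into an SQL template (Log4j 1.2 JDBCAppender) versus parameter binding
(Log4j 2 JDBC appender), and adds a config check for the legacy appender.
"""
import re
import sqlite3

# Constructed SQL template in the style the 1.2 JDBCAppender accepts: %m is
# replaced by the raw log message text before the statement is executed.
LEGACY_SQL_TEMPLATE = "INSERT INTO logs (message) VALUES ('%m')"


def new_db():
    """Fresh in-memory database with a single constructed log table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (message TEXT)")
    return conn


def legacy_insert(conn, message):
    """Mimic Log4j 1.x: the logged message becomes part of the SQL text."""
    sql = LEGACY_SQL_TEMPLATE.replace("%m", message)
    conn.execute(sql)  # any SQL syntax inside the message is parsed as SQL
    conn.commit()


def parameterized_insert(conn, message):
    """Mimic Log4j 2's JDBC appender: the message is bound as a parameter."""
    conn.execute("INSERT INTO logs (message) VALUES (?)", (message,))
    conn.commit()


def stored_messages(conn):
    return [row[0] for row in conn.execute("SELECT message FROM logs ORDER BY rowid")]


def legacy_insert_result(message):
    """('ok', rows) if the substituted statement ran, else ('error', exception name)."""
    conn = new_db()
    try:
        legacy_insert(conn, message)
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    return ("ok", stored_messages(conn))


def parameterized_insert_result(message):
    """The bound message is stored verbatim, quotes included."""
    conn = new_db()
    parameterized_insert(conn, message)
    return stored_messages(conn)


# Defender-side check: the CVE only applies when Log4j 1.x is explicitly
# configured with this appender class, so look for it in log4j.properties.
JDBC_APPENDER_CLASS = "org.apache.log4j.jdbc.JDBCAppender"
APPENDER_LINE = re.compile(r"log4j\.appender\.([^.=\s]+)(\.sql)?\s*=\s*(.*)$")


def find_jdbc_appenders(properties_text):
    """Return [(appender_name, sql_template)] for each JDBCAppender configured."""
    names = set()
    sql_by_name = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = APPENDER_LINE.match(line)
        if not m:
            continue
        name, is_sql, value = m.group(1), m.group(2), m.group(3).strip()
        if is_sql:
            sql_by_name[name] = value
        elif value == JDBC_APPENDER_CLASS:
            names.add(name)
    return [(n, sql_by_name.get(n, "")) for n in sorted(names)]


# Constructed log4j.properties fragment (hostname and table are placeholders).
SAMPLE_PROPERTIES = """
# constructed example configuration
log4j.rootLogger=INFO, db
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:example://dbhost/logs
log4j.appender.db.sql=INSERT INTO logs (ts, level, message) VALUES ('%d', '%p', '%m')
log4j.appender.db.layout=org.apache.log4j.PatternLayout
"""

if __name__ == "__main__":
    print("legacy, plain message:", legacy_insert_result("login ok"))
    print("legacy, message with a quote:", legacy_insert_result("user said: it's fine"))
    print("parameterized, same message:", parameterized_insert_result("user said: it's fine"))
    print("JDBCAppender configs found:", find_jdbc_appenders(SAMPLE_PROPERTIES))
```

The single quote in an ordinary message is enough to make the legacy statement fail to parse, which is the same mechanism that lets a deliberately crafted message alter the query; the parameterized insert stores the identical text unchanged. The configuration scan gives an inventory answer to the note in the description: if no appender resolves to `org.apache.log4j.jdbc.JDBCAppender`, this CVE does not apply, though the end-of-life status of Log4j 1.2 still argues for upgrading.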