Home

CVE-2022-23302

Description

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Risk Information

Base Score
8.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
0.647

Associated Vulnerability

VulnerabilityOS Platform
Log4j Vulnerability(CVE-2022-23302)Windows
Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.3.0Windows
Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.4.0Windows
Multiple vulnerabilities are affected in Oracle WebLogic Server 14.1.1.0.0Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.0Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.1Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.2Windows
Multiple Vulnerabilities are affected in IBM App Connect Enterprise 11.0.0.15Windows
Multiple Vulnerabilities are affected in IBM App Connect Enterprise 12.0.3.0Windows
Multiple Vulnerabilities are affected in IBM App Connect Enterprise 11.0.0.16Windows
Vulnerabilities CVE-2022-23305,CVE-2022-23307,CVE-2022-23302 are affected in Apache-log4j 1.2.17Windows
Vulnerabilities CVE-2022-23305,CVE-2022-23307,CVE-2021-4104,CVE-2022-23302 are affected in Zenframework - log4j-1.2.17 2.0Windows
(RHSA-2022:0290) parfait:0.5 security update parfait-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpmLinux
(RHSA-2022:0290) parfait:0.5 security update parfait-examples-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpmLinux
(RHSA-2022:0290) parfait:0.5 security update parfait-javadoc-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpmLinux
(RHSA-2022:0290) parfait:0.5 security update pcp-parfait-agent-0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch.rpmLinux
(RHSA-2022:0290) parfait:0.5 security update si-units-javadoc-0.6.5-2.module+el8+2463+615f6896.noarch.rpmLinux
(RHSA-2022:0290) parfait:0.5 security update unit-api-javadoc-1.0-5.module+el8+2463+615f6896.noarch.rpmLinux
(RHSA-2022:0290) parfait:0.5 security update uom-lib-javadoc-1.0.1-6.module+el8+2463+615f6896.noarch.rpmLinux
(RHSA-2022:0290) parfait:0.5 security update uom-parent-1.0.3-3.module+el8+2463+615f6896.noarch.rpmLinux
(RHSA-2022:0290) parfait:0.5 security update uom-se-javadoc-1.0.4-3.module+el8+2463+615f6896.noarch.rpmLinux
(RHSA-2022:0290) parfait:0.5 security update uom-systems-javadoc-0.7-1.module+el8+2463+615f6896.noarch.rpmLinux
SUSE-SU-2022:0212-1(SUSE Linux Enterprise Server 12-SP5 ) log4j-1.2.15-126.9.1.noarch.rpmLinux
Parfait update (ELSA-2022-0290) parfait-0.5.4-4.module+el8.5.0+20480+407d1823.noarch.rpmLinux
Parfait-examples update (ELSA-2022-0290) parfait-examples-0.5.4-4.module+el8.5.0+20480+407d1823.noarch.rpmLinux
Parfait-javadoc update (ELSA-2022-0290) parfait-javadoc-0.5.4-4.module+el8.5.0+20480+407d1823.noarch.rpmLinux
Pcp-parfait-agent update (ELSA-2022-0290) pcp-parfait-agent-0.5.4-4.module+el8.5.0+20480+407d1823.noarch.rpmLinux
Si-units update (ELSA-2022-0290) si-units-0.6.5-2.module+el8+5163+abb6ece5.noarch.rpmLinux
Si-units-javadoc update (ELSA-2022-0290) si-units-javadoc-0.6.5-2.module+el8+5163+abb6ece5.noarch.rpmLinux
Unit-api update (ELSA-2022-0290) unit-api-1.0-5.module+el8+5163+abb6ece5.noarch.rpmLinux
Unit-api-javadoc update (ELSA-2022-0290) unit-api-javadoc-1.0-5.module+el8+5163+abb6ece5.noarch.rpmLinux
Uom-lib update (ELSA-2022-0290) uom-lib-1.0.1-6.module+el8+5163+abb6ece5.noarch.rpmLinux
Uom-lib-javadoc update (ELSA-2022-0290) uom-lib-javadoc-1.0.1-6.module+el8+5163+abb6ece5.noarch.rpmLinux
Uom-parent update (ELSA-2022-0290) uom-parent-1.0.3-3.module+el8+5163+abb6ece5.noarch.rpmLinux
Uom-se update (ELSA-2022-0290) uom-se-1.0.4-3.module+el8+5163+abb6ece5.noarch.rpmLinux
Uom-se-javadoc update (ELSA-2022-0290) uom-se-javadoc-1.0.4-3.module+el8+5163+abb6ece5.noarch.rpmLinux
Uom-systems update (ELSA-2022-0290) uom-systems-0.7-1.module+el8+5163+abb6ece5.noarch.rpmLinux
Uom-systems-javadoc update (ELSA-2022-0290) uom-systems-javadoc-0.7-1.module+el8+5163+abb6ece5.noarch.rpmLinux
(RHSA-2022:0442) log4j security update log4j-1.2.17-18.el7_4.noarch.rpmLinux
(RHSA-2022:0442) log4j security update log4j-javadoc-1.2.17-18.el7_4.noarch.rpmLinux
(RHSA-2022:0442) log4j security update log4j-manual-1.2.17-18.el7_4.noarch.rpmLinux
Log4j update (ELSA-2022-0442) log4j-1.2.17-18.el7_4.noarch.rpmLinux
Log4j-javadoc update (ELSA-2022-0442) log4j-javadoc-1.2.17-18.el7_4.noarch.rpmLinux
Log4j-manual update (ELSA-2022-0442) log4j-manual-1.2.17-18.el7_4.noarch.rpmLinux
Java-based open-source logging tool (USN-5998-1) liblog4j1.2-java_1.2.17-9ubuntu0.2_all.debLinux
Java-based open-source logging tool (USN-5998-1) liblog4j1.2-java_1.2.17-8+deb10u1ubuntu0.2_all.debLinux
(RHSA-2022:0290)Important: security update si-units-0.6.5-2.module+el8+2463+615f6896.noarch.rpmLinux
(RHSA-2022:0290)Important: security update unit-api-1.0-5.module+el8+2463+615f6896.noarch.rpmLinux
(RHSA-2022:0290)Important: security update uom-lib-1.0.1-6.module+el8+2463+615f6896.noarch.rpmLinux
(RHSA-2022:0290)Important: security update uom-se-1.0.4-3.module+el8+2463+615f6896.noarch.rpmLinux
(RHSA-2022:0290)Important: security update uom-systems-0.7-1.module+el8+2463+615f6896.noarch.rpmLinux
parfait:0.5 security update (RLSA-2022:0290) uom-se-1.0.4-3.module+el8.3.0+214+edf13b3f.noarch.rpmLinux
parfait:0.5 security update (RLSA-2022:0290) parfait-0.5.4-4.module+el8.5.0+728+553fbdb8.noarch.rpmLinux
parfait:0.5 security update (RLSA-2022:0290) uom-lib-1.0.1-6.module+el8.3.0+214+edf13b3f.noarch.rpmLinux
parfait:0.5 security update (RLSA-2022:0290) si-units-0.6.5-2.module+el8.3.0+214+edf13b3f.noarch.rpmLinux
parfait:0.5 security update (RLSA-2022:0290) unit-api-1.0-5.module+el8.3.0+214+edf13b3f.noarch.rpmLinux
parfait:0.5 security update (RLSA-2022:0290) uom-parent-1.0.3-3.module+el8.3.0+214+edf13b3f.noarch.rpmLinux
parfait:0.5 security update (RLSA-2022:0290) uom-systems-0.7-1.module+el8.3.0+214+edf13b3f.noarch.rpmLinux
parfait:0.5 security update (RLSA-2022:0290) uom-se-javadoc-1.0.4-3.module+el8.3.0+214+edf13b3f.noarch.rpmLinux
parfait:0.5 security update (RLSA-2022:0290) parfait-javadoc-0.5.4-4.module+el8.5.0+728+553fbdb8.noarch.rpmLinux
parfait:0.5 security update (RLSA-2022:0290) uom-lib-javadoc-1.0.1-6.module+el8.3.0+214+edf13b3f.noarch.rpmLinux
parfait:0.5 security update (RLSA-2022:0290) parfait-examples-0.5.4-4.module+el8.5.0+728+553fbdb8.noarch.rpmLinux
parfait:0.5 security update (RLSA-2022:0290) si-units-javadoc-0.6.5-2.module+el8.3.0+214+edf13b3f.noarch.rpmLinux
parfait:0.5 security update (RLSA-2022:0290) unit-api-javadoc-1.0-5.module+el8.3.0+214+edf13b3f.noarch.rpmLinux
parfait:0.5 security update (RLSA-2022:0290) pcp-parfait-agent-0.5.4-4.module+el8.5.0+728+553fbdb8.noarch.rpmLinux
parfait:0.5 security update (RLSA-2022:0290) uom-systems-javadoc-0.7-1.module+el8.3.0+214+edf13b3f.noarch.rpmLinux
log4j Security Update (ALAS-2022-1750) log4j-1.2.17-18.amzn2.noarch.rpmLinux
log4j Security Update (ALAS-2022-1750) log4j-manual-1.2.17-18.amzn2.noarch.rpmLinux
log4j Security Update (ALAS-2022-1750) log4j-javadoc-1.2.17-18.amzn2.noarch.rpmLinux
Important: parfait:0.5 security update unit-api-1.0-5.module_el8.5.0+2610+de2b8c0b.noarch.rpmLinux
Important: parfait:0.5 security update unit-api-javadoc-1.0-5.module_el8.5.0+2610+de2b8c0b.noarch.rpmLinux
Important: parfait:0.5 security update uom-lib-1.0.1-6.module_el8.5.0+2610+de2b8c0b.noarch.rpmLinux
Important: parfait:0.5 security update uom-lib-javadoc-1.0.1-6.module_el8.5.0+2610+de2b8c0b.noarch.rpmLinux
Important: parfait:0.5 security update uom-parent-1.0.3-3.module_el8.5.0+2610+de2b8c0b.noarch.rpmLinux
Important: parfait:0.5 security update uom-se-1.0.4-3.module_el8.5.0+2610+de2b8c0b.noarch.rpmLinux
Important: parfait:0.5 security update uom-se-javadoc-1.0.4-3.module_el8.5.0+2610+de2b8c0b.noarch.rpmLinux
Important: parfait:0.5 security update uom-systems-0.7-1.module_el8.5.0+2610+de2b8c0b.noarch.rpmLinux
Important: parfait:0.5 security update uom-systems-javadoc-0.7-1.module_el8.5.0+2610+de2b8c0b.noarch.rpmLinux
Important: parfait:0.5 security update si-units-0.6.5-2.module_el8.5.0+2610+de2b8c0b.noarch.rpmLinux
Important: parfait:0.5 security update si-units-javadoc-0.6.5-2.module_el8.5.0+2610+de2b8c0b.noarch.rpmLinux
Important: parfait:0.5 security update parfait-0.5.4-4.module_el8.5.0+2610+de2b8c0b.noarch.rpmLinux
Important: parfait:0.5 security update parfait-examples-0.5.4-4.module_el8.5.0+2610+de2b8c0b.noarch.rpmLinux
Important: parfait:0.5 security update parfait-javadoc-0.5.4-4.module_el8.5.0+2610+de2b8c0b.noarch.rpmLinux
Important: parfait:0.5 security update pcp-parfait-agent-0.5.4-4.module_el8.5.0+2610+de2b8c0b.noarch.rpmLinux
Vulnerabilities CVE-2022-23305,CVE-2022-23307,CVE-2022-23302 are affected in Apache-log4j for Linux 1.2.17Linux
Vulnerabilities CVE-2022-23305,CVE-2022-23307,CVE-2021-4104,CVE-2022-23302 are affected in Zenframework - log4j-1.2.17 for Linux 2.0Linux
Deserialization of Untrusted Data Vulnerability (CVE-2022-23302)NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234