CVE-2022-23302

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Published: Jan 18, 2022
Updated: May 9, 2024
CVE: CVE-2022-23302
GHSA: GHSA-w9p3-5cr8-m3jj
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6
AV:N/AC:M/Au:S/C:P/I:P/A:P

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
apache / log4j	1.0.1	1.2.17.x
qos / reload4j	-	1.2.18.1
oracle / weblogic_server	12.2.1.3.0	12.2.1.3.0.x
oracle / business_intelligence	12.2.1.3.0	12.2.1.3.0.x
oracle / business_process_management_suite	12.2.1.3.0	12.2.1.3.0.x
oracle / jdeveloper	12.2.1.3.0	12.2.1.3.0.x
oracle / identity_management_suite	12.2.1.3.0	12.2.1.3.0.x
oracle / business_intelligence	12.2.1.4.0	12.2.1.4.0.x
oracle / weblogic_server	12.2.1.4.0	12.2.1.4.0.x
oracle / weblogic_server	14.1.1.0.0	14.1.1.0.0.x
oracle / enterprise_manager_base_platform	13.4.0.0	13.4.0.0.x
oracle / communications_network_integrity	7.3.6	7.3.6.x
oracle / business_process_management_suite	12.2.1.4.0	12.2.1.4.0.x
oracle / advanced_supply_chain_planning	12.2	12.2.x
oracle / advanced_supply_chain_planning	12.1	12.1.x
oracle / communications_unified_inventory_management	7.4.1	7.4.1.x
oracle / enterprise_manager_base_platform	13.5.0.0	13.5.0.0.x
oracle / communications_messaging_server	8.1	8.1.x
oracle / business_intelligence	5.9.0.0.0	5.9.0.0.0.x
oracle / healthcare_foundation	8.1.0	8.1.0.x
oracle / communications_eagle_ftp_table_base_retrieval	4.5	4.5.x
oracle / identity_manager_connector	11.1.1.5.0	11.1.1.5.0.x
oracle / communications_unified_inventory_management	7.4.2	7.4.2.x
oracle / communications_instant_messaging_server	10.0.1.5.0	10.0.1.5.0.x
oracle / middleware_common_libraries_and_tools	12.2.1.4.0	12.2.1.4.0.x
oracle / identity_management_suite	12.2.1.4.0	12.2.1.4.0.x
oracle / financial_services_revenue_management_and_billing_analytics	2.7.0.0	2.7.0.0.x
oracle / hyperion_data_relationship_management	-	11.2.8.0
oracle / financial_services_revenue_management_and_billing_analytics	2.8.0.0	2.8.0.0.x
oracle / mysql_enterprise_monitor	-	8.0.29.x
oracle / hyperion_infrastructure_technology	-	11.2.8.0
oracle / tuxedo	12.2.2.0.0	12.2.2.0.0.x
oracle / e-business_suite_cloud_manager_and_cloud_backup_module	-	2.2.1.1.1
oracle / e-business_suite_cloud_manager_and_cloud_backup_module	2.2.1.1.1	2.2.1.1.1.x
oracle / financial_services_revenue_management_and_billing_analytics	2.7.0.1	2.7.0.1.x
oracle / communications_offline_mediation_controller	12.0.0.5.0	12.0.0.5.0.x
oracle / communications_offline_mediation_controller	-	12.0.0.4.4
log4j / log4j	-	1.2.17.x

Vulnerability Database

289,599

CVE-2022-23302