Vulnerability Name:

CVE-2022-23302 (CCN-217460)

Assigned:2022-01-18
Published:2022-01-18
Updated:2023-02-24
Summary:JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CVSS v3 Severity:8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
8.8 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:6.0 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-502
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2022-23302

Source: security@apache.org
Type: Mailing List, Third Party Advisory
security@apache.org

Source: XF
Type: UNKNOWN
apache-cve202223302-code-exec(217460)

Source: security@apache.org
Type: Mailing List, Mitigation, Vendor Advisory
security@apache.org

Source: CCN
Type: Apache Web site
Apache log4j 1.2

Source: security@apache.org
Type: Vendor Advisory
security@apache.org

Source: CCN
Type: oss-sec Mailing List, Tue, 18 Jan 2022 14:42:17 +0000
CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x

Source: security@apache.org
Type: Third Party Advisory
security@apache.org

Source: CCN
Type: IBM Security Bulletin 6550822 (Db2 Web Query for i)
Due to use of Apache Log4j, IBM Db2 Web Query for i is vulnerable to arbitrary code execution (CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307) and SQL injection (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6551856 (Netezza Analytics for NPS)
Log4j vulnerabilities affect IBM Netezza Analytics for NPS

Source: CCN
Type: IBM Security Bulletin 6553874 (App Connect for Healthcare)
IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23302)

Source: CCN
Type: IBM Security Bulletin 6554466 (Netezza Analytics)
Log4j vulnerabilities affect IBM Netezza Analytics

Source: CCN
Type: IBM Security Bulletin 6557248 (WebSphere Application Server)
IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to arbitrary code execution and SQL injection due to Apache Log4j. (CVE-2022-23302, CVE-2022-23307, CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6557384 (Sterling Connect Direct Web Services)
IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23302)

Source: CCN
Type: IBM Security Bulletin 6563857 (Tivoli Netcool/OMNIbus)
Due to use of Apache Log4j, IBM Netcool/OMNIbus Probe DSL Factory Framework is vulnerable to arbitrary code execution (CVE-2022-23302, CVE-2022-23307) and SQL injection (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6565009 (Cloud Pak for Data System)
Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0

Source: CCN
Type: IBM Security Bulletin 6565383 (Cloudera Enterprise Data Hub)
Cloudera Data Platform Private Cloud Base with IBM products have log messages vulnerable to arbitrary code execution, denial of service, remote code execution, and SQL injection due to Apache Log4j vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6568675 (Spectrum Discover)
IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses

Source: CCN
Type: IBM Security Bulletin 6568731 (App Connect Enterprise)
IBM App Connect Enterprise & IBM Integration Bus are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307, CVE-2022-23302) and SQL injection due to Apache Log4j (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6569145 (Tivoli Netcool/Impact)
IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2022-23302)

Source: CCN
Type: IBM Security Bulletin 6570411 (Sterling Order Management)
Apache Log4j vulnerability

Source: CCN
Type: IBM Security Bulletin 6573955 (Integrated Analytics System)
Vulnerability in Apache Log4j affects IBM Integrated Analytics System.

Source: CCN
Type: IBM Security Bulletin 6584095 (Curam SPM)
Curam Social Program Management is vulnerable to arbitrary code execution and SQL injection issues due to Apache Log4j (CVE-2022-23302, CVE-2022-23305, CVE-2022-23307)

Source: CCN
Type: IBM Security Bulletin 6585004 (CCA for MTM 4767 for Linux x64)
Crypto Hardware Initialization and Maintenance is vulnerable to arbitrary code execution due to Apache Log4j (CVE 2021-4104, CVE 2022-23302, CVE 2022-23305, CVE 2022-23307)

Source: CCN
Type: IBM Security Bulletin 6590835 (Cloud Pak System)
Multiple vulnerabilities in Apache Log4j affect IBM Cloud Pak System

Source: CCN
Type: IBM Security Bulletin 6591309 (Cognos Controller)
IBM Cognos Controller is affected but not vulnerable to arbitrary code execution and SQL injection due to Apache Log4j v1 vulnerabilities (CVE-2022-23305, CVE-2022-23302, CVE-2021-4104)

Source: CCN
Type: IBM Security Bulletin 6591351 (Telco Network Cloud Manager)
IBM Telco Network Cloud Manager - Performance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832,CVE-2022-23302 and CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6600097 (OpenPages with Watson)
IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23302)

Source: CCN
Type: IBM Security Bulletin 6606293 (Cloud Pak for Multicloud Management)
IBM Cloud Pak for Multicloud Management Monitoring is potentially vulnerable to execution of arbitrary code due to its use of Apache Log4j (CVE-2022-23302)

Source: CCN
Type: IBM Security Bulletin 6606605 (Log Analysis)
Multiple vulnerabilities in log4j-1.2.16.jar used by IBM Operations Analytics - Log Analysis

Source: CCN
Type: IBM Security Bulletin 6610084 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including remote code execution in Apache Log4j 1.x

Source: CCN
Type: IBM Security Bulletin 6829357 (InfoSphere Information Server)
IBM InfoSphere Information Server may be affected by vulnerabilities in Apache log4j 1.x version

Source: CCN
Type: IBM Security Bulletin 6830271 (Operations Analytics Predictive Insights)
IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2022-23302)

Source: CCN
Type: IBM Security Bulletin 6830971 (Sterling Order Management)
IBM Sterling Order Management migration strategy to Apache Log4j vulnerability (see CVEs below)

Source: CCN
Type: IBM Security Bulletin 6848225 (Netcool Operations Insight)
Netcool Operations Insight v1.6.7 contains fixes for multiple security vulnerabilities.

Source: security@apache.org
Type: Patch, Third Party Advisory
security@apache.org

Source: security@apache.org
Type: Patch, Third Party Advisory
security@apache.org

Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*
    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*
    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*
    • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*
    • Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*
    • Configuration RedHat 8:
  • cpe:/o:redhat:rhel_els:6:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:apache:log4j:1.2:-:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:21.0.0.12:*:*:*:liberty:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8038
    P
    		log4j12-javadoc-1.2.17-4.9.1 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:7714
    P
    		log4j12-1.2.17-4.9.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:3121
    P
    		krb5-appl-clients-1.0.3-1.2 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:3407
    P
    		xorg-x11-libs-7.6-45.14 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:94751
    P
    		log4j12-1.2.17-4.9.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:95037
    P
    		log4j12-javadoc-1.2.17-4.9.1 on GA media (Moderate)
    2022-06-22
    oval:com.redhat.rhsa:def:20220442
    P
    		RHSA-2022:0442: log4j security update (Important)
    2022-02-07
    oval:org.opensuse.security:def:119100
    P
    		Security update for log4j12 (Important)
    2022-01-28
    oval:org.opensuse.security:def:94457
    P
    		 (Important)
    2022-01-28
    oval:org.opensuse.security:def:922
    P
    		Security update for log4j12 (Important)
    2022-01-28
    oval:org.opensuse.security:def:93822
    P
    		 (Important)
    2022-01-28
    oval:org.opensuse.security:def:100743
    P
    		 (Important)
    2022-01-28
    oval:org.opensuse.security:def:119240
    P
    		Security update for log4j12 (Important)
    2022-01-28
    oval:org.opensuse.security:def:1184
    P
    		Security update for log4j12 (Important)
    2022-01-28
    oval:org.opensuse.security:def:118745
    P
    		Security update for log4j12 (Important)
    2022-01-28
    oval:org.opensuse.security:def:94036
    P
    		 (Important)
    2022-01-28
    oval:org.opensuse.security:def:101614
    P
    		Security update for log4j12 (Important)
    2022-01-28
    oval:org.opensuse.security:def:119430
    P
    		Security update for log4j12 (Important)
    2022-01-28
    oval:org.opensuse.security:def:100071
    P
    		 (Important)
    2022-01-28
    oval:org.opensuse.security:def:118935
    P
    		Security update for log4j12 (Important)
    2022-01-28
    oval:org.opensuse.security:def:94248
    P
    		 (Important)
    2022-01-28
    oval:org.opensuse.security:def:101845
    P
    		Security update for log4j12 (Important)
    2022-01-28
    oval:org.opensuse.security:def:119615
    P
    		Security update for log4j12 (Important)
    2022-01-28
    oval:org.opensuse.security:def:100409
    P
    		 (Important)
    2022-01-28
    oval:org.opensuse.security:def:125736
    P
    		Security update for log4j (Important)
    2022-01-27
    oval:org.opensuse.security:def:6076
    P
    		Security update for log4j (Important)
    2022-01-27
    oval:org.opensuse.security:def:126902
    P
    		Security update for log4j (Important)
    2022-01-27
    oval:org.opensuse.security:def:127299
    P
    		Security update for log4j (Important)
    2022-01-27
    oval:org.opensuse.security:def:5278
    P
    		Security update for log4j (Important)
    2022-01-27
    oval:com.redhat.rhsa:def:20220290
    P
    		RHSA-2022:0290: parfait:0.5 security update (Important)
    2022-01-26
    BACK
    apache log4j 1.2 -
    ibm websphere application server 7.0
    ibm websphere application server 8.0
    ibm websphere application server 8.5
    ibm tivoli netcool/impact 7.1.0
    ibm tivoli netcool/omnibus 8.1.0
    ibm websphere application server 9.0
    ibm operations analytics predictive insights 1.3.3
    ibm operations analytics predictive insights 1.3.5
    ibm operations analytics predictive insights 1.3.6
    ibm infosphere information server 11.7
    ibm app connect 11.0.0.0
    ibm cognos controller 10.4.0
    ibm cognos controller 10.4.1
    ibm cloud pak system 2.3
    ibm cloud pak system 2.3.0.1
    ibm websphere application server 17.0.0.3
    ibm cloud pak system 2.3.1.1
    ibm cloud pak system 2.3.2.0
    ibm cognos controller 10.4.2
    ibm cloud pak system 2.3.3.1
    ibm cloud pak system 2.3.3.2
    ibm cloud pak system 2.3.3.3
    ibm integration bus 10.0.0.6
    ibm websphere application server 21.0.0.12