Vulnerability CVE-2022-23302 - CERT Civis.Net

Vulnerability Name:

CVE-2022-23302 (CCN-217460)

Assigned:

2022-01-18

Published:

2022-01-18

Updated:

2022-07-25

Summary:

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CVSS v3 Severity:

8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

8.8 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

6.0 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2022-23302

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x

Source: XF
Type: UNKNOWN
apache-cve202223302-code-exec(217460)

Source: MISC
Type: Mailing List, Mitigation, Vendor Advisory
https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w

Source: CCN
Type: Apache Web site
Apache log4j 1.2

Source: MISC
Type: Vendor Advisory
https://logging.apache.org/log4j/1.2/index.html

Source: CCN
Type: oss-sec Mailing List, Tue, 18 Jan 2022 14:42:17 +0000
CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20220217-0006/

Source: CCN
Type: IBM Security Bulletin 6550822 (Db2 Web Query for i)
Due to use of Apache Log4j, IBM Db2 Web Query for i is vulnerable to arbitrary code execution (CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307) and SQL injection (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6551856 (Netezza Analytics for NPS)
Log4j vulnerabilities affect IBM Netezza Analytics for NPS

Source: CCN
Type: IBM Security Bulletin 6553874 (App Connect for Healthcare)
IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23302)

Source: CCN
Type: IBM Security Bulletin 6554466 (Netezza Analytics)
Log4j vulnerabilities affect IBM Netezza Analytics

Source: CCN
Type: IBM Security Bulletin 6557248 (WebSphere Application Server)
IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to arbitrary code execution and SQL injection due to Apache Log4j. (CVE-2022-23302, CVE-2022-23307, CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6557384 (Sterling Connect Direct Web Services)
IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23302)

Source: CCN
Type: IBM Security Bulletin 6563857 (Tivoli Netcool/OMNIbus)
Due to use of Apache Log4j, IBM Netcool/OMNIbus Probe DSL Factory Framework is vulnerable to arbitrary code execution (CVE-2022-23302, CVE-2022-23307) and SQL injection (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6565009 (Cloud Pak for Data System)
Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0

Source: CCN
Type: IBM Security Bulletin 6565383 (Cloudera Enterprise Data Hub)
Cloudera Data Platform Private Cloud Base with IBM products have log messages vulnerable to arbitrary code execution, denial of service, remote code execution, and SQL injection due to Apache Log4j vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6568675 (Spectrum Discover)
IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses

Source: CCN
Type: IBM Security Bulletin 6568731 (App Connect Enterprise)
IBM App Connect Enterprise & IBM Integration Bus are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307, CVE-2022-23302) and SQL injection due to Apache Log4j (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6569145 (Tivoli Netcool/Impact)
IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2022-23302)

Source: CCN
Type: IBM Security Bulletin 6570411 (Sterling Order Management)
Apache Log4j vulnerability

Source: CCN
Type: IBM Security Bulletin 6573955 (Integrated Analytics System)
Vulnerability in Apache Log4j affects IBM Integrated Analytics System.

Source: CCN
Type: IBM Security Bulletin 6584095 (Curam SPM)
Curam Social Program Management is vulnerable to arbitrary code execution and SQL injection issues due to Apache Log4j (CVE-2022-23302, CVE-2022-23305, CVE-2022-23307)

Source: CCN
Type: IBM Security Bulletin 6585004 (CCA for MTM 4767 for Linux x64)
Crypto Hardware Initialization and Maintenance is vulnerable to arbitrary code execution due to Apache Log4j (CVE 2021-4104, CVE 2022-23302, CVE 2022-23305, CVE 2022-23307)

Source: CCN
Type: IBM Security Bulletin 6590835 (Cloud Pak System)
Multiple vulnerabilities in Apache Log4j affect IBM Cloud Pak System

Source: CCN
Type: IBM Security Bulletin 6591309 (Cognos Controller)
IBM Cognos Controller is affected but not vulnerable to arbitrary code execution and SQL injection due to Apache Log4j v1 vulnerabilities (CVE-2022-23305, CVE-2022-23302, CVE-2021-4104)

Source: CCN
Type: IBM Security Bulletin 6591351 (Telco Network Cloud Manager)
IBM Telco Network Cloud Manager - Performance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832,CVE-2022-23302 and CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6600097 (OpenPages with Watson)
IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23302)

Source: CCN
Type: IBM Security Bulletin 6606293 (Cloud Pak for Multicloud Management)
IBM Cloud Pak for Multicloud Management Monitoring is potentially vulnerable to execution of arbitrary code due to its use of Apache Log4j (CVE-2022-23302)

Source: CCN
Type: IBM Security Bulletin 6606605 (Log Analysis)
Multiple vulnerabilities in log4j-1.2.16.jar used by IBM Operations Analytics - Log Analysis

Source: CCN
Type: IBM Security Bulletin 6610084 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including remote code execution in Apache Log4j 1.x

Source: CCN
Type: IBM Security Bulletin 6829357 (InfoSphere Information Server)
IBM InfoSphere Information Server may be affected by vulnerabilities in Apache log4j 1.x version

Source: CCN
Type: IBM Security Bulletin 6830271 (Operations Analytics Predictive Insights)
IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2022-23302)

Source: CCN
Type: IBM Security Bulletin 6830971 (Sterling Order Management)
IBM Sterling Order Management migration strategy to Apache Log4j vulnerability (see CVEs below)

Source: CCN
Type: IBM Security Bulletin 6848225 (Netcool Operations Insight)
Netcool Operations Insight v1.6.7 contains fixes for multiple security vulnerabilities.

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: N/A
Type: UNKNOWN
N/A

Vulnerable Configuration:

Configuration 1:

cpe:/a:apache:log4j:*:*:*:*:*:*:*:* (Version >= 1.0.1 and <= 1.2.17)

Configuration 2:

cpe:/a:netapp:snapmanager:-:*:*:*:*:oracle:*:*

OR cpe:/a:netapp:snapmanager:-:*:*:*:*:sap:*:*

Configuration 3:

cpe:/a:broadcom:brocade_sannav:-:*:*:*:*:*:*:*

Configuration 4:

cpe:/a:qos:reload4j:*:*:*:*:*:*:*:* (Version < 1.2.18.1)

Configuration 5:

cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*

OR cpe:/a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*

OR cpe:/a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*

OR cpe:/a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*

OR cpe:/a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*

OR cpe:/a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:* (Version < 11.2.8.0)

OR cpe:/a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* (Version <= 8.0.29)

OR cpe:/a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:* (Version < 11.2.8.0)

OR cpe:/a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:*:*:*:*:*:*:*:* (Version < 2.2.1.1.1)

OR cpe:/a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

Configuration RedHat 6:

cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 7:

cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration RedHat 8:

cpe:/o:redhat:rhel_els:6:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:apache:log4j:1.2:-:*:*:*:*:*:*

AND

cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*

OR cpe:/a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_system:2.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_system:2.3.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*

OR cpe:/a:ibm:cloud_pak_system:2.3.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_system:2.3.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_system:2.3.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_system:2.3.3.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_system:2.3.3.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:integration_bus:10.0.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:21.0.0.12:*:*:*:liberty:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:94751	P	log4j12-1.2.17-4.9.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95037	P	log4j12-javadoc-1.2.17-4.9.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:3121	P	log4j12-1.2.17-4.9.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:3407	P	log4j12-javadoc-1.2.17-4.9.1 on GA media (Moderate)	2022-06-22
oval:com.redhat.rhsa:def:20220442	P	RHSA-2022:0442: log4j security update (Important)	2022-02-07
oval:org.opensuse.security:def:94457	P	(Important)	2022-01-28
oval:org.opensuse.security:def:922	P	Security update for log4j12 (Important)	2022-01-28
oval:org.opensuse.security:def:93822	P	(Important)	2022-01-28
oval:org.opensuse.security:def:100743	P	(Important)	2022-01-28
oval:org.opensuse.security:def:1184	P	Security update for log4j12 (Important)	2022-01-28
oval:org.opensuse.security:def:94036	P	(Important)	2022-01-28
oval:org.opensuse.security:def:101614	P	Security update for log4j12 (Important)	2022-01-28
oval:org.opensuse.security:def:100071	P	(Important)	2022-01-28
oval:org.opensuse.security:def:94248	P	(Important)	2022-01-28
oval:org.opensuse.security:def:101845	P	Security update for log4j12 (Important)	2022-01-28
oval:org.opensuse.security:def:100409	P	(Important)	2022-01-28
oval:com.redhat.rhsa:def:20220290	P	RHSA-2022:0290: parfait:0.5 security update (Important)	2022-01-26