CVE-2022-23302 vulnerability in Apache and Other Products
Published on January 18, 2022
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Vulnerability Analysis
CVE-2022-23302 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2022-23302 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2022-23302
You can be notified by stack.watch whenever vulnerabilities like CVE-2022-23302 are published in these products:
What versions are vulnerable to CVE-2022-23302?
-
Apache Log4j
Version 1.0.1
through 1.2.17
-
NetApp Snapmanager
Version -
oracle
-
NetApp Snapmanager
Version -
sap
-
Broadcom Brocade Sannav
Version -
-
Qos Reload4j
Fixed in Version 1.2.18.1
-
Oracle Weblogic Server
Version 12.2.1.3.0
-
Oracle Business Intelligence
Version 12.2.1.3.0
-
Oracle Business Process Management Suite
Version 12.2.1.3.0
-
Oracle Jdeveloper
Version 12.2.1.3.0
-
Oracle Identity Management Suite
Version 12.2.1.3.0
-
Oracle Business Intelligence
Version 12.2.1.4.0
-
Oracle Weblogic Server
Version 12.2.1.4.0
-
Oracle Weblogic Server
Version 14.1.1.0.0
-
Oracle Enterprise Manager Base Platform
Version 13.4.0.0
-
Oracle Communications Network Integrity
Version 7.3.6
-
Oracle Business Process Management Suite
Version 12.2.1.4.0
-
Oracle Advanced Supply Chain Planning
Version 12.2
-
Oracle Advanced Supply Chain Planning
Version 12.1
-
Oracle Communications Unified Inventory Management
Version 7.4.1
-
Oracle Enterprise Manager Base Platform
Version 13.5.0.0
-
Oracle Communications Messaging Server
Version 8.1
-
Oracle Business Intelligence
Version 5.9.0.0.0
-
Oracle Healthcare Foundation
Version 8.1.0
-
Oracle Communications Eagle Ftp Table Base Retrieval
Version 4.5
-
Oracle Identity Manager Connector
Version 11.1.1.5.0
-
Oracle Communications Unified Inventory Management
Version 7.4.2
-
Oracle Communications Instant Messaging Server
Version 10.0.1.5.0
-
Oracle Middleware Common Libraries Tools
Version 12.2.1.4.0
-
Oracle Identity Management Suite
Version 12.2.1.4.0
-
Oracle Financial Services Revenue Management Billing Analytics
Version 2.7.0.0
-
Oracle Hyperion Data Relationship Management
Fixed in Version 11.2.8.0
-
Oracle Financial Services Revenue Management Billing Analytics
Version 2.8.0.0
-
Oracle Mysql Enterprise Monitor
Up to Version 8.0.29
-
Oracle Hyperion Infrastructure Technology
Fixed in Version 11.2.8.0
-
Oracle Tuxedo
Version 12.2.2.0.0
-
Oracle E Business Suite Cloud Manager Cloud Backup Module
Fixed in Version 2.2.1.1.1
-
Oracle E Business Suite Cloud Manager Cloud Backup Module
Version 2.2.1.1.1
-
Oracle Financial Services Revenue Management Billing Analytics
Version 2.7.0.1
-
Oracle Communications Offline Mediation Controller
Version 12.0.0.5.0
-
Oracle Communications Offline Mediation Controller
Fixed in Version 12.0.0.4.4