CVE-2022-23302

CVSS v3.1: 8.8 (High)
CVSS v2.0: 6 (Medium)
EPSS: 0.54% (78th percentile)
Affected Products: 26
Advisories: 20

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Weaknesses: CWE-502 (Deserialization of Untrusted Data)
Related CVEs: -
CVE Status: PUBLISHED
CNA: Apache Software Foundation
Published Date: 2022-01-18 16:15:08
Updated Date: 2023-02-24 15:30:46

Affected Products


Configuration #1

Product | CPE 2.3 | From | Up To
Apache Log4j (from 1.0.1 through 1.2.17) | cpe:2.3:a:apache:log4j | >= 1.0.1 | <= 1.2.17

Configuration #2

Product | CPE 2.3 | From | Up To
Netapp Snapmanager for Oracle | cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle | - | -
Netapp Snapmanager for Sap | cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap | - | -

Configuration #3

Product | CPE 2.3 | From | Up To
Broadcom Brocade Sannav | cpe:2.3:a:broadcom:brocade_sannav:- | - | -

Configuration #4

Product | CPE 2.3 | From | Up To
Qos Reload4j (prior to 1.2.18.1) | cpe:2.3:a:qos:reload4j | - | < 1.2.18.1

Configuration #5

Product | CPE 2.3 | From | Up To
Oracle Advanced Supply Chain Planning 12.1 | cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1 | - | -
Oracle Advanced Supply Chain Planning 12.2 | cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2 | - | -
Oracle Business Intelligence 5.9.0.0.0 | cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise | - | -
Oracle Business Intelligence 12.2.1.3.0 | cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise | - | -
Oracle Business Intelligence 12.2.1.4.0 | cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise | - | -
Oracle Business Process Management Suite 12.2.1.3.0 | cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0 | - | -
Oracle Business Process Management Suite 12.2.1.4.0 | cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0 | - | -
Oracle Communications Eagle Ftp Table Base Retrieval 4.5 | cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5 | - | -
Oracle Communications Instant Messaging Server 10.0.1.5.0 | cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0 | - | -
Oracle Communications Messaging Server 8.1 | cpe:2.3:a:oracle:communications_messaging_server:8.1 | - | -
Oracle Communications Network Integrity 7.3.6 | cpe:2.3:a:oracle:communications_network_integrity:7.3.6 | - | -
Oracle Communications Offline Mediation Controller (prior to 12.0.0.4.4) | cpe:2.3:a:oracle:communications_offline_mediation_controller | - | < 12.0.0.4.4
Oracle Communications Offline Mediation Controller 12.0.0.5.0 | cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0 | - | -
Oracle Communications Unified Inventory Management 7.4.1 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1 | - | -
Oracle Communications Unified Inventory Management 7.4.2 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2 | - | -
Oracle E-business Suite Cloud Manager And Cloud Backup Module (prior to 2.2.1.1.1) | cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module | - | < 2.2.1.1.1
Oracle E-business Suite Cloud Manager And Cloud Backup Module 2.2.1.1.1 | cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1 | - | -
Oracle Enterprise Manager Base Platform 13.4.0.0 | cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0 | - | -
Oracle Enterprise Manager Base Platform 13.5.0.0 | cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0 | - | -
Oracle Financial Services Revenue Management And Billing Analytics 2.7.0.0 | cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0 | - | -
Oracle Financial Services Revenue Management And Billing Analytics 2.7.0.1 | cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1 | - | -
Oracle Financial Services Revenue Management And Billing Analytics 2.8.0.0 | cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0 | - | -
Oracle Healthcare Foundation 8.1.0 | cpe:2.3:a:oracle:healthcare_foundation:8.1.0 | - | -
Oracle Hyperion Data Relationship Management (prior to 11.2.8.0) | cpe:2.3:a:oracle:hyperion_data_relationship_management | - | < 11.2.8.0
Oracle Hyperion Infrastructure Technology (prior to 11.2.8.0) | cpe:2.3:a:oracle:hyperion_infrastructure_technology | - | < 11.2.8.0
Oracle Identity Management Suite 12.2.1.3.0 | cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0 | - | -
Oracle Identity Management Suite 12.2.1.4.0 | cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0 | - | -
Oracle Identity Manager Connector 11.1.1.5.0 | cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0 | - | -
Oracle Jdeveloper 12.2.1.3.0 | cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0 | - | -
Oracle Middleware Common Libraries And Tools 12.2.1.4.0 | cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0 | - | -
Oracle Mysql Enterprise Monitor (8.0.29 and prior) | cpe:2.3:a:oracle:mysql_enterprise_monitor | - | <= 8.0.29
Oracle Tuxedo 12.2.2.0.0 | cpe:2.3:a:oracle:tuxedo:12.2.2.0.0 | - | -
Oracle Weblogic Server 12.2.1.3.0 | cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0 | - | -
Oracle Weblogic Server 12.2.1.4.0 | cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0 | - | -
Oracle Weblogic Server 14.1.1.0.0 | cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0 | - | -