#VU59691 SQL injection in Apache Log4j


Published: 2022-01-18

Vulnerability identifier: #VU59691

Vulnerability risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23305

CWE-ID: CWE-89

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Log4j
Universal components / Libraries / Libraries used by multiple products

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the JDBCAppender. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Note, a non-default configuration with enabled JDBCAppender is required to exploit the vulnerability.

Mitigation
The vulnerability is resolved in Apache Log4j 2.x branch.

Vulnerable software versions

Apache Log4j: 1.2.1 - 1.2.17

External links
http://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y
http://logging.apache.org/log4j/1.2/index.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Sterling Order Management
Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management
Gentoo update for Apache Log4j
Multiple vulnerabilities in Juniper Networks Security Director Insights
Multiple vulnerabilities in IBM QRadar SIEM
Multiple vulnerabilities in Netcool Operations Insight
Multiple vulnerabilities in IBM Security Access Manager for Enterprise Single Sign-On
Multiple vulnerabilities in Dell RecoverPoint Classic
Multiple vulnerabilities in Oracle Utilities Application Framework
Amazon Linux AMI update for log4j