csaf_redhat - rhsa-2022

rhsa-2022_0448

Vulnerability from csaf_redhat

Published

2022-02-07 13:54

Modified

2024-09-16 07:09

Summary

Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update on RHEL 8

Notes

Topic

New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.5.1 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * undertow: client side invocation timeout raised when calling over HTTP and HTTP2 (CVE-2021-3859) * log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302) * log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305) * log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307) * log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* undertow: client side invocation timeout raised when calling over HTTP and\nHTTP2 (CVE-2021-3859)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use\nJDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:0448",
        "url": "https://access.redhat.com/errata/RHSA-2022:0448"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/"
      },
      {
        "category": "external",
        "summary": "2010378",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378"
      },
      {
        "category": "external",
        "summary": "2031667",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667"
      },
      {
        "category": "external",
        "summary": "2041949",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949"
      },
      {
        "category": "external",
        "summary": "2041959",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959"
      },
      {
        "category": "external",
        "summary": "2041967",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967"
      },
      {
        "category": "external",
        "summary": "CIAM-1976",
        "url": "https://issues.redhat.com/browse/CIAM-1976"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2022/rhsa-2022_0448.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update on RHEL 8",
    "tracking": {
      "current_release_date": "2024-09-16T07:09:21+00:00",
      "generator": {
        "date": "2024-09-16T07:09:21+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2022:0448",
      "initial_release_date": "2022-02-07T13:54:48+00:00",
      "revision_history": [
        {
          "date": "2022-02-07T13:54:48+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-02-07T13:54:48+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-16T07:09:21+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Single Sign-On 7.5 for RHEL 8",
                "product": {
                  "name": "Red Hat Single Sign-On 7.5 for RHEL 8",
                  "product_id": "8Base-RHSSO-7.5",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Single Sign-On"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
                "product": {
                  "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
                  "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el8sso?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
                "product": {
                  "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
                  "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el8sso?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
                "product": {
                  "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
                  "product_id": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@15.0.4-1.redhat_00003.1.el8sso?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 8",
          "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
        },
        "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
        "relates_to_product_reference": "8Base-RHSSO-7.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src as a component of Red Hat Single Sign-On 7.5 for RHEL 8",
          "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src"
        },
        "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
        "relates_to_product_reference": "8Base-RHSSO-7.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 8",
          "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
        },
        "product_reference": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
        "relates_to_product_reference": "8Base-RHSSO-7.5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-3859",
      "cwe": {
        "id": "CWE-214",
        "name": "Invocation of Process Using Visible Sensitive Information"
      },
      "discovery_date": "2021-09-05T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2010378"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undertow: client side invocation timeout raised when calling over HTTP2",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
          "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
          "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-3859"
        },
        {
          "category": "external",
          "summary": "RHBZ#2010378",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3859",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-3859"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859"
        }
      ],
      "release_date": "2022-02-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:0448"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "undertow: client side invocation timeout raised when calling over HTTP2"
    },
    {
      "cve": "CVE-2021-4104",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2021-12-13T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2031667"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
          "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
          "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
        },
        {
          "category": "external",
          "summary": "RHBZ#2031667",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104"
        },
        {
          "category": "external",
          "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126",
          "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"
        },
        {
          "category": "external",
          "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301",
          "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx",
          "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx"
        },
        {
          "category": "external",
          "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1",
          "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1"
        }
      ],
      "release_date": "2021-12-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:0448"
        },
        {
          "category": "workaround",
          "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.",
          "product_ids": [
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender"
    },
    {
      "cve": "CVE-2022-23302",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2022-01-18T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2041949"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
          "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
          "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-23302"
        },
        {
          "category": "external",
          "summary": "RHBZ#2041949",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302"
        },
        {
          "category": "external",
          "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3",
          "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3"
        }
      ],
      "release_date": "2022-01-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:0448"
        },
        {
          "category": "workaround",
          "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.",
          "product_ids": [
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink"
    },
    {
      "cve": "CVE-2022-23305",
      "cwe": {
        "id": "CWE-89",
        "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
      },
      "discovery_date": "2022-01-18T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2041959"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
          "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
          "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-23305"
        },
        {
          "category": "external",
          "summary": "RHBZ#2041959",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305"
        },
        {
          "category": "external",
          "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4",
          "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4"
        }
      ],
      "release_date": "2022-01-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:0448"
        },
        {
          "category": "workaround",
          "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```",
          "product_ids": [
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender"
    },
    {
      "cve": "CVE-2022-23307",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2022-01-18T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2041967"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
          "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
          "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-23307"
        },
        {
          "category": "external",
          "summary": "RHBZ#2041967",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307"
        },
        {
          "category": "external",
          "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5",
          "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5"
        }
      ],
      "release_date": "2022-01-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:0448"
        },
        {
          "category": "workaround",
          "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)",
          "product_ids": [
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src",
            "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer"
    }
  ]
}

cve-2021-3859

Vulnerability from cvelistv5

Published

2022-08-26 00:00

Modified

2024-08-03 17:09

Severity

Summary

A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.

References

URL	Tags
https://bugzilla.redhat.com/show_bug.cgi?id=2010378
https://issues.redhat.com/browse/UNDERTOW-1979
https://github.com/undertow-io/undertow/pull/1296
https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2
https://access.redhat.com/security/cve/CVE-2021-3859
https://security.netapp.com/advisory/ntap-20221201-0004/

Impacted products

Vendor	Product
n/a	undertow

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:09:09.581Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.redhat.com/browse/UNDERTOW-1979"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/undertow-io/undertow/pull/1296"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2021-3859"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221201-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undertow",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in 2.2.15.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-214",
              "description": "CWE-214 - Invocation of Process Using Visible Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-02T00:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378"
        },
        {
          "url": "https://issues.redhat.com/browse/UNDERTOW-1979"
        },
        {
          "url": "https://github.com/undertow-io/undertow/pull/1296"
        },
        {
          "url": "https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2021-3859"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221201-0004/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-3859",
    "datePublished": "2022-08-26T00:00:00",
    "dateReserved": "2021-10-05T00:00:00",
    "dateUpdated": "2024-08-03T17:09:09.581Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-23305

Vulnerability from cvelistv5

Published

2022-01-18 15:25

Modified

2024-08-03 03:36

Severity

Summary

SQL injection in JDBC Appender in Apache Log4j V1

References

URL	Tags
https://logging.apache.org/log4j/1.2/index.html	x_refsource_MISC
https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/01/18/4	mailing-list, x_refsource_MLIST
https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
https://security.netapp.com/advisory/ntap-20220217-0007/	x_refsource_CONFIRM
https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

Vendor	Product
Apache Software Foundation	Apache Log4j 1.x

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:36:20.421Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://logging.apache.org/log4j/1.2/index.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y"
          },
          {
            "name": "[oss-security] 20220118 CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/01/18/4"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220217-0007/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Log4j 1.x ",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "1.2.1",
              "versionType": "custom"
            },
            {
              "lessThan": "2.0-alpha1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Daniel Martin of NCC Group"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "high"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:49:18",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://logging.apache.org/log4j/1.2/index.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y"
        },
        {
          "name": "[oss-security] 20220118 CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/01/18/4"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220217-0007/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "SQL injection in JDBC Appender in Apache Log4j V1",
      "workarounds": [
        {
          "lang": "en",
          "value": "Users should upgrade to Log4j 2 or remove usage of the JDBCAppender from their configurations."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-23305",
          "STATE": "PUBLIC",
          "TITLE": "SQL injection in JDBC Appender in Apache Log4j V1"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Log4j 1.x ",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "1.2.1"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.0-alpha1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Daniel Martin of NCC Group"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "high"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://logging.apache.org/log4j/1.2/index.html",
              "refsource": "MISC",
              "url": "https://logging.apache.org/log4j/1.2/index.html"
            },
            {
              "name": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y"
            },
            {
              "name": "[oss-security] 20220118 CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/01/18/4"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220217-0007/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220217-0007/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Users should upgrade to Log4j 2 or remove usage of the JDBCAppender from their configurations."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-23305",
    "datePublished": "2022-01-18T15:25:22",
    "dateReserved": "2022-01-17T00:00:00",
    "dateUpdated": "2024-08-03T03:36:20.421Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-23307

Vulnerability from cvelistv5

Published

2022-01-18 15:25

Modified

2024-08-03 03:36

Severity

Summary

A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.

References

URL	Tags
https://logging.apache.org/log4j/1.2/index.html	x_refsource_MISC
https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh	x_refsource_MISC
https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

Vendor	Product
Apache Software Foundation	Apache Log4j 1.x

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:36:20.396Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://logging.apache.org/log4j/1.2/index.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Log4j 1.x",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "1.2.1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.0-alpha1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "@kingkk"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "Critical"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:49:30",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://logging.apache.org/log4j/1.2/index.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": " A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.",
      "workarounds": [
        {
          "lang": "en",
          "value": "Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-23307",
          "STATE": "PUBLIC",
          "TITLE": " A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution."
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Log4j 1.x",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "1.2.1"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.0-alpha1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "@kingkk"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "Critical"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-502 Deserialization of Untrusted Data"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://logging.apache.org/log4j/1.2/index.html",
              "refsource": "MISC",
              "url": "https://logging.apache.org/log4j/1.2/index.html"
            },
            {
              "name": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-23307",
    "datePublished": "2022-01-18T15:25:23",
    "dateReserved": "2022-01-17T00:00:00",
    "dateUpdated": "2024-08-03T03:36:20.396Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-23302

Vulnerability from cvelistv5

Published

2022-01-18 15:25

Modified

2024-08-03 03:36

Severity

Summary

Deserialization of untrusted data in JMSSink in Apache Log4j 1.x

References

URL	Tags
https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w	x_refsource_MISC
https://logging.apache.org/log4j/1.2/index.html	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/01/18/3	mailing-list, x_refsource_MLIST
https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
https://security.netapp.com/advisory/ntap-20220217-0006/	x_refsource_CONFIRM
https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

Vendor	Product
Apache Software Foundation	Apache Log4j 1.x

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:36:20.336Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://logging.apache.org/log4j/1.2/index.html"
          },
          {
            "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220217-0006/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Log4j 1.x",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "1.0.1",
              "versionType": "custom"
            },
            {
              "lessThan": "2.0-alpha1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Eduardo\u0027 Vela, Maksim Shudrak and Jacob Butler from Google."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "high"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:49:03",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://logging.apache.org/log4j/1.2/index.html"
        },
        {
          "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220217-0006/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
      "workarounds": [
        {
          "lang": "en",
          "value": "Users should upgrade to Log4j 2 or remove usage of the JMSSink from their configurations."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-23302",
          "STATE": "PUBLIC",
          "TITLE": "Deserialization of untrusted data in JMSSink in Apache Log4j 1.x"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Log4j 1.x",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "1.0.1"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.0-alpha1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Eduardo\u0027 Vela, Maksim Shudrak and Jacob Butler from Google."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "high"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-502 Deserialization of Untrusted Data"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w"
            },
            {
              "name": "https://logging.apache.org/log4j/1.2/index.html",
              "refsource": "MISC",
              "url": "https://logging.apache.org/log4j/1.2/index.html"
            },
            {
              "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220217-0006/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220217-0006/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Users should upgrade to Log4j 2 or remove usage of the JMSSink from their configurations."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-23302",
    "datePublished": "2022-01-18T15:25:20",
    "dateReserved": "2022-01-16T00:00:00",
    "dateUpdated": "2024-08-03T03:36:20.336Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-4104

Vulnerability from cvelistv5

Published

2021-12-14 00:00

Modified

2024-08-03 17:16

Severity

Summary

Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

References

URL	Tags
https://www.cve.org/CVERecord?id=CVE-2021-44228
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
https://access.redhat.com/security/cve/CVE-2021-4104
https://www.kb.cert.org/vuls/id/930724	third-party-advisory
http://www.openwall.com/lists/oss-security/2022/01/18/3	mailing-list
https://www.oracle.com/security-alerts/cpujan2022.html
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033
https://security.netapp.com/advisory/ntap-20211223-0007/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://security.gentoo.org/glsa/202209-02	vendor-advisory
https://security.gentoo.org/glsa/202310-16	vendor-advisory
https://security.gentoo.org/glsa/202312-02	vendor-advisory
https://security.gentoo.org/glsa/202312-04	vendor-advisory

Impacted products

Vendor	Product
Apache Software Foundation	Apache Log4j 1.x

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:16:04.172Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
          },
          {
            "name": "VU#930724",
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/930724"
          },
          {
            "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20211223-0007/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "name": "GLSA-202209-02",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202209-02"
          },
          {
            "name": "GLSA-202310-16",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202310-16"
          },
          {
            "name": "GLSA-202312-02",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202312-02"
          },
          {
            "name": "GLSA-202312-04",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202312-04"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Log4j 1.x",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Log4j 1.2 1.2.x"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-22T09:06:15.357899",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
        },
        {
          "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
        },
        {
          "name": "VU#930724",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.kb.cert.org/vuls/id/930724"
        },
        {
          "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20211223-0007/"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "name": "GLSA-202209-02",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202209-02"
        },
        {
          "name": "GLSA-202310-16",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202310-16"
        },
        {
          "name": "GLSA-202312-02",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202312-02"
        },
        {
          "name": "GLSA-202312-04",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202312-04"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-4104",
    "datePublished": "2021-12-14T00:00:00",
    "dateReserved": "2021-12-13T00:00:00",
    "dateUpdated": "2024-08-03T17:16:04.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

rhsa-2022_0448

Vulnerability from csaf_redhat

cve-2021-3859

Vulnerability from cvelistv5

cve-2022-23305

Vulnerability from cvelistv5

cve-2022-23307

Vulnerability from cvelistv5

cve-2022-23302

Vulnerability from cvelistv5

cve-2021-4104

Vulnerability from cvelistv5

Tags