CVE-2022-23302: The JMSSink Log4j vulnerability is a deserialization vulnerability that applies when the attacker has write access to the Log4j configuration, or when the configuration references an LDAP service the attacker has access to.

Apache Log4j 2.x does not have this issue, but if upgrading from Apache Log4j 1.x, make sure to disable the use of LDAP for connection pooling. Apache ActiveMQ 5.x does not have this issue.

What is Apache ActiveMQ?

Apache ActiveMQ (formerly known as Apache JMS) is a Java Message Service 2.0 compliant client-server application for message-oriented middleware. It provides a high-performance, open source and standards-compliant enterprise messaging platform with support for asynchronous, point-to-point and topic messaging. The core functionality of the product is based on the Apache OpenMQ project.

The Log4j 2 log4j2asynchrotocol module does not have this issue, but it was introduced in Log4j 2.3, which is vulnerable to the CVE. However, if upgrading from Apache Log4j 1.x, make sure to disable the use of LDAP for connection pooling before enabling these features in Log4j 2.
