CVE-2022-23305 The JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter. The message converter, %m, is always included.

The Log4j default appender, the ConsoleAppender, has a security vulnerability that can be exploited to execute arbitrary code on the server. The issue is due to the lack of input sanitization by default: a remote attacker could send an email which, when viewed with the ConsoleAppender, could execute arbitrary code on the server. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2, which also addresses numerous other issues from the previous versions.

Description of Apache Log4j 2

Log4j 2 is a logging library for Java. It is designed with performance in mind and offers many features that are not available in the previous versions of Log4j.

Apache Log4j 1.2 – A weakness in the default appender

The default appender in Apache Log4j is the ConsoleAppender. Apache Log4j 1.2 reached end of life in August 2015, and users should upgrade to Log4j 2, which also addresses numerous other issues from previous versions. One of the security vulnerabilities in this release was a weakness in the default appender that a remote attacker could exploit to execute arbitrary code on the server. The issue was due to the lack of input sanitization by default, which could result in an email that, when viewed with this appender, could execute arbitrary code on the server.

Apache Log4j 1.2

Security Vulnerability
The Log4j 1.2 security vulnerability affects the Apache Log4j application. The issue is due to the lack of input sanitization by default: a remote attacker could send an email which, when viewed with the ConsoleAppender, could execute arbitrary code on the server. If you are still using Apache Log4j 1.2, you should upgrade to Log4j 2, which addresses numerous other issues from the previous versions and is supported by the Apache Software Foundation for another 3 years.
