Bug 2041959 (CVE-2022-23305) - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
Summary: CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-23305
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2042109 2042110 2042111 2042112 2042113 2042114 2042115 2042116 2042117 2042118 2042119 2042120 2042121 2042122 2042123 2042124 2042125 2042126 2042127 2042128 2042129 2042130 2042131 2042132 2042133 2042134 2042135 2042136 2042254 2042255 2042344 2042713 2042923 2042924 2042925 2042926 2042927 2042928 2042929 2042930 2042931 2048758 2048759
Blocks: 2041943
Reported: 2022-01-18 15:48 UTC by Michael Kaplan
Modified: 2022-07-06 15:29 UTC
CC List: 129 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection through untrusted data that is logged. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.
Clone Of:
Environment:
Last Closed: 2022-01-26 15:31:52 UTC
Embargoed:


Attachments


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2022:0680 | 0 | None | None | None | 2022-02-24 21:15:46 UTC
Red Hat Product Errata | RHBA-2022:0802 | 0 | None | None | None | 2022-03-09 14:10:42 UTC
Red Hat Product Errata | RHSA-2022:0289 | 0 | None | None | None | 2022-01-26 14:52:33 UTC
Red Hat Product Errata | RHSA-2022:0290 | 0 | None | None | None | 2022-01-26 14:50:13 UTC
Red Hat Product Errata | RHSA-2022:0291 | 0 | None | None | None | 2022-01-26 14:51:29 UTC
Red Hat Product Errata | RHSA-2022:0294 | 0 | None | None | None | 2022-01-26 14:46:30 UTC
Red Hat Product Errata | RHSA-2022:0430 | 0 | None | None | None | 2022-02-03 14:04:54 UTC
Red Hat Product Errata | RHSA-2022:0435 | 0 | None | None | None | 2022-02-03 18:24:29 UTC
Red Hat Product Errata | RHSA-2022:0436 | 0 | None | None | None | 2022-02-03 18:31:07 UTC
Red Hat Product Errata | RHSA-2022:0437 | 0 | None | None | None | 2022-02-03 18:44:55 UTC
Red Hat Product Errata | RHSA-2022:0438 | 0 | None | None | None | 2022-02-03 18:50:10 UTC
Red Hat Product Errata | RHSA-2022:0439 | 0 | None | None | None | 2022-02-03 19:06:59 UTC
Red Hat Product Errata | RHSA-2022:0442 | 0 | None | None | None | 2022-02-07 10:44:18 UTC
Red Hat Product Errata | RHSA-2022:0444 | 0 | None | None | None | 2022-02-07 13:42:21 UTC
Red Hat Product Errata | RHSA-2022:0445 | 0 | None | None | None | 2022-02-07 14:24:01 UTC
Red Hat Product Errata | RHSA-2022:0446 | 0 | None | None | None | 2022-02-07 13:44:19 UTC
Red Hat Product Errata | RHSA-2022:0447 | 0 | None | None | None | 2022-02-07 13:54:21 UTC
Red Hat Product Errata | RHSA-2022:0448 | 0 | None | None | None | 2022-02-07 13:53:04 UTC
Red Hat Product Errata | RHSA-2022:0449 | 0 | None | None | None | 2022-02-07 13:49:06 UTC
Red Hat Product Errata | RHSA-2022:0450 | 0 | None | Closed | [bug] Router doesn't show anymore in 'ovn-nbctl' | 2022-04-19 08:31:43 UTC
Red Hat Product Errata | RHSA-2022:0467 | 0 | None | None | None | 2022-02-08 12:53:06 UTC
Red Hat Product Errata | RHSA-2022:0469 | 0 | None | None | None | 2022-02-08 13:57:08 UTC
Red Hat Product Errata | RHSA-2022:0475 | 0 | None | None | None | 2022-02-08 16:57:37 UTC
Red Hat Product Errata | RHSA-2022:0497 | 0 | None | None | None | 2022-02-09 13:11:31 UTC
Red Hat Product Errata | RHSA-2022:0507 | 0 | None | None | None | 2022-02-10 17:27:06 UTC
Red Hat Product Errata | RHSA-2022:0524 | 0 | None | None | None | 2022-02-14 17:07:28 UTC
Red Hat Product Errata | RHSA-2022:0527 | 0 | None | None | None | 2022-02-14 17:31:47 UTC
Red Hat Product Errata | RHSA-2022:0553 | 0 | None | None | None | 2022-02-15 18:55:02 UTC
Red Hat Product Errata | RHSA-2022:0661 | 0 | None | None | None | 2022-02-23 20:01:13 UTC
Red Hat Product Errata | RHSA-2022:1296 | 0 | None | None | None | 2022-04-11 12:57:07 UTC
Red Hat Product Errata | RHSA-2022:1297 | 0 | None | None | None | 2022-04-11 12:58:36 UTC
Red Hat Product Errata | RHSA-2022:1299 | 0 | None | None | None | 2022-04-11 13:01:21 UTC
Red Hat Product Errata | RHSA-2022:5458 | 0 | None | None | None | 2022-06-30 18:34:58 UTC
Red Hat Product Errata | RHSA-2022:5459 | 0 | None | None | None | 2022-06-30 18:56:41 UTC
Red Hat Product Errata | RHSA-2022:5460 | 0 | None | None | None | 2022-06-30 19:11:37 UTC

Description Michael Kaplan 2022-01-18 15:48:34 UTC
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converted from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged, allowing unintended SQL queries to be executed.

Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs.

References: 

https://www.openwall.com/lists/oss-security/2022/01/18/4
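The description above explains the mechanism: in Log4j 1.x the configured SQL string is itself the PatternLayout pattern, so whatever %m expands to is pasted straight into the statement text. The following is an added illustration, not code from the bug report, from Red Hat or from Log4j. It models that interpolation in Python (Log4j's own code is Java) over an in-memory SQLite database, places the parameterized form beside it (the approach the description attributes to Log4j 2.x's reworked appender), and includes a small audit routine that scans a log4j.properties file for JDBCAppender definitions whose SQL embeds tokens carrying application data. The sample properties, the table name `logs`, and the function names are all constructed for the example; treating %m, %x and %X{...} as the tokens that carry untrusted data is an assumption made here, with %m being the one the description singles out.

```python
import re
import sqlite3

# PatternLayout conversion tokens that carry application-supplied data
# (assumption for this example; the bug description names %m specifically).
# Optional format modifiers such as %-5m are tolerated.
UNTRUSTED_TOKEN = re.compile(r"%-?\d*(?:\.\d+)?(m|x|X\{[^}]*\})")

# Constructed sample configuration (not taken from the advisory): one
# JDBCAppender whose SQL interpolates %m, plus a console appender for contrast.
SAMPLE_LOG4J_PROPERTIES = """\
log4j.rootLogger=INFO, db, console
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:postgresql://localhost/app
log4j.appender.db.sql=INSERT INTO logs (level, msg) VALUES ('%p', '%m')
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.console.layout.ConversionPattern=%d %-5p %m%n
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_jdbc_appenders(text):
    """Return one finding per appender of class JDBCAppender, listing which
    untrusted-data tokens appear in its configured SQL (empty list = none)."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not m or not value.endswith("JDBCAppender"):
            continue
        name = m.group(1)
        sql = props.get(f"log4j.appender.{name}.sql", "")
        tokens = ["%" + t for t in UNTRUSTED_TOKEN.findall(sql)]
        findings.append({"appender": name, "sql": sql, "untrusted_tokens": tokens})
    return findings


def render_like_log4j1(sql_pattern, message):
    """Model of the Log4j 1.x behaviour: the configured SQL is the layout
    pattern and the raw log message replaces %m (only %m is modelled here)."""
    return sql_pattern.replace("%m", message)


def store_interpolated(conn, sql_pattern, message):
    """Vulnerable path: the rendered text is executed as SQL."""
    conn.execute(render_like_log4j1(sql_pattern, message))
    conn.commit()


def store_parameterized(conn, message):
    """Hardened path: the statement is fixed; the message is a bind value."""
    conn.execute("INSERT INTO logs (level, msg) VALUES (?, ?)", ("INFO", message))
    conn.commit()


def demo(message):
    """Run both paths on one message.
    Returns (outcome of the interpolated path, whether the parameterized
    path stored the message verbatim)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (level TEXT, msg TEXT)")
    pattern = "INSERT INTO logs (level, msg) VALUES ('INFO', '%m')"
    try:
        store_interpolated(conn, pattern, message)
        outcome = "executed"
    except sqlite3.Error as exc:
        # A single quote in the message already changes the SQL's structure;
        # here that surfaces as a syntax error rather than a silent insert.
        outcome = "sql error: " + type(exc).__name__
    store_parameterized(conn, message)
    row = conn.execute("SELECT msg FROM logs ORDER BY rowid DESC LIMIT 1").fetchone()
    return outcome, row[0] == message


if __name__ == "__main__":
    for finding in audit_jdbc_appenders(SAMPLE_LOG4J_PROPERTIES):
        print("JDBCAppender", finding["appender"], "uses tokens", finding["untrusted_tokens"])
    for msg in ("user logged in", "O'Brien logged in"):
        print(repr(msg), "->", demo(msg))
```

The audit is the part worth running in an estate: the bug only applies where a Log4j 1.x deployment actually configures `org.apache.log4j.jdbc.JDBCAppender`, so enumerating log4j.properties files for that class and for %m in the `.sql` value tells you which applications need the errata or a configuration change. The `demo` function shows why: the same message that the parameterized insert stores verbatim is parsed as SQL syntax by the interpolated path.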

Comment 2 juneau 2022-01-18 17:52:32 UTC
Marking /services "notaffected" per previous analysis/remediation.

Comment 26 errata-xmlrpc 2022-01-26 14:46:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0294 https://access.redhat.com/errata/RHSA-2022:0294

Comment 27 errata-xmlrpc 2022-01-26 14:50:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0290 https://access.redhat.com/errata/RHSA-2022:0290

Comment 28 errata-xmlrpc 2022-01-26 14:51:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0291 https://access.redhat.com/errata/RHSA-2022:0291

Comment 29 errata-xmlrpc 2022-01-26 14:52:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0289 https://access.redhat.com/errata/RHSA-2022:0289

Comment 30 Product Security DevOps Team 2022-01-26 15:31:45 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-23305

Comment 32 errata-xmlrpc 2022-02-03 14:04:47 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.9

Via RHSA-2022:0430 https://access.redhat.com/errata/RHSA-2022:0430

Comment 33 errata-xmlrpc 2022-02-03 18:24:22 UTC
This issue has been addressed in the following products:

  EAP 7.4 log4j async

Via RHSA-2022:0435 https://access.redhat.com/errata/RHSA-2022:0435

Comment 34 errata-xmlrpc 2022-02-03 18:31:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:0436 https://access.redhat.com/errata/RHSA-2022:0436

Comment 35 errata-xmlrpc 2022-02-03 18:44:48 UTC
This issue has been addressed in the following products:

  EAP 6.4 log4j async

Via RHSA-2022:0437 https://access.redhat.com/errata/RHSA-2022:0437

Comment 36 errata-xmlrpc 2022-02-03 18:50:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2022:0438 https://access.redhat.com/errata/RHSA-2022:0438

Comment 37 errata-xmlrpc 2022-02-03 19:06:52 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:0439 https://access.redhat.com/errata/RHSA-2022:0439

Comment 38 errata-xmlrpc 2022-02-07 10:44:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support
  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:0442 https://access.redhat.com/errata/RHSA-2022:0442

Comment 39 errata-xmlrpc 2022-02-07 13:42:12 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0444 https://access.redhat.com/errata/RHSA-2022:0444

Comment 40 errata-xmlrpc 2022-02-07 13:44:13 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.10

Via RHSA-2022:0446 https://access.redhat.com/errata/RHSA-2022:0446

Comment 41 errata-xmlrpc 2022-02-07 13:48:59 UTC
This issue has been addressed in the following products:

  RHSSO 7.5.1

Via RHSA-2022:0449 https://access.redhat.com/errata/RHSA-2022:0449

Comment 42 errata-xmlrpc 2022-02-07 13:52:57 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 8

Via RHSA-2022:0448 https://access.redhat.com/errata/RHSA-2022:0448

Comment 43 errata-xmlrpc 2022-02-07 13:54:14 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 7

Via RHSA-2022:0447 https://access.redhat.com/errata/RHSA-2022:0447

Comment 44 errata-xmlrpc 2022-02-07 14:23:55 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0445 https://access.redhat.com/errata/RHSA-2022:0445

Comment 45 errata-xmlrpc 2022-02-07 14:48:22 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0450 https://access.redhat.com/errata/RHSA-2022:0450

Comment 46 errata-xmlrpc 2022-02-08 12:53:00 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 1.6.7

Via RHSA-2022:0467 https://access.redhat.com/errata/RHSA-2022:0467

Comment 47 errata-xmlrpc 2022-02-08 13:57:00 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.0.1

Via RHSA-2022:0469 https://access.redhat.com/errata/RHSA-2022:0469

Comment 48 errata-xmlrpc 2022-02-08 16:57:30 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2022:0475 https://access.redhat.com/errata/RHSA-2022:0475

Comment 49 errata-xmlrpc 2022-02-09 13:11:26 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.4.8.SP1

Via RHSA-2022:0497 https://access.redhat.com/errata/RHSA-2022:0497

Comment 50 errata-xmlrpc 2022-02-10 17:26:59 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.4.8.SP2

Via RHSA-2022:0507 https://access.redhat.com/errata/RHSA-2022:0507

Comment 51 errata-xmlrpc 2022-02-14 17:07:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2022:0524 https://access.redhat.com/errata/RHSA-2022:0524

Comment 52 errata-xmlrpc 2022-02-14 17:31:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2022:0527 https://access.redhat.com/errata/RHSA-2022:0527

Comment 53 errata-xmlrpc 2022-02-15 18:54:55 UTC
This issue has been addressed in the following products:

  Red Hat Fuse/AMQ 6.3.20

Via RHSA-2022:0553 https://access.redhat.com/errata/RHSA-2022:0553

Comment 54 errata-xmlrpc 2022-02-23 20:01:06 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10.1

Via RHSA-2022:0661 https://access.redhat.com/errata/RHSA-2022:0661

Comment 55 errata-xmlrpc 2022-04-11 12:57:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:1296 https://access.redhat.com/errata/RHSA-2022:1296

Comment 56 errata-xmlrpc 2022-04-11 12:58:30 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:1297 https://access.redhat.com/errata/RHSA-2022:1297

Comment 57 errata-xmlrpc 2022-04-11 13:01:14 UTC
This issue has been addressed in the following products:

  EAP 7.4.4 release

Via RHSA-2022:1299 https://access.redhat.com/errata/RHSA-2022:1299

Comment 62 errata-xmlrpc 2022-06-30 18:34:52 UTC
This issue has been addressed in the following products:

  EAP 6.4.24 release

Via RHSA-2022:5458 https://access.redhat.com/errata/RHSA-2022:5458

Comment 63 errata-xmlrpc 2022-06-30 18:56:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2022:5459 https://access.redhat.com/errata/RHSA-2022:5459

Comment 64 errata-xmlrpc 2022-06-30 19:11:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2022:5460 https://access.redhat.com/errata/RHSA-2022:5460

