JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. References: https://www.openwall.com/lists/oss-security/2022/01/18/3
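A defender-side check for the conditions described above (an added example, not part of the Red Hat bug record or the Log4j project): it scans a log4j 1.x properties-style configuration for the JMSSink and JMSAppender classes and for TopicConnectionFactoryBindingName or TopicBindingName values that are LDAP URLs, and inspects a JMSSink process command line under the assumption that its first argument is the TopicConnectionFactoryBindingName. The configuration text, command line and host name are constructed placeholders.

```python
import re

# Constructed sample log4j 1.x properties file; the LDAP host is a placeholder.
SAMPLE_CONFIG = """
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicConnectionFactoryBindingName=ldap://ldap.example.test/cf
log4j.appender.jms.TopicBindingName=logTopic
"""
# Constructed JMSSink command line (assumed argument order: factory binding, topic, user, password, config).
SAMPLE_CMDLINE = "java org.apache.log4j.net.JMSSink ldap://ldap.example.test/cf logTopic u p log4j.properties"
JMSSINK = "org.apache.log4j.net.JMSSink"
JMS_CLASSES = (JMSSINK, "org.apache.log4j.net.JMSAppender")
BINDING_KEYS = ("TopicConnectionFactoryBindingName", "TopicBindingName")
LDAP_URL = re.compile(r"^ldaps?:", re.IGNORECASE)


def parse_properties(text):
    """Minimal key=value parser for log4j.properties; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_config(text):
    """Flag JMS appender/sink classes and JNDI binding names given as LDAP URLs."""
    findings = []
    for key, value in parse_properties(text).items():
        if value in JMS_CLASSES:
            findings.append(f"{key} loads {value}")
        if key.rsplit(".", 1)[-1] in BINDING_KEYS and LDAP_URL.match(value):
            findings.append(f"{key} points at an LDAP service: {value}")
    return findings


def check_cmdline(cmdline):
    """Flag a running JMSSink whose TopicConnectionFactoryBindingName (first argument) is an LDAP URL."""
    tokens = cmdline.split()
    if JMSSINK not in tokens:
        return []
    findings = [f"process runs {JMSSINK}"]
    args = tokens[tokens.index(JMSSINK) + 1:]
    if args and LDAP_URL.match(args[0]):
        findings.append(f"TopicConnectionFactoryBindingName is an LDAP URL: {args[0]}")
    return findings


for finding in check_config(SAMPLE_CONFIG) + check_cmdline(SAMPLE_CMDLINE):
    print("FINDING:", finding)
```

Feed it the real log4j.properties files and `ps` output from the hosts being triaged; a finding means the non-default JMSSink/JMSAppender path is in use and the binding lookup goes to an LDAP service, which is the precondition the advisory names.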
Marking /services "notaffected" per previous analysis/remediation.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0294 https://access.redhat.com/errata/RHSA-2022:0294
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0290 https://access.redhat.com/errata/RHSA-2022:0290
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0291 https://access.redhat.com/errata/RHSA-2022:0291
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0289 https://access.redhat.com/errata/RHSA-2022:0289
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-23302
This issue has been addressed in the following products: Red Hat Data Grid 7.3.9 Via RHSA-2022:0430 https://access.redhat.com/errata/RHSA-2022:0430
This issue has been addressed in the following products: EAP 7.4 log4j async Via RHSA-2022:0435 https://access.redhat.com/errata/RHSA-2022:0435
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2022:0436 https://access.redhat.com/errata/RHSA-2022:0436
This issue has been addressed in the following products: EAP 6.4 log4j async Via RHSA-2022:0437 https://access.redhat.com/errata/RHSA-2022:0437
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2022:0438 https://access.redhat.com/errata/RHSA-2022:0438
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:0439 https://access.redhat.com/errata/RHSA-2022:0439
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.6 Advanced Update Support Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions Red Hat Enterprise Linux 7.6 Telco Extended Update Support Red Hat Enterprise Linux 7.7 Advanced Update Support Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions Red Hat Enterprise Linux 7.7 Telco Extended Update Support Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Extended Lifecycle Support Via RHSA-2022:0442 https://access.redhat.com/errata/RHSA-2022:0442
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2022:0444 https://access.redhat.com/errata/RHSA-2022:0444
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.10 Via RHSA-2022:0446 https://access.redhat.com/errata/RHSA-2022:0446
This issue has been addressed in the following products: RHSSO 7.5.1 Via RHSA-2022:0449 https://access.redhat.com/errata/RHSA-2022:0449
This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 8 Via RHSA-2022:0448 https://access.redhat.com/errata/RHSA-2022:0448
This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 7 Via RHSA-2022:0447 https://access.redhat.com/errata/RHSA-2022:0447
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2022:0445 https://access.redhat.com/errata/RHSA-2022:0445
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2022:0450 https://access.redhat.com/errata/RHSA-2022:0450
This issue has been addressed in the following products: Red Hat AMQ Streams 1.6.7 Via RHSA-2022:0467 https://access.redhat.com/errata/RHSA-2022:0467
This issue has been addressed in the following products: Red Hat AMQ Streams 2.0.1 Via RHSA-2022:0469 https://access.redhat.com/errata/RHSA-2022:0469
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2022:0475 https://access.redhat.com/errata/RHSA-2022:0475
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.4.8.SP1 Via RHSA-2022:0497 https://access.redhat.com/errata/RHSA-2022:0497
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.4.8.SP2 Via RHSA-2022:0507 https://access.redhat.com/errata/RHSA-2022:0507
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Via RHSA-2022:0524 https://access.redhat.com/errata/RHSA-2022:0524
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2022:0527 https://access.redhat.com/errata/RHSA-2022:0527
This issue has been addressed in the following products: Red Hat Fuse/AMQ 6.3.20 Via RHSA-2022:0553 https://access.redhat.com/errata/RHSA-2022:0553
This issue has been addressed in the following products: Red Hat Fuse 7.10.1 Via RHSA-2022:0661 https://access.redhat.com/errata/RHSA-2022:0661
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2022:1296 https://access.redhat.com/errata/RHSA-2022:1296
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2022:1297 https://access.redhat.com/errata/RHSA-2022:1297
This issue has been addressed in the following products: EAP 7.4.4 release Via RHSA-2022:1299 https://access.redhat.com/errata/RHSA-2022:1299
This issue has been addressed in the following products: EAP 6.4.24 release Via RHSA-2022:5458 https://access.redhat.com/errata/RHSA-2022:5458
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2022:5459 https://access.redhat.com/errata/RHSA-2022:5459
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2022:5460 https://access.redhat.com/errata/RHSA-2022:5460