{"api_version":"1","generated_at":"2026-04-22T17:46:57+00:00","cve":"CVE-2022-23302","urls":{"html":"https://cve.report/CVE-2022-23302","api":"https://cve.report/api/cve/CVE-2022-23302.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-23302","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-23302"},"summary":{"title":"CVE-2022-23302","description":"JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2022-01-18 16:15:00","updated_at":"2023-02-24 15:30:00"},"problem_types":["CWE-502"],"metrics":[],"references":[{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","name":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - April 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20220217-0006/","name":"https://security.netapp.com/advisory/ntap-20220217-0006/","refsource":"CONFIRM","tags":[],"title":"CVE-2022-23302 Apache Log4j Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/01/18/3","name":"[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x","refsource":"MLIST","tags":[],"title":"oss-security - CVE-2022-23302: Deserialization of untrusted data in JMSSink in\n Apache Log4j 1.x","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w","name":"https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://logging.apache.org/log4j/1.2/index.html","name":"https://logging.apache.org/log4j/1.2/index.html","refsource":"MISC","tags":[],"title":"Apache log4j 1.2 -","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-23302","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23302","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Eduardo' Vela, Maksim Shudrak and Jacob Butler from Google.","lang":""}],"nvd_cpes":[{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"1.2.17","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"log4j","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"broadcom","cpe5":"brocade_sannav","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"snapmanager","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"oracle","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"snapmanager","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"sap","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"advanced_supply_chain_planning","cpe6":"12.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"advanced_supply_chain_planning","cpe6":"12.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"business_intelligence","cpe6":"12.2.1.3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"business_intelligence","cpe6":"12.2.1.4.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"business_intelligence","cpe6":"5.9.0.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"business_process_management_suite","cpe6":"12.2.1.3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"business_process_management_suite","cpe6":"12.2.1.4.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_eagle_ftp_table_base_retrieval","cpe6":"4.5","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_instant_messaging_server","cpe6":"10.0.1.5.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_messaging_server","cpe6":"8.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_network_integrity","cpe6":"7.3.6","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_offline_mediation_controller","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_offline_mediation_controller","cpe6":"12.0.0.5.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_unified_inventory_management","cpe6":"7.4.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_unified_inventory_management","cpe6":"7.4.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"e-business_suite_cloud_manager_and_cloud_backup_module","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"e-business_suite_cloud_manager_and_cloud_backup_module","cpe6":"2.2.1.1.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"enterprise_manager_base_platform","cpe6":"13.4.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"enterprise_manager_base_platform","cpe6":"13.5.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"financial_services_revenue_management_and_billing_analytics","cpe6":"2.7.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"financial_services_revenue_management_and_billing_analytics","cpe6":"2.7.0.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"financial_services_revenue_management_and_billing_analytics","cpe6":"2.8.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"healthcare_foundation","cpe6":"8.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"hyperion_data_relationship_management","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"hyperion_infrastructure_technology","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"identity_management_suite","cpe6":"12.2.1.3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"identity_management_suite","cpe6":"12.2.1.4.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"identity_manager_connector","cpe6":"11.1.1.5.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jdeveloper","cpe6":"12.2.1.3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"middleware_common_libraries_and_tools","cpe6":"12.2.1.4.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"8.0.29","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"mysql_enterprise_monitor","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"tuxedo","cpe6":"12.2.2.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"weblogic_server","cpe6":"12.2.1.3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"weblogic_server","cpe6":"12.2.1.4.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"weblogic_server","cpe6":"14.1.1.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23302","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"qos","cpe5":"reload4j","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-23302","qid":"159603","title":"Oracle Enterprise Linux Security Update for parfait:0.5 (ELSA-2022-0290)"},{"cve":"CVE-2022-23302","qid":"159628","title":"Oracle Enterprise Linux Security Update for log4j (ELSA-2022-0442)"},{"cve":"CVE-2022-23302","qid":"159853","title":"Oracle Enterprise Linux Security Update for log4j (ELSA-2022-9419)"},{"cve":"CVE-2022-23302","qid":"179047","title":"Debian Security Update for apache-log4j1.2 (DLA 2905-1)"},{"cve":"CVE-2022-23302","qid":"179205","title":"Debian Security Update for apache-log4j1.2 (CVE-2022-23302)"},{"cve":"CVE-2022-23302","qid":"199275","title":"Ubuntu Security Notification for Apache Log4j Vulnerabilities (USN-5998-1)"},{"cve":"CVE-2022-23302","qid":"240034","title":"Red Hat Update for parfait:0.5 (RHSA-2022:0289)"},{"cve":"CVE-2022-23302","qid":"240035","title":"Red Hat Update for parfait:0.5 (RHSA-2022:0290)"},{"cve":"CVE-2022-23302","qid":"240036","title":"Red Hat Update for parfait:0.5 (RHSA-2022:0291)"},{"cve":"CVE-2022-23302","qid":"240059","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4 (RHSA-2022:0436)"},{"cve":"CVE-2022-23302","qid":"240060","title":"Red Hat Update for JBoss Enterprise Application Platform 6.4 (RHSA-2022:0438)"},{"cve":"CVE-2022-23302","qid":"240062","title":"Red Hat Update for rh-maven36-log4j12 (RHSA-2022:0439)"},{"cve":"CVE-2022-23302","qid":"240067","title":"Red Hat Update for log4j (RHSA-2022:0442)"},{"cve":"CVE-2022-23302","qid":"240078","title":"Red Hat Update for red hat jboss web server 3.1 service pack 14 (RHSA-2022:0524)"},{"cve":"CVE-2022-23302","qid":"240209","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.4 (RHSA-2022:1296)"},{"cve":"CVE-2022-23302","qid":"240210","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.4 (RHSA-2022:1297)"},{"cve":"CVE-2022-23302","qid":"240452","title":"Red Hat Update for parfait:0.5 (RHSA-2022:0294)"},{"cve":"CVE-2022-23302","qid":"240508","title":"Red Hat Update for JBoss Enterprise Application Platform 6.4.2 (RHSA-2022:5459)"},{"cve":"CVE-2022-23302","qid":"240511","title":"Red Hat Update for JBoss Enterprise Application Platform 6.4.2 (RHSA-2022:5460)"},{"cve":"CVE-2022-23302","qid":"257151","title":"CentOS Security Update for log4j (CESA-2022:0442)"},{"cve":"CVE-2022-23302","qid":"353173","title":"Amazon Linux Security Advisory for log4j : ALAS2-2022-1750"},{"cve":"CVE-2022-23302","qid":"354858","title":"Amazon Linux Security Advisory for log4j : ALAS-2023-1718"},{"cve":"CVE-2022-23302","qid":"355080","title":"Amazon Linux Security Advisory for log4j : AL2012-2023-404"},{"cve":"CVE-2022-23302","qid":"376438","title":"IBM WebSphere Application Server Arbitrary Code Execution Vulnerability (Log4Shell) (6557248)"},{"cve":"CVE-2022-23302","qid":"376639","title":"IBM Integration Bus and IBM App Connect Enterprise Apache Log4j Vulnerabilities (6568731)"},{"cve":"CVE-2022-23302","qid":"377086","title":"Alibaba Cloud Linux Security Update for log4j (ALINUX2-SA-2022:0010)"},{"cve":"CVE-2022-23302","qid":"377147","title":"Alibaba Cloud Linux Security Update for parfait:0.5 (ALINUX3-SA-2022:0006)"},{"cve":"CVE-2022-23302","qid":"671400","title":"EulerOS Security Update for log4j (EulerOS-SA-2022-1330)"},{"cve":"CVE-2022-23302","qid":"671679","title":"EulerOS Security Update for log4j (EulerOS-SA-2022-1744)"},{"cve":"CVE-2022-23302","qid":"730542","title":"Atlassian Confluence Server and Confluence Data Center Log4j Multiple Vulnerabilities (CONFSERVER-78991)"},{"cve":"CVE-2022-23302","qid":"730566","title":"Atlassian Jira Server and Data Center Log4j Vulnerability (JRASERVER-73885)"},{"cve":"CVE-2022-23302","qid":"731338","title":"Atlassian Bamboo Server and Data Center Multiple Security Vulnerabilities (BAM-21696, BAM-21697)"},{"cve":"CVE-2022-23302","qid":"751667","title":"SUSE Enterprise Linux Security Update for log4j (SUSE-SU-2022:0212-1)"},{"cve":"CVE-2022-23302","qid":"751669","title":"SUSE Enterprise Linux Security Update for log4j (SUSE-SU-2022:0214-1)"},{"cve":"CVE-2022-23302","qid":"751670","title":"OpenSUSE Security Update for log4j (openSUSE-SU-2022:0214-1)"},{"cve":"CVE-2022-23302","qid":"751672","title":"SUSE Enterprise Linux Security Update for log4j12 (SUSE-SU-2022:0226-1)"},{"cve":"CVE-2022-23302","qid":"751673","title":"OpenSUSE Security Update for log4j12 (openSUSE-SU-2022:0226-1)"},{"cve":"CVE-2022-23302","qid":"753187","title":"SUSE Enterprise Linux Security Update for log4j (SUSE-SU-2022:14881-1)"},{"cve":"CVE-2022-23302","qid":"940440","title":"AlmaLinux Security Update for parfait:0.5 (ALSA-2022:0290)"},{"cve":"CVE-2022-23302","qid":"960689","title":"Rocky Linux Security Update for parfait:0.5 (RLSA-2022:0290)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2022-23302","STATE":"PUBLIC","TITLE":"Deserialization of untrusted data in JMSSink in Apache Log4j 1.x"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache Log4j 1.x","version":{"version_data":[{"version_affected":">=","version_value":"1.0.1"},{"version_affected":"<","version_value":"2.0-alpha1"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"credit":[{"lang":"eng","value":"Eduardo' Vela, Maksim Shudrak and Jacob Butler from Google."}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":[{"other":"high"}],"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-502 Deserialization of Untrusted Data"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w","name":"https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w"},{"refsource":"MISC","url":"https://logging.apache.org/log4j/1.2/index.html","name":"https://logging.apache.org/log4j/1.2/index.html"},{"refsource":"MLIST","name":"[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x","url":"http://www.openwall.com/lists/oss-security/2022/01/18/3"},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20220217-0006/","url":"https://security.netapp.com/advisory/ntap-20220217-0006/"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2022.html"}]},"source":{"discovery":"UNKNOWN"},"work_around":[{"lang":"eng","value":"Users should upgrade to Log4j 2 or remove usage of the JMSSink from their configurations."}]},"nvd":{"publishedDate":"2022-01-18 16:15:00","lastModifiedDate":"2023-02-24 15:30:00","problem_types":["CWE-502"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6},"severity":"MEDIUM","exploitabilityScore":6.8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0.1","versionEndIncluding":"1.2.17","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:broadcom:brocade_sannav:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*","versionEndExcluding":"1.2.18.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*","versionEndExcluding":"11.2.8.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*","versionEndIncluding":"8.0.29","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*","versionEndExcluding":"11.2.8.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:*:*:*:*:*:*:*:*","versionEndExcluding":"2.2.1.1.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*","versionEndExcluding":"12.0.0.4.4","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"23302","Ordinal":"225996","Title":"CVE-2022-23302","CVE":"CVE-2022-23302","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"23302","Ordinal":"1","NoteData":"JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.","Type":"Description","Title":null},{"CveYear":"2022","CveId":"23302","Ordinal":"2","NoteData":"2022-01-18","Type":"Other","Title":"Published"},{"CveYear":"2022","CveId":"23302","Ordinal":"3","NoteData":"2022-01-18","Type":"Other","Title":"Modified"}]}}}