QID 355080
Date Published: 2023-05-18
QID 355080: Amazon Linux Security Advisory for log4j : AL2012-2023-404
Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2022-23307:
A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.
2041967: CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer
CVE-2022-23305:
A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection via untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.
2041959: CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
CVE-2022-23302:
A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.
2041949: CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
Successful exploitation of these vulnerabilities could lead to a security breach or could affect integrity, availability, and confidentiality.
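As an added defender's example that is not part of the advisory, the following Python audit scans a Log4j 1.x `log4j.properties` text for JDBCAppender declarations, the configuration condition CVE-2022-23305 depends on, and flags SQL patterns that splice the raw log message (`%m`) into the statement. The property keys and class name are those of Log4j 1.x; treating `%X` as untrusted and the sample configuration are assumptions.

```python
import re
from dataclasses import dataclass

# Log4j 1.x appender class named in CVE-2022-23305. Its 'sql' property is a
# PatternLayout string, so %m splices the raw log message into the SQL text.
JDBC_APPENDER = "org.apache.log4j.jdbc.JDBCAppender"
# Assumption: %m (message) and %X (MDC values) are the tokens most likely to
# carry text that originates from an untrusted caller.
UNTRUSTED_TOKENS = {"%m", "%X"}
APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")
SQL_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\.sql\s*=\s*(.*)$")
# A conversion token: %, optional width/precision, one letter, optional {...}.
TOKEN_RE = re.compile(r"%-?\d*(?:\.\d+)?([A-Za-z])(?:\{[^}]*\})?")

@dataclass
class Finding:
    appender: str
    sql: str
    tokens: list
    risky: bool

def audit_log4j1_properties(text: str) -> list:
    """Return one Finding per JDBCAppender declared in a properties text."""
    classes, sqls = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank or comment line
        if m := APPENDER_RE.match(line):
            classes[m.group(1)] = m.group(2)
        elif m := SQL_RE.match(line):
            sqls[m.group(1)] = m.group(2)
    findings = []
    for name, cls in classes.items():
        if cls != JDBC_APPENDER:
            continue  # only the advisory's JDBC appender is of interest here
        sql = sqls.get(name, "")
        tokens = ["%" + t for t in TOKEN_RE.findall(sql)]
        findings.append(Finding(name, sql, tokens,
                                any(t in UNTRUSTED_TOKENS for t in tokens)))
    return findings

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, DB, CONSOLE
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.sql=INSERT INTO LOGS VALUES('%x','%d{ISO8601}','%C','%p','%m')
"""
```

A JDBCAppender whose pattern contains no `%m` or `%X` is reported with `risky` set to False, so the output separates appenders that merely exist from those that actually interpolate caller-controlled text.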
CVEs related to QID 355080
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| AL2012-2023-404 | Amazon Linux Bare Metal | | |