CVE-2022-23302
Deserialization of Untrusted Data vulnerability in log4j:log4j

Weakness: Deserialization of Untrusted Data. Known public exploit: none.

What is CVE-2022-23302 About?

This vulnerability in the JMSSink component of Log4j 1.x allows deserialization of untrusted data and can lead to remote code execution. Exploitation requires either write access to the configuration that JMSSink reads or control of an LDAP service that this configuration references; once those prerequisites are met, the attack itself is straightforward.

Affected Software

  • log4j:log4j
    • <=1.2.17
  • org.zenframework.z8.dependencies.commons:log4j-1.2.17
    • <=2.0

Technical Details

JMSSink is a small standalone receiver in Log4j 1.x that consumes logging events published to a JMS topic (the counterpart of JMSAppender). At startup it performs a JNDI lookup of the TopicConnectionFactoryBindingName it is given to obtain a TopicConnectionFactory. An attacker who can write that configuration, or who controls an LDAP service that the configuration points JNDI at, can supply a binding name that causes JMSSink to resolve a reference from an attacker-controlled LDAP server; the returned object is deserialized, which yields remote code execution by the same JNDI lookup pattern that JMSAppender exposed in CVE-2021-4104. The issue only affects Log4j 1.x deployments that explicitly run JMSSink, which is not the default. All 1.x releases are affected, and Apache Log4j 1.2 reached end of life in August 2015, so no patched 1.x release exists.
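A practical check for the two facts above (a Log4j 1.x artifact on the classpath, and whether it still ships the JMSSink class) is given below. This is an added example written for this page, not code from the Apache Log4j project. It assumes, as Maven-built log4j JARs do, that the version is recorded in META-INF/maven/log4j/log4j/pom.properties (with a filename fallback) and that the class lives at org/apache/log4j/net/JMSSink.class; the sample JARs it builds are constructed stand-ins, not real artifacts. It also shows the stopgap of removing the JMSSink and JMSAppender entries from the JAR when an upgrade to Log4j 2 cannot be done immediately; that is an operator mitigation, not an Apache fix.

```python
"""Scan a directory tree for Log4j 1.x JARs and report whether they still ship
the JMSSink class that CVE-2022-23302 concerns (and JMSAppender, CVE-2021-4104).

Added example for this page; not code from the Apache Log4j project.
Assumed layout (not stated on the page): Maven-built log4j JARs carry
META-INF/maven/log4j/log4j/pom.properties with a `version=` line, and the
vulnerable classes sit under org/apache/log4j/net/ in log4j-1.2.x JARs.
"""
import os
import re
import tempfile
import zipfile

POM_PROPERTIES = "META-INF/maven/log4j/log4j/pom.properties"
JMSSINK_CLASS = "org/apache/log4j/net/JMSSink.class"
JMSAPPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"  # same JNDI pattern


def jar_version(jar_path):
    """Return the version recorded in a log4j:log4j JAR, or None for other JARs.

    Prefers the Maven pom.properties; falls back to a log4j-<ver>.jar filename.
    """
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPERTIES in zf.namelist():
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    m = re.match(r"log4j-(\d+(?:\.\d+)+)\.jar$", os.path.basename(jar_path))
    return m.group(1) if m else None


def is_log4j1(version):
    """True for any 1.x release: every 1.x version up to 1.2.17 is affected."""
    return version is not None and version.split(".")[0] == "1"


def jar_has_class(jar_path, class_path):
    with zipfile.ZipFile(jar_path) as zf:
        return class_path in zf.namelist()


def scan(root):
    """Walk `root`; return (jar_path, version, has_jmssink, has_jmsappender)
    for every Log4j 1.x JAR found. Unreadable JARs are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                version = jar_version(path)
            except zipfile.BadZipFile:
                continue
            if is_log4j1(version):
                findings.append((path, version,
                                 jar_has_class(path, JMSSINK_CLASS),
                                 jar_has_class(path, JMSAPPENDER_CLASS)))
    return findings


def strip_classes(jar_path, class_paths):
    """Rewrite the JAR without the given entries (operator stopgap, not a
    vendor fix). Returns the number of entries removed."""
    tmp = jar_path + ".tmp"
    removed = 0
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in class_paths:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)
    return removed


def make_sample_tree():
    """Constructed sample data: a fake log4j-1.2.17.jar that contains JMSSink
    and a fake log4j-core-2.17.1.jar that does not. Not real artifacts."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "app", "WEB-INF", "lib")
    os.makedirs(lib)
    magic = b"\xca\xfe\xba\xbe"  # class-file magic only; bodies are placeholders
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.17.jar"), "w") as zf:
        zf.writestr(POM_PROPERTIES, "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n")
        zf.writestr(JMSSINK_CLASS, magic)
        zf.writestr(JMSAPPENDER_CLASS, magic)
        zf.writestr("org/apache/log4j/Logger.class", magic)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.17.1.jar"), "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    "version=2.17.1\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", magic)
    return root


if __name__ == "__main__":
    for path, version, sink, appender in scan(make_sample_tree()):
        print(f"{path}: log4j {version}; JMSSink "
              f"{'present' if sink else 'absent'}; JMSAppender "
              f"{'present' if appender else 'absent'}")
```

Run it against an application's lib directory instead of the sample tree to get the list of 1.x JARs; a JAR that is 1.x but no longer contains JMSSink and JMSAppender has had the stopgap applied, but is still an end-of-life library and should be migrated to Log4j 2.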

What is the Impact of CVE-2022-23302?

Successful exploitation may allow attackers to execute arbitrary code on the affected system, leading to full compromise of the application and potentially the underlying server.

What is the Exploitability of CVE-2022-23302?

Exploitation depends on prerequisites that make it moderately complex. The attacker needs either write access to the configuration JMSSink reads (which implies prior access or a misconfiguration) or control of an LDAP service that the JNDI configuration already points at. The JNDI lookup itself requires no authentication, but obtaining the initial access to change the configuration or to take over the LDAP server may. The attack is carried out remotely, provided the attacker can reach the LDAP service or the host holding the configuration. The likelihood of successful exploitation rises when JMSSink is actually deployed with such a configuration.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary recorded).

What are the Available Fixes for CVE-2022-23302?

Available Upgrade Options

  • No fixed release in the log4j:log4j 1.x line: Apache Log4j 1.2 reached end of life in August 2015. The vendor guidance is to upgrade to Log4j 2, which does not ship JMSSink. Where that cannot be done immediately, stop running JMSSink and remove the org.apache.log4j.net.JMSSink class from the JAR as a stopgap.


Additional Resources

What are Similar Vulnerabilities to CVE-2022-23302?

Similar Vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, CVE-2017-9805