CVE-2022-23305
SQL Injection vulnerability in log4j:log4j

What is CVE-2022-23305 About?
This vulnerability is an SQL injection in Log4j 1.2.x that applies only when the `JDBCAppender` is configured. The appender builds its `INSERT` statement by textual substitution of PatternLayout converters, so an attacker who can get a crafted string into a logged field or header (a username, a `User-Agent`, a request parameter) can alter the SQL the appender executes. Exploitation is straightforward once that configuration is in place; without the `JDBCAppender` the issue does not apply.
Affected Software
- log4j:log4j
  - <=1.2.17
- org.zenframework.z8.dependencies.commons:log4j-1.2.17
  - <=2.0
Technical Details
The vulnerability affects Apache Log4j 1.2.x only when the `JDBCAppender` is explicitly configured, which is not the default. By design, the `JDBCAppender` takes an SQL statement as a configuration parameter (`sql`) and hands it to a `PatternLayout`, which replaces converters such as `%m` (the message), `%x` (NDC) and `%X{key}` (MDC) with the corresponding values of each logging event as plain text. The resulting string is then executed as-is, with no escaping and no parameter binding. If the statement contains the message converter (`%m`) or another converter populated from request data, an attacker can supply crafted input to a field or header that the application logs, and that input becomes part of the SQL statement. This allows execution of unintended SQL, which, depending on the database engine and the privileges of the account the appender connects with, can mean data exfiltration, data modification, log forgery or, on some engines, remote code execution. Log4j 2.x is not affected: it reintroduced the `JDBCAppender` with parameterized SQL queries, so event data travels as bound parameters rather than as SQL text.
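To make the mechanism concrete, the following added example (not code from this page or from Log4j itself) simulates the 1.2.x `JDBCAppender` behaviour in Python: the configured SQL template is filled in by plain text substitution of `%c`, `%p` and `%m`, and the result is run as one statement against an in-memory SQLite database. The table names, the `USERS` table holding a "secret", and the two payloads are constructed for illustration. Both payloads stay inside the single `INSERT`, which matters in practice because many JDBC drivers refuse stacked statements; the parameterized variant at the end shows the Log4j 2 style fix storing the same payloads harmlessly.

```python
import re
import sqlite3

# Constructed stand-in for a Log4j 1.2 configuration line such as
#   log4j.appender.db.sql=INSERT INTO LOGS (LOGGER, LEVEL, MESSAGE) VALUES ('%c','%p','%m')
# JDBCAppender hands this string to PatternLayout, which substitutes the converters as text.
SQL_TEMPLATE = "INSERT INTO LOGS (LOGGER, LEVEL, MESSAGE) VALUES ('%c','%p','%m')"

_CONVERTER_RE = re.compile(r"%([cpm])")


def render_like_jdbcappender(template, event):
    """Single-pass textual substitution of %c, %p and %m, as PatternLayout does in 1.2.x.
    No quoting or escaping is applied; that is the defect behind CVE-2022-23305."""
    return _CONVERTER_RE.sub(lambda m: event[m.group(1)], template)


def new_db():
    """In-memory SQLite with a log table and a constructed table holding a secret."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE LOGS (LOGGER TEXT, LEVEL TEXT, MESSAGE TEXT);
        CREATE TABLE USERS (NAME TEXT, API_KEY TEXT);
        INSERT INTO USERS VALUES ('admin', 'sk-constructed-secret');
    """)
    return conn


def log_vulnerable(conn, message, logger="app.web", level="INFO"):
    """Mimics the 1.2.x appender: build the statement by substitution, run it as one statement."""
    sql = render_like_jdbcappender(SQL_TEMPLATE, {"c": logger, "p": level, "m": message})
    conn.execute(sql)  # comparable to java.sql.Statement.executeUpdate(sql)
    return sql


def log_parameterized(conn, message, logger="app.web", level="INFO"):
    """Log4j 2 style: the message is a bound parameter and never becomes SQL text."""
    conn.execute("INSERT INTO LOGS (LOGGER, LEVEL, MESSAGE) VALUES (?, ?, ?)",
                 (logger, level, message))


def rows(conn):
    return conn.execute("SELECT LOGGER, LEVEL, MESSAGE FROM LOGS ORDER BY rowid").fetchall()


# Constructed attacker-controlled inputs, e.g. a username or User-Agent header that gets logged.
# EXFIL closes the quoted message, concatenates a subquery result, and reopens the quote, so the
# secret lands in the log row. FORGE closes the VALUES tuple and appends a second, fake row.
EXFIL_PAYLOAD = "login failed for '||(SELECT API_KEY FROM USERS WHERE NAME='admin')||'"
FORGE_PAYLOAD = "x'),('auth','INFO','login ok for admin"


def demo_vulnerable():
    conn = new_db()
    log_vulnerable(conn, EXFIL_PAYLOAD)
    log_vulnerable(conn, FORGE_PAYLOAD)
    return rows(conn)


def demo_parameterized():
    conn = new_db()
    log_parameterized(conn, EXFIL_PAYLOAD)
    log_parameterized(conn, FORGE_PAYLOAD)
    return rows(conn)


if __name__ == "__main__":
    for r in demo_vulnerable():
        print("vulnerable:   ", r)
    for r in demo_parameterized():
        print("parameterized:", r)
```

Running it shows three rows in the vulnerable case (the first carrying the admin API key, the third a forged "login ok" entry attributed to an `auth` logger that never logged anything) against two rows in the parameterized case, each containing the payload verbatim as inert text.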
What is the Impact of CVE-2022-23305?
Successful exploitation lets an attacker run unintended SQL against the database the appender writes to, leading to unauthorized reading, modification or deletion of data and to forged log entries. The blast radius is bounded by the privileges of the database account configured for the appender.
What is the Exploitability of CVE-2022-23305?
Exploitation requires a Log4j 1.2.x application configured to use the `JDBCAppender` with a `sql` parameter that contains a converter carrying attacker-influenced data (typically `%m`). Given that, complexity is low: the attacker supplies an SQL fragment in any input that ends up being logged, such as a form field, query parameter or request header. No authentication is needed when unauthenticated requests are logged; otherwise the attacker needs whatever access the application requires to reach a logged input. The attack works remotely and requires no privileges on the server, only the ability to produce a log event. One practical caveat: whether stacked statements (`'; DROP TABLE ...`) work depends on the JDBC driver and its settings, but injection that stays inside the single `INSERT` (string concatenation with a subquery, or closing the `VALUES` tuple to add rows) does not. The decisive constraint is the configuration; the highest-risk deployments are web applications that log user-supplied input straight to a database through this appender.
What are the Known Public Exploits?
| PoC Author | Link | Commentary | 
|---|---|---|
| HynekPetrak | Link | Fastest filesystem scanner for log4shell (CVE-2021-44228, CVE-2021-45046) and other vulnerable (CVE-2017-5645, CVE-2019-17571, CVE-2022-23305, CVE-2022-23307 ... ) instances of log4j library.... | 
| AlphabugX | Link | test: reverse junk-data injection, CVE-2022-23305 tool, exploitation, tutorial, Exploit POC | 
| tkomlodi | Link | CVE-2022-23305 Log4J JDBCAppender SQl injection POC | 
What are the Available Fixes for CVE-2022-23305?
Available Upgrade Options
- No fixed release of log4j:log4j 1.2.x exists. Log4j 1.x has been end of life since 2015, and the Apache advisory recommends migrating to Log4j 2, whose `JDBCAppender` uses parameterized queries. Until that migration is done, remove `org.apache.log4j.jdbc.JDBCAppender` from the Log4j configuration, or at minimum ensure its `sql` statement contains no converter fed from request data (`%m`, `%x`, `%X`).
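Because the only realistic mitigation is configuration, a practitioner will want to audit deployed Log4j 1.x configurations for the vulnerable pattern. The following added check (not from this page or from Log4j) scans `log4j.properties` and `log4j.xml` content for `JDBCAppender` declarations, extracts the `sql` statement, lists the PatternLayout converters it contains, and flags the appender when one of the converters that normally carries request-derived data (`%m`, `%x`, `%X`, an assumption made for this check) appears. The two sample configurations embedded below are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

JDBC_APPENDER = "org.apache.log4j.jdbc.JDBCAppender"

# Converters that normally carry request-derived data (assumption made for this check):
# %m message, %x NDC, %X MDC. Every converter is interpolated as raw text, but these are
# the ones an outside party can usually populate.
USER_DATA_CONVERTERS = {"m", "x", "X"}

# PatternLayout conversion specifier: %, optional format modifier (-5, .30, 20.30),
# one letter, optional {option}. The group captures the converter letter.
CONVERTER_RE = re.compile(r"%-?\d*(?:\.\d+)?([a-zA-Z])(?:\{[^}]*\})?")


def finding(name, sql):
    converters = CONVERTER_RE.findall(sql)
    risky = sorted({c for c in converters if c in USER_DATA_CONVERTERS})
    return {
        "appender": name,
        "sql": sql,
        "converters": converters,
        "user_data_converters": risky,
        "vulnerable": bool(risky),
    }


def audit_properties(text):
    """Scan log4j.properties: log4j.appender.<n>=<class> and log4j.appender.<n>.sql=<stmt>."""
    jdbc_names, sql_by_name = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")   # split on the first '=' only; SQL may contain '='
        key, value = key.strip(), value.strip()
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JDBC_APPENDER:
            jdbc_names.append(m.group(1))
            continue
        m = re.fullmatch(r"log4j\.appender\.([^.]+)\.sql", key, re.IGNORECASE)
        if m:
            sql_by_name[m.group(1)] = value
    return [finding(n, sql_by_name.get(n, "")) for n in jdbc_names]


def audit_xml(text):
    """Scan log4j.xml: <appender class="...JDBCAppender"><param name="sql" value="..."/>."""
    root = ET.fromstring(text)
    out = []
    for app in root.iter("appender"):
        if app.get("class") != JDBC_APPENDER:
            continue
        sql = next((p.get("value", "") for p in app.findall("param")
                    if p.get("name", "").lower() == "sql"), "")
        out.append(finding(app.get("name", "?"), sql))
    return out


# Constructed sample configurations, not real deployments.
SAMPLE_PROPERTIES = """\
# constructed sample
log4j.rootLogger=INFO, db, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:mysql://db.internal/audit
log4j.appender.db.user=log4j
log4j.appender.db.password=changeme
log4j.appender.db.sql=INSERT INTO LOGS (LOGGER, LEVEL, MESSAGE) VALUES ('%c','%-5p','%m')
"""

SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="audit" class="org.apache.log4j.jdbc.JDBCAppender">
    <param name="URL" value="jdbc:postgresql://db.internal/audit"/>
    <param name="sql" value="INSERT INTO AUDIT (TS, USR, MSG) VALUES ('%d{ISO8601}','%X{user}','%m')"/>
  </appender>
  <appender name="heartbeat" class="org.apache.log4j.jdbc.JDBCAppender">
    <param name="URL" value="jdbc:postgresql://db.internal/audit"/>
    <param name="sql" value="INSERT INTO HEARTBEAT (TS, LVL) VALUES ('%d{ISO8601}','%p')"/>
  </appender>
  <root><level value="info"/><appender-ref ref="audit"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for f in audit_properties(SAMPLE_PROPERTIES) + audit_xml(SAMPLE_XML):
        print(f"{f['appender']}: vulnerable={f['vulnerable']} converters={f['converters']}")
```

The `heartbeat` appender is reported but not flagged: it still runs the 1.2.x appender, but its statement only interpolates the timestamp and level, which an attacker does not control. Treat any `JDBCAppender` hit as a reason to migrate regardless, since the next configuration change can reintroduce `%m`.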
Additional Resources
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://logging.apache.org/log4j/1.2/index.html
- https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y
- https://security.netapp.com/advisory/ntap-20220217-0007/
- https://github.com/apache/logging-log4j1
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-23305
- http://www.openwall.com/lists/oss-security/2022/01/18/4
What are Similar Vulnerabilities to CVE-2022-23305?
Similar Vulnerabilities: CVE-2017-9801, CVE-2017-9791, CVE-2017-7659, CVE-2015-8103, CVE-2016-1000031
