CVE-2023-26464
Denial of Service vulnerability in log4j-core (Maven)
What is CVE-2023-26464 About?
This Denial of Service (DoS) vulnerability affects Apache Log4j 1.x when the Chainsaw or SocketAppender components are used on a JRE older than 1.7. An attacker can craft a deeply nested HashMap or Hashtable in a logging entry, leading to memory exhaustion during deserialization. This can crash the virtual machine, easily causing a DoS.
Affected Software
- org.apache.logging.log4j:log4j-core
  - >1.0.4, <2.0
- log4j:log4j
  - >1.0.4, <2.0
Technical Details
The vulnerability in Apache Log4j 1.x occurs when the Chainsaw or SocketAppender components are used with a JRE version less than 1.7. These components can deserialize Java objects that are part of logging events. An attacker can craft a malicious logging entry containing a deeply nested HashMap or Hashtable. When these deeply nested objects are deserialized, they consume an excessive amount of memory due to the recursive nature of their structure. This 'memory bomb' ultimately exhausts the Java Virtual Machine's heap space, causing an OutOfMemoryError and subsequently a Denial of Service (DoS) for the application using Log4j. The attack vector involves sending crafted logging input to an application configured with the vulnerable appenders.
What is the Impact of CVE-2023-26464?
Successful exploitation may allow attackers to exhaust system memory and achieve a denial of service, rendering the application unavailable.
What is the Exploitability of CVE-2023-26464?
Exploitation complexity is moderate, requiring the ability to submit specially crafted logging entries to an application that uses Log4j 1.x with either Chainsaw or SocketAppender and runs on a JRE older than 1.7. No authentication is required if the logging endpoint is reachable by an attacker. Privilege requirements are low, since supplying input is sufficient. The attack can be local or remote, depending on how the Log4j appenders are exposed. Key conditions are the vulnerable Log4j version, the specific appender configuration, and an outdated JRE. The risk lies primarily in unsupported legacy systems.
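As an added example (not code from the advisory or the Log4j project), the following Python triage script checks the three conditions this section lists: a log4j:log4j or log4j-core dependency inside the >1.0.4, <2.0 range in `mvn dependency:tree` output, a SocketAppender or Chainsaw-related appender in log4j.properties, and a JRE below 1.7. The dependency-tree and properties samples are constructed, and the "chainsaw" substring match is an assumption rather than a class name taken from the advisory.

```python
import re
# Affected coordinates and version range taken from the advisory: >1.0.4, <2.0.
AFFECTED_ARTIFACTS = {"log4j:log4j", "org.apache.logging.log4j:log4j-core"}
LOWER_EXCL, UPPER_EXCL = (1, 0, 4), (2, 0)
# `mvn dependency:tree` prints e.g. "[INFO] +- log4j:log4j:jar:1.2.17:compile".
DEP_LINE = re.compile(r"([\w.-]+):([\w.-]+):jar:([\w.-]+):")
# Appender classes the advisory names; "chainsaw" is a substring assumption.
RISKY_MARKERS = ("socketappender", "chainsaw")

def parse_version(text):
    """'1.2.17' -> (1, 2, 17); '1.6.0_45' -> (1, 6, 0, 45); qualifiers dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_affected(coordinate, version):
    """True when groupId:artifactId is in scope and 1.0.4 < version < 2.0."""
    return coordinate in AFFECTED_ARTIFACTS and LOWER_EXCL < parse_version(version) < UPPER_EXCL

def affected_dependencies(tree_output):
    """'group:artifact:version' for every dependency-tree line inside the range."""
    found = [m.groups() for m in map(DEP_LINE.search, tree_output.splitlines()) if m]
    return [":".join(g) for g in found if is_affected(f"{g[0]}:{g[1]}", g[2])]

def risky_appenders(properties_text):
    """(appender name, class) pairs from log4j.properties that match a marker."""
    hits = []
    for line in properties_text.splitlines():
        m = re.match(r"\s*log4j\.appender\.(\w+)\s*=\s*(\S+)\s*$", line)
        if m and any(k in m.group(2).lower() for k in RISKY_MARKERS):
            hits.append((m.group(1), m.group(2)))
    return hits

def java_is_legacy(java_version):
    """The advisory scopes the issue to JRE < 1.7, so '1.6.0_45' counts as legacy."""
    return parse_version(java_version) < (1, 7)

def triage(tree_output, properties_text, java_version):
    """Exposed only when all three advisory conditions hold at once."""
    deps, apps = affected_dependencies(tree_output), risky_appenders(properties_text)
    legacy = java_is_legacy(java_version)
    return {"deps": deps, "appenders": apps, "legacy_jre": legacy,
            "exposed": bool(deps and apps and legacy)}

# Constructed sample inputs, not taken from any real build or host.
SAMPLE_TREE = """[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile"""
SAMPLE_PROPERTIES = """log4j.rootLogger=INFO, SOCKET, FILE
log4j.appender.SOCKET=org.apache.log4j.net.SocketAppender
log4j.appender.SOCKET.RemoteHost=loghost.example
log4j.appender.FILE=org.apache.log4j.FileAppender"""
```

Calling `triage(SAMPLE_TREE, SAMPLE_PROPERTIES, "1.6.0_45")` flags the host as exposed; the same inputs with a 1.8 JRE are not, matching the JRE condition in the advisory.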
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-26464?
Available Upgrade Options
- log4j:log4j
  - >1.0.4, <2.0 → Upgrade to 2.0
- org.apache.logging.log4j:log4j-core
  - >1.0.4, <2.0 → Upgrade to 2.0
Additional Resources
- https://security.netapp.com/advisory/ntap-20230505-0008
- https://lists.apache.org/thread/wkx6grrcjkh86crr49p4blc1v1nflj3t
- https://github.com/apache/logging-log4j2
- https://nvd.nist.gov/vuln/detail/CVE-2023-26464
- https://osv.dev/vulnerability/GHSA-vp98-w2p3-mv35
What are Similar Vulnerabilities to CVE-2023-26464?
Similar Vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2022-23305, CVE-2022-23307
