CVE-2022-23302

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-23302
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.0 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:P

Exploitability : 6.8 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
http://www.openwall.com/lists/oss-security/2022/01/18/3 Mailing List Third Party Advisory
https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w Mailing List Mitigation Vendor Advisory
https://logging.apache.org/log4j/1.2/index.html Vendor Advisory
https://security.netapp.com/advisory/ntap-20220217-0006/ Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*

Configuration 3 (hide)

cpe:2.3:a:broadcom:brocade_sannav:-:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*

Configuration 5 (hide)

OR cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
History

24 Feb 2023, 15:30

Type Values Removed Values Added
References (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory
First Time Oracle communications Instant Messaging Server
Oracle communications Offline Mediation Controller
CPE cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*

25 Jul 2022, 18:21

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

16 Jun 2022, 15:40

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
References (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
First Time Oracle communications Unified Inventory Management
Oracle communications Eagle Ftp Table Base Retrieval
Oracle tuxedo
Oracle healthcare Foundation
Oracle identity Management Suite
Oracle mysql Enterprise Monitor
Oracle e-business Suite Cloud Manager And Cloud Backup Module
Oracle hyperion Data Relationship Management
Oracle weblogic Server
Oracle financial Services Revenue Management And Billing Analytics
Oracle business Intelligence
Oracle identity Manager Connector
Oracle communications Messaging Server
Oracle middleware Common Libraries And Tools
Oracle hyperion Infrastructure Technology
Oracle jdeveloper
Oracle enterprise Manager Base Platform
Oracle business Process Management Suite
Oracle advanced Supply Chain Planning
Oracle
Oracle communications Network Integrity

20 Apr 2022, 00:16

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

08 Apr 2022, 13:34

Type Values Removed Values Added
First Time Qos reload4j
Qos
CPE cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*

04 Mar 2022, 21:39

Type Values Removed Values Added
References (CONFIRM) https://security.netapp.com/advisory/ntap-20220217-0006/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20220217-0006/ - Third Party Advisory
References (MLIST) http://www.openwall.com/lists/oss-security/2022/01/18/3 - (MLIST) http://www.openwall.com/lists/oss-security/2022/01/18/3 - Mailing List, Third Party Advisory
CPE cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*
cpe:2.3:a:broadcom:brocade_sannav:-:*:*:*:*:*:*:*
First Time Netapp
Broadcom brocade Sannav
Netapp snapmanager
Broadcom

17 Feb 2022, 18:15

Type Values Removed Values Added
References
  • (MLIST) http://www.openwall.com/lists/oss-security/2022/01/18/3 -
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20220217-0006/ -

27 Jan 2022, 16:21

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : 6.0
v3 : 8.8
First Time Apache
Apache log4j
CPE cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
CWE CWE-502
References (MISC) https://logging.apache.org/log4j/1.2/index.html - (MISC) https://logging.apache.org/log4j/1.2/index.html - Vendor Advisory
References (MISC) https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w - (MISC) https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w - Mailing List, Mitigation, Vendor Advisory

18 Jan 2022, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2022-01-18 16:15

Updated : 2023-12-10 14:09

NVD link : CVE-2022-23302

Mitre link : CVE-2022-23302

CVE.ORG link : CVE-2022-23302

JSON object : View

Products Affected

oracle

  • communications_eagle_ftp_table_base_retrieval
  • healthcare_foundation
  • financial_services_revenue_management_and_billing_analytics
  • hyperion_data_relationship_management
  • advanced_supply_chain_planning
  • communications_offline_mediation_controller
  • identity_management_suite
  • jdeveloper
  • identity_manager_connector
  • weblogic_server
  • business_intelligence
  • business_process_management_suite
  • hyperion_infrastructure_technology
  • e-business_suite_cloud_manager_and_cloud_backup_module
  • mysql_enterprise_monitor
  • tuxedo
  • communications_unified_inventory_management
  • enterprise_manager_base_platform
  • communications_network_integrity
  • middleware_common_libraries_and_tools
  • communications_messaging_server
  • communications_instant_messaging_server

qos

  • reload4j

netapp

  • snapmanager

apache

  • log4j

broadcom

  • brocade_sannav
CWE
CWE-502

Deserialization of Untrusted Data