Amazon Linux Security Advisory ALAS-2023-1718
Published: Mar 30, 2023 - 10:50 p.m.

Important: log4j

alas.aws.amazon.com

CVSS2: 9.0
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.8 (Confidence: High)
EPSS: 0.012 (Percentile: 85.5%)

Issue Overview:

A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests; JMSSink is not used by a default Log4j 1.x setup. (CVE-2022-23302)

A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection through untrusted data, because the configured SQL template is filled in by PatternLayout text substitution and then executed as-is. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with interpolation tokens (for example %m) that carry attacker-controlled content. (CVE-2022-23305)

A flaw was found in the Log4j 1.x Chainsaw component, where the contents of certain log entries are deserialized and may permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the Chainsaw component is run. (CVE-2022-23307)
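The injection path in CVE-2022-23305 is easiest to see with the appender's behaviour reduced to its essentials. The following is an added example, not code from the advisory or from Log4j: it emulates in Python what the Log4j 1.x JDBCAppender does in Java (format a configured SQL template with PatternLayout conversion characters, then execute the resulting string), runs it against an in-memory SQLite database, and shows the parameterised form beside it. The SQL template, table names and the USERS contents are constructed for the example; the PatternLayout substitution is simplified to a plain replace of %p and %m.

```python
import sqlite3

# Log4j 1.x-style JDBCAppender configuration, constructed for this example.
# In log4j.properties this is the log4j.appender.<name>.sql value; %p and %m
# are the PatternLayout conversion characters for level and message.
SQL_PATTERN = "INSERT INTO LOGS (LEVEL, MESSAGE) VALUES ('%p', '%m')"


def format_pattern(pattern: str, level: str, message: str) -> str:
    """Stand-in for PatternLayout.format(): plain text substitution of the
    conversion characters. No quoting or escaping is applied, which is the
    root cause of the injection."""
    return pattern.replace("%p", level).replace("%m", message)


def vulnerable_append(conn: sqlite3.Connection, level: str, message: str) -> None:
    """Mirrors the JDBCAppender behaviour: the formatted SQL string is executed
    as-is, so a message containing a quote changes the statement."""
    conn.execute(format_pattern(SQL_PATTERN, level, message))


def safe_append(conn: sqlite3.Connection, level: str, message: str) -> None:
    """Hardened form: fixed SQL text, event fields bound as parameters, so the
    message is stored as data regardless of what it contains."""
    conn.execute("INSERT INTO LOGS (LEVEL, MESSAGE) VALUES (?, ?)", (level, message))


def new_db() -> sqlite3.Connection:
    """In-memory database with the log table and an unrelated table holding
    constructed sensitive data that the injected statement reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LOGS (LEVEL TEXT, MESSAGE TEXT)")
    conn.execute("CREATE TABLE USERS (NAME TEXT, PW_HASH TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('admin', 'constructed-hash')")  # constructed row
    return conn


# Attacker-controlled text that the application logs verbatim (for example a
# failed-login username). It closes the quoted %m value, appends a second
# VALUES row built from subselects, and uses `|| '` so that the template's
# trailing `')` still parses as an empty string concatenation.
PAYLOAD = ("login failed'), "
           "((SELECT NAME FROM USERS), (SELECT PW_HASH FROM USERS) || '")


def log_and_dump(append) -> list:
    """Log PAYLOAD once through the given appender and return the LOGS rows."""
    conn = new_db()
    append(conn, "INFO", PAYLOAD)
    return conn.execute("SELECT LEVEL, MESSAGE FROM LOGS ORDER BY rowid").fetchall()


if __name__ == "__main__":
    print("statement sent by the vulnerable appender:")
    print("  " + format_pattern(SQL_PATTERN, "INFO", PAYLOAD))
    print("vulnerable:", log_and_dump(vulnerable_append))
    print("hardened:  ", log_and_dump(safe_append))
```

With the vulnerable appender the single log call writes two rows, the second one copying the USERS table into the log table where anyone with read access to the logs can see it; the parameterised appender stores the payload as one literal message. The same substitution flaw applies to every token in the template, not only %m, so any event field an attacker can influence (MDC values, thread names, logger names) is an injection point.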

Affected Packages:

log4j

Issue Correction:
Run yum update log4j to update your system. The update replaces the packaged jar on disk only: restart any JVM that has the old log4j jar loaded so that it picks up the fixed classes, and note that applications shipping their own bundled Log4j 1.x jar are not covered by this package update.

New Packages:

noarch:  
    log4j-1.2.17-16.14.amzn1.noarch  
    log4j-javadoc-1.2.17-16.14.amzn1.noarch  
    log4j-manual-1.2.17-16.14.amzn1.noarch  
  
src:  
    log4j-1.2.17-16.14.amzn1.src  
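To confirm that a host is actually at or above the fixed build, the installed version-release must be compared with rpm's ordering rules, not as plain strings (16.9 sorts after 16.14 lexically). The following is an added example, not part of the advisory: it implements the common-case rpmvercmp segment comparison in Python, checks an installed log4j version-release against the fixed 1.2.17-16.14.amzn1, and optionally queries rpm on the local host. The rpm query format string is standard rpm syntax; the '~' and '^' pre-/post-release markers are deliberately not handled since Amazon Linux log4j releases do not use them.

```python
import re
import subprocess
from typing import Optional

# Fixed version-release of the noarch log4j package published in ALAS-2023-1718.
FIXED_LOG4J_VR = "1.2.17-16.14.amzn1"

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version or release strings.

    Follows librpm's rpmvercmp rules for the common case: split into numeric
    and alphabetic segments, ignore separators, a numeric segment beats an
    alphabetic one, numeric segments compare by value (leading zeros do not
    matter), and the string with segments left over wins. The '~' and '^'
    markers are not handled (assumption: not used by these packages).
    Returns -1 if a < b, 0 if equal, 1 if a > b.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        else:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def split_evr(evr: str):
    """'[epoch:]version-release' -> (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, sep, release = evr.partition("-")
    if not sep:
        raise ValueError(f"expected version-release, got {evr!r}")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Epoch first, then version, then release, exactly as rpm orders packages."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_vr: str, fixed_vr: str = FIXED_LOG4J_VR) -> bool:
    """True when the installed log4j is at or above the ALAS fixed build."""
    return evrcmp(installed_vr, fixed_vr) >= 0


def installed_log4j_vr() -> Optional[str]:
    """Query rpm on this host; returns None when log4j is not installed.
    If several builds are installed only the first listed one is returned."""
    proc = subprocess.run(
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}\n", "log4j"],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return None
    return proc.stdout.strip().splitlines()[0]


if __name__ == "__main__":
    vr = installed_log4j_vr()
    if vr is None:
        print("log4j rpm not installed; check separately for bundled log4j-1.x jars")
    else:
        state = "fixed" if is_fixed(vr) else "VULNERABLE"
        print(f"log4j-{vr}: {state} (fixed in {FIXED_LOG4J_VR})")
```

A negative result from the rpm check is not a clean bill of health: Java applications commonly ship log4j-1.2.x jars inside their own lib directories or fat jars, and those are unaffected by yum and need to be found and upgraded separately.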

Additional References

Red Hat: CVE-2022-23302, CVE-2022-23305, CVE-2022-23307

Mitre: CVE-2022-23302, CVE-2022-23305, CVE-2022-23307
