Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS-2023-1718

Related Vulnerabilities: CVE-2022-23302   CVE-2022-23305   CVE-2022-23307  

A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests. (CVE-2022-23302) A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens. (CVE-2022-23305) A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run. (CVE-2022-23307)

Source

ALAS-2023-1718

Amazon Linux AMI Security Advisory: ALAS-2023-1718
Advisory Release Date: 2023-03-30 22:50 Pacific
Advisory Updated Date: 2023-04-05 20:23 Pacific
Severity: Important
Issue Overview:

A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests. (CVE-2022-23302)

A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens. (CVE-2022-23305)

A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run. (CVE-2022-23307)


Affected Packages:

log4j


Issue Correction:
Run yum update log4j to update your system.

New Packages:
noarch:
    log4j-1.2.17-16.14.amzn1.noarch
    log4j-javadoc-1.2.17-16.14.amzn1.noarch
    log4j-manual-1.2.17-16.14.amzn1.noarch

src:
    log4j-1.2.17-16.14.amzn1.src

Additional References

Red Hat: CVE-2022-23302, CVE-2022-23305, CVE-2022-23307

Mitre: CVE-2022-23302, CVE-2022-23305, CVE-2022-23307

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started