CVE-2022-23305

CRITICAL

Apache Log4j 1.2.x - SQL Injection via JDBCAppender Message Converter

Title source: llm

Exploitation Summary

EIP tracks 3 public repositories for CVE-2022-23305, published by HynekPetrak, AlphabugX and tkomlodi. Only the tkomlodi repository is a working proof of concept: HynekPetrak's is a file-system scanner, and the AlphabugX repository contains no exploit code.

AI-analyzed exploit summary: a Python-based file system scanner for detecting vulnerable log4j instances, covering CVE-2017-5645 among others. It identifies log4j (1.x), reload4j (1.2.18+) and log4j-core (2.x) versions vulnerable to multiple CVEs.

Description

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter in which the values to be inserted are PatternLayout converters; the message converter, %m, is almost always among them. Because the formatted statement is executed as-is, an attacker who can get a crafted string logged (for example through an input field or request header of the application) can alter the SQL and cause unintended queries to run. This issue only affects Log4j 1.x when it is specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization of the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015; users should upgrade to Log4j 2, which also addresses numerous other issues from the previous versions.
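The following is an added Python model of the mechanism described above, not Log4j's own (Java) code: Log4j 1.2's JDBCAppender formats the configured `sql` string as a PatternLayout conversion pattern and hands the result to a raw JDBC statement, so whatever the application logs is spliced into the SQL text. The schema, the `LOGS`/`USERS` tables, the appender pattern and the two attacker-controlled messages are all constructed for the example; the parameterized variant shows the shape of the Log4j 2 fix (a fixed statement with the event fields bound as parameters). Both payloads stay inside a single INSERT, so the attack does not depend on a driver allowing stacked queries.

```python
import re
import sqlite3

# Constructed appender configuration, mirroring a typical log4j.properties:
#   log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
#   log4j.appender.db.sql=INSERT INTO LOGS VALUES ('%d','%c','%p','%m')
VULNERABLE_SQL_PATTERN = "INSERT INTO LOGS VALUES ('%d','%c','%p','%m')"
PARAMETERIZED_SQL = "INSERT INTO LOGS VALUES (?,?,?,?)"


def pattern_layout_format(pattern, event):
    """Minimal stand-in for Log4j 1.2's PatternLayout: replace %d/%c/%p/%m with
    event fields. Like the real layout it is plain text substitution with no
    knowledge that the surrounding text is SQL."""
    fields = {"d": event["ts"], "c": event["logger"], "p": event["level"], "m": event["message"]}
    return re.sub(r"%([dcpm])", lambda m: fields[m.group(1)], pattern)


def new_db():
    """Constructed sample schema: the log table plus an unrelated table holding
    data an attacker would like to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LOGS (ts TEXT, logger TEXT, level TEXT, msg TEXT)")
    conn.execute("CREATE TABLE USERS (name TEXT, password TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('admin', 's3cret-constructed')")
    return conn


def jdbc_appender_1x(conn, event):
    """Log4j 1.2 JDBCAppender behaviour: format the configured SQL with the event
    and run the result as one raw statement (Statement.executeUpdate)."""
    sql = pattern_layout_format(VULNERABLE_SQL_PATTERN, event)
    conn.execute(sql)
    return sql


def jdbc_appender_parameterized(conn, event):
    """Hardened form in the spirit of Log4j 2's JdbcAppender: the SQL text is
    fixed and the event fields travel as bound parameters."""
    params = (event["ts"], event["logger"], event["level"], event["message"])
    conn.execute(PARAMETERIZED_SQL, params)
    return PARAMETERIZED_SQL


def stored_messages(conn):
    return [row[0] for row in conn.execute("SELECT msg FROM LOGS ORDER BY rowid")]


# Two constructed attacker-controlled inputs, e.g. a URL parameter the
# application logs. The first reads another table into the log row
# (confidentiality); the second forges an extra log entry (integrity).
EXFIL_MESSAGE = "probe'||(SELECT password FROM USERS WHERE name='admin')||'"
FORGE_MESSAGE = "x'),('1970-01-01','forged','INFO','forged entry"


def _event(msg):
    return {"ts": "2022-01-18", "logger": "web", "level": "INFO", "message": msg}


def run_vulnerable():
    conn = new_db()
    for msg in (EXFIL_MESSAGE, FORGE_MESSAGE):
        jdbc_appender_1x(conn, _event(msg))
    return stored_messages(conn)  # the admin password lands in LOGS, plus a forged row


def run_hardened():
    conn = new_db()
    for msg in (EXFIL_MESSAGE, FORGE_MESSAGE):
        jdbc_appender_parameterized(conn, _event(msg))
    return stored_messages(conn)  # both payloads stored verbatim as inert text


if __name__ == "__main__":
    print("Log4j 1.2 style:", run_vulnerable())
    print("Parameterized:  ", run_hardened())
```

The vulnerable path stores three rows from two log calls, one of them containing the `USERS.password` value; the parameterized path stores exactly the two message strings it was given. Anyone who can read the log table (or the application's error output) gets the exfiltrated data, which is why the CVSS vector rates confidentiality, integrity and availability as high even though the appender is "only" logging.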

Exploits (3)

nomisec SCANNER 39 stars
by HynekPetrak · poc
https://github.com/HynekPetrak/log4shell-finder

This repository contains a Python-based file system scanner for detecting vulnerable log4j instances, including CVE-2017-5645. It identifies log4j (1.x), reload4j (1.2.18+), and log4j-core (2.x) versions vulnerable to multiple CVEs.

Classification
Scanner 100%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: log4j (1.x), reload4j (1.2.18+), log4j-core (2.x)
No auth needed
Prerequisites: Access to the file system to scan
devstral-2 · analyzed Feb 16, 2026
nomisec SUSPICIOUS 5 stars
by AlphabugX · poc
https://github.com/AlphabugX/CVE-2022-RCE

The repository claims to be a PoC for CVE-2022-23305 but contains an extensive list of unrelated CVEs (20550-21008) without any actual exploit code or technical details. The README appears to be a placeholder or spam.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: unspecified
No auth needed
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by tkomlodi · poc
https://github.com/tkomlodi/CVE-2022-23305_POC

This is a functional Spring Boot application demonstrating CVE-2022-23305, a Log4j JDBCAppender SQL injection vulnerability. It logs user input via a vulnerable JDBCAppender configuration, allowing arbitrary SQL injection through a URL parameter.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Apache Log4j (versions affected by CVE-2022-23305)
No auth needed
Prerequisites: Target application using Log4j with JDBCAppender configured · Network access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026
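The scanner listed above identifies log4j jar versions, but per the description the issue only bites when a 1.x deployment is actually configured to use the JDBCAppender. The following added Python check (not part of any of the listed repositories) reads a log4j.properties or log4j.xml and reports each appender whose class is `org.apache.log4j.jdbc.JDBCAppender`, the configured `sql` pattern, the PatternLayout converters it embeds and whether the message converter `%m` is among them. Both sample configurations are constructed; the parser is intentionally minimal (no `.properties` line continuations, no variable substitution) and is meant for triage, not as a replacement for reading the config.

```python
import re
import xml.etree.ElementTree as ET

JDBC_APPENDER_CLASS = "org.apache.log4j.jdbc.JDBCAppender"


def jdbc_appenders_in_properties(text):
    """Return {appender_name: sql_pattern} for every appender in a
    log4j.properties whose class is the Log4j 1.x JDBCAppender."""
    classes, sqls = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # log4j.appender.<name>            -> appender class
        # log4j.appender.<name>.<property> -> appender property (we want "sql")
        m = re.fullmatch(r"log4j\.appender\.([^.]+)(?:\.(\w+))?", key)
        if not m:
            continue
        name, prop = m.groups()
        if prop is None:
            classes[name] = value
        elif prop.lower() == "sql":
            sqls[name] = value
    return {n: sqls.get(n, "") for n, c in classes.items() if c == JDBC_APPENDER_CLASS}


def jdbc_appenders_in_xml(text):
    """Same result for a log4j.xml (<appender class=...><param name="sql" .../>)."""
    found = {}
    for app in ET.fromstring(text).iter("appender"):
        if app.get("class") != JDBC_APPENDER_CLASS:
            continue
        sql = ""
        for p in app.findall("param"):
            if p.get("name", "").lower() == "sql":
                sql = p.get("value", "")
        found[app.get("name")] = sql
    return found


def assess(appenders):
    """Any JDBCAppender on Log4j 1.x is affected; additionally report which
    converters are spliced into the SQL and whether %m (the logged message,
    the vector named in the advisory) is one of them."""
    report = {}
    for name, sql in appenders.items():
        converters = re.findall(r"%-?\d*\.?\d*([a-zA-Z])", sql)
        report[name] = {"sql": sql, "converters": converters, "includes_message": "m" in converters}
    return report


def audit_config(text):
    """Dispatch on file type: XML if the content starts with '<', else properties."""
    stripped = text.lstrip()
    appenders = jdbc_appenders_in_xml(stripped) if stripped.startswith("<") else jdbc_appenders_in_properties(text)
    return assess(appenders)


# Constructed sample configurations (hostnames and table names are made up).
SAMPLE_PROPERTIES = """
# constructed sample log4j.properties
log4j.rootLogger=INFO, console, db
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.console.layout.ConversionPattern=%d %p %c - %m%n
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:mysql://db.example.internal/app
log4j.appender.db.driver=com.mysql.jdbc.Driver
log4j.appender.db.user=log
log4j.appender.db.password=log
log4j.appender.db.sql=INSERT INTO LOGS VALUES ('%d{ISO8601}','%c','%p','%m')
"""

SAMPLE_XML = """<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="audit" class="org.apache.log4j.jdbc.JDBCAppender">
    <param name="URL" value="jdbc:postgresql://db.example.internal/audit"/>
    <param name="sql" value="INSERT INTO AUDIT (ts, msg) VALUES ('%d', '%m')"/>
  </appender>
  <appender name="file" class="org.apache.log4j.RollingFileAppender">
    <param name="File" value="app.log"/>
  </appender>
  <root><level value="INFO"/><appender-ref ref="audit"/><appender-ref ref="file"/></root>
</log4j:configuration>"""

if __name__ == "__main__":
    for label, cfg in (("properties", SAMPLE_PROPERTIES), ("xml", SAMPLE_XML)):
        print(label, audit_config(cfg))
```

A non-empty report means the deployment is in the configuration the advisory describes regardless of which converters appear; the `includes_message` flag just tells you the most common path (request data logged via `%m`) is open. Pair this with a jar-version check such as the scanner above, since a JDBCAppender entry in config is harmless if the classpath no longer carries Log4j 1.x.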

References (6)

Core references (6)
Vendor Advisory x_refsource_misc
https://logging.apache.org/log4j/1.2/index.html
Issue Tracking, Mailing List, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/01/18/4
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220217-0007/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 9.8
EPSS 0.0945
EPSS Percentile 93.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (45)
apache/log4j 1.2 - 1.2.17
Apache Software Foundation/Apache Log4j 1.x 1.2.1 - unspecified
Apache Software Foundation/Apache Log4j 1.x unspecified - 2.0-alpha1
broadcom/brocade_sannav
log4j/log4j 0 - 1.2.17 (Maven)
netapp/snapmanager (2 CPE variants)
oracle/advanced_supply_chain_planning 12.1
oracle/advanced_supply_chain_planning 12.2
oracle/business_intelligence 5.9.0.0.0
oracle/business_intelligence 12.2.1.3.0
... and 35 more
Published Jan 18, 2022
Tracked Since Feb 18, 2026