CVE-2022-23305

CRITICAL

Apache Log4j < 1.2.17 - SQL Injection

Title source: rule

Description

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Exploits (3)

nomisec SCANNER 39 stars
by HynekPetrak · poc
https://github.com/HynekPetrak/log4shell-finder
nomisec SUSPICIOUS 5 stars
by AlphabugX · poc
https://github.com/AlphabugX/CVE-2022-RCE
nomisec WORKING POC 1 stars
by tkomlodi · poc
https://github.com/tkomlodi/CVE-2022-23305_POC

References (6)

Scores

CVSS v3 9.8
EPSS 0.1156
EPSS Percentile 93.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (43)
apache/log4j 1.2 - 1.2.17
broadcom/brocade_sannav
log4j/log4j 0Maven
netapp/snapmanager (2 CPE variants)
oracle/advanced_supply_chain_planning 12.1
oracle/advanced_supply_chain_planning 12.2
oracle/business_intelligence 5.9.0.0.0
oracle/business_intelligence 12.2.1.3.0
oracle/business_intelligence 12.2.1.4.0
oracle/business_process_management_suite 12.2.1.3.0
... and 33 more
Published Jan 18, 2022
Tracked Since Feb 18, 2026