By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Log4j
APPApache1.2 – 1.2.17Broadcom Brocade Sannav
APPBroadcomwszystkie wersjeNetapp Snapmanager
APPNetappwszystkie wersjeOracle Advanced Supply Chain Planning
APPOracle12.112.2Oracle Business Intelligence
APPOracle12.2.1.3.012.2.1.4.05.9.0.0.0Oracle Business Process Management Suite
APPOracle12.2.1.3.012.2.1.4.0Oracle Communications Eagle Ftp Table Base Retrieval
APPOracle4.5Oracle Communications Instant Messaging Server
APPOracle10.0.1.5.0Oracle Communications Messaging Server
APPOracle8.1Oracle Communications Network Integrity
APPOracle7.3.6Oracle Communications Offline Mediation Controller
APPOracle12.0.0.5.0< 12.0.0.4.4Oracle Communications Unified Inventory Management
APPOracle7.4.17.4.2Oracle E Business Suite Cloud Manager And Cloud Backup Module
APPOracle2.2.1.1.1< 2.2.1.1.1Oracle E Business Suite Information Discovery
APPOracle12.2.3 – 12.2.11Oracle Enterprise Manager Base Platform
APPOracle13.4.0.013.5.0.0Oracle Financial Services Revenue Management And Billing Analytics
APPOracle2.7.0.02.7.0.12.8.0.0Oracle Healthcare Foundation
APPOracle8.1.0Oracle Hyperion Data Relationship Management
APPOracle< 11.2.8.0Oracle Hyperion Infrastructure Technology
APPOracle< 11.2.8.0Oracle Identity Management Suite
APPOracle12.2.1.3.012.2.1.4.0Oracle Identity Manager Connector
APPOracle11.1.1.5.0Oracle Jdeveloper
APPOracle12.2.1.3.0Oracle Middleware Common Libraries And Tools
APPOracle12.2.1.4.0Oracle MySQL Enterprise Monitor
APPOracle≤ 8.0.29Oracle Retail Extract Transform And Load
APPOracle13.2.5Oracle Tuxedo
APPOracle12.2.2.0.0Oracle Weblogic Server
APPOracle12.2.1.3.012.2.1.4.014.1.1.0.0Qos Reload4j
APPQos< 1.2.18.2
Powiązane podatności
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-defau...
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features u...
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....