CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2022-23305

CVSS 9.8v3.1pub. 2022-01-18upd. 2026-05-27

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Log4j

    APP
    Apache
    1.2 – 1.2.17
  • Broadcom Brocade Sannav

    APP
    Broadcom
    wszystkie wersje
  • Netapp Snapmanager

    APP
    Netapp
    wszystkie wersje
  • Oracle Advanced Supply Chain Planning

    APP
    Oracle
    12.112.2
  • Oracle Business Intelligence

    APP
    Oracle
    12.2.1.3.012.2.1.4.05.9.0.0.0
  • Oracle Business Process Management Suite

    APP
    Oracle
    12.2.1.3.012.2.1.4.0
  • Oracle Communications Eagle Ftp Table Base Retrieval

    APP
    Oracle
    4.5
  • Oracle Communications Instant Messaging Server

    APP
    Oracle
    10.0.1.5.0
  • Oracle Communications Messaging Server

    APP
    Oracle
    8.1
  • Oracle Communications Network Integrity

    APP
    Oracle
    7.3.6
  • Oracle Communications Offline Mediation Controller

    APP
    Oracle
    12.0.0.5.0< 12.0.0.4.4
  • Oracle Communications Unified Inventory Management

    APP
    Oracle
    7.4.17.4.2
  • Oracle E Business Suite Cloud Manager And Cloud Backup Module

    APP
    Oracle
    2.2.1.1.1< 2.2.1.1.1
  • Oracle E Business Suite Information Discovery

    APP
    Oracle
    12.2.3 – 12.2.11
  • Oracle Enterprise Manager Base Platform

    APP
    Oracle
    13.4.0.013.5.0.0
  • Oracle Financial Services Revenue Management And Billing Analytics

    APP
    Oracle
    2.7.0.02.7.0.12.8.0.0
  • Oracle Healthcare Foundation

    APP
    Oracle
    8.1.0
  • Oracle Hyperion Data Relationship Management

    APP
    Oracle
    < 11.2.8.0
  • Oracle Hyperion Infrastructure Technology

    APP
    Oracle
    < 11.2.8.0
  • Oracle Identity Management Suite

    APP
    Oracle
    12.2.1.3.012.2.1.4.0
  • Oracle Identity Manager Connector

    APP
    Oracle
    11.1.1.5.0
  • Oracle Jdeveloper

    APP
    Oracle
    12.2.1.3.0
  • Oracle Middleware Common Libraries And Tools

    APP
    Oracle
    12.2.1.4.0
  • Oracle MySQL Enterprise Monitor

    APP
    Oracle
    ≤ 8.0.29
  • Oracle Retail Extract Transform And Load

    APP
    Oracle
    13.2.5
  • Oracle Tuxedo

    APP
    Oracle
    12.2.2.0.0
  • Oracle Weblogic Server

    APP
    Oracle
    12.2.1.3.012.2.1.4.014.1.1.0.0
  • Qos Reload4j

    APP
    Qos
    < 1.2.18.2
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2022-22963CRITICAL9.8⚠ KEVten sam produkt

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...

CVE-2022-22965CRITICAL9.8⚠ KEVten sam produkt

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...

CVE-2021-45046CRITICAL9.0⚠ KEVten sam produkt

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-defau...

CVE-2021-44228CRITICAL10.0⚠ KEVten sam produkt

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features u...

CVE-2020-17530CRITICAL9.8⚠ KEVten sam produkt

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....