log4j v1 vulnerabilities (CVE-2022-23302 CVE-2022-23305 CVE-2022-23307)

WSO2 Products impacted: no

Customers actions required: no


REPORTED VULNERABILITY

  • CVE-2022-23302: JMSSink in log4j 1.x is vulnerable to deserialization of untrusted data.
  • CVE-2022-23305: JDBCAppender in log4j 1.2.x is vulnerable to an SQL injection flaw.
  • CVE-2022-23307: Chainsaw GUI feature in log4j 1.x is vulnerable to deserialization of untrusted data.

Info

This issue only affects Log4j 1.x when it is specifically configured to use JMSSink, JDBCAppender or Chainsaw, none of which is enabled by default.

WSO2 JUSTIFICATION

Exploitation of CVE-2022-23302, CVE-2022-23305 and CVE-2022-23307 requires the ability to modify the Log4j configuration files (log4j.xml / log4j.properties) and restart the WSO2 product, because these features are not enabled in WSO2 products by default. This in turn requires access to the server's file system with write permission to the relevant product configuration files. Therefore, it is unlikely that an external attacker could exploit CVE-2022-23302, CVE-2022-23305 or CVE-2022-23307.
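Because the exposure depends entirely on whether JMSSink, JDBCAppender or Chainsaw appear in the Log4j 1.x configuration, the practical check for a customer is to audit log4j.properties / log4j.xml for references to those components. The script below is an added example for this advisory, not WSO2 code: it assumes the standard Log4j 1.2 class names for the three components (org.apache.log4j.net.JMSSink, org.apache.log4j.jdbc.JDBCAppender and the org.apache.log4j.chainsaw package), ignores commented-out entries so that a disabled appender is not reported, and runs against constructed sample configurations rather than real product files.

```python
"""Audit Log4j 1.x configuration text for the components named in
CVE-2022-23302, CVE-2022-23305 and CVE-2022-23307.

Added example for this advisory (not WSO2 code). Assumption: the
class-name prefixes in RISKY_CLASSES are the standard Log4j 1.2 names.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Map of Log4j 1.2 class-name prefix -> the CVE it relates to (assumed names).
RISKY_CLASSES: Dict[str, str] = {
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.chainsaw": "CVE-2022-23307",
}

_XML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)


def _strip_comments(config_text: str) -> str:
    """Remove XML comments and '#'/'!' comment lines (log4j.properties syntax)
    so that a commented-out appender is not reported as active."""
    text = _XML_COMMENT.sub("", config_text)
    kept = [ln for ln in text.splitlines()
            if not ln.lstrip().startswith(("#", "!"))]
    return "\n".join(kept)


def find_risky_components(config_text: str) -> List[Tuple[str, str]]:
    """Return sorted (class prefix, CVE) pairs for every affected component
    referenced in the non-comment part of the configuration."""
    active = _strip_comments(config_text)
    hits = {(cls, cve) for cls, cve in RISKY_CLASSES.items() if cls in active}
    return sorted(hits)


def config_is_affected(config_text: str) -> bool:
    """True when the configuration enables at least one affected component."""
    return bool(find_risky_components(config_text))


def audit_files(paths: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Audit each file path and return a per-file list of findings."""
    return {p: find_risky_components(Path(p).read_text(encoding="utf-8"))
            for p in paths}


# Constructed sample configurations (not real WSO2 product files).
SAMPLE_PROPERTIES_DEFAULT = """\
log4j.rootLogger=INFO, CARBON_CONSOLE
log4j.appender.CARBON_CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CARBON_CONSOLE.layout=org.apache.log4j.PatternLayout
# log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender  (disabled, must not count)
"""

SAMPLE_PROPERTIES_MODIFIED = """\
log4j.rootLogger=INFO, CARBON_CONSOLE, DB
log4j.appender.CARBON_CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.URL=jdbc:placeholder://example
"""

SAMPLE_XML_MODIFIED = """\
<log4j:configuration>
  <!-- old entry, disabled:
       <appender name="jms" class="org.apache.log4j.net.JMSSink"/> -->
  <appender name="db" class="org.apache.log4j.jdbc.JDBCAppender">
    <param name="URL" value="jdbc:placeholder://example"/>
  </appender>
</log4j:configuration>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python audit_log4j1.py /path/to/log4j.properties [...]
        for path, findings in audit_files(sys.argv[1:]).items():
            print(path, "->", findings or "no affected components")
    else:
        for name, cfg in [("default", SAMPLE_PROPERTIES_DEFAULT),
                          ("modified properties", SAMPLE_PROPERTIES_MODIFIED),
                          ("modified xml", SAMPLE_XML_MODIFIED)]:
            print(name, "->", find_risky_components(cfg) or "no affected components")
```

A configuration that reports no affected components matches the default state the advisory describes; any finding means someone with write access to the configuration files has enabled one of the non-default components and the configuration should be reviewed.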

We will update this announcement if further actions are required.

REFERENCES