CVE-2022-23302: Apache Log4j 1.x remote code execution vulnerability alert

CVE-2022-23302

On January 18, Apache released a security bulletin that disclosed the deserialization of untrusted data in JMSSink vulnerability (CVE-2022-23302), which affected Apache Log4j 1.x version, and the official support and maintenance is no longer carried out.

CVE-2022-23302

Apache Log4j is a Java-based logging utility. Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback’s architecture.

JMSSink in all versions of Log4j 1.x is vulnerable to untrusted data deserialization when an attacker has permission to modify the Log4j configuration or the configuration references an LDAP service that the attacker has access to. An attacker could provide a TopicConnectionFactoryBindingName configuration and leverage JMSSink to perform JNDI requests to remotely execute code in a manner similar to CVE-2021-4104. Log4j is not affected by this vulnerability when configured by default.

Apache has stopped maintaining Log4j 1.x in 2015. Please upgrade to Log4j 2 for security fixes. If the users are temporarily unable to perform the upgrade operation, the following measures can be used to temporarily mitigate the CVE-2022-23302 flaw:

  • Comment out or delete the JMSSink in the Log4j configuration
  • Remove the JMSSink class file from the log4j jar using the following command:

    zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class

  • Restrict user access to the application platform to prevent attackers from modifying Log4j’s configuration.