CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1

Q: What is the severity of CVE-2022-23305?

CVE-2022-23305 is rated as a critical vulnerability due to the potential for remote SQL injection attacks.

Q: How do I fix CVE-2022-23305?

To mitigate CVE-2022-23305, update the Apache Log4j library to version 1.2.17 or greater.

Q: What types of applications are affected by CVE-2022-23305?

Applications using Apache Log4j 1.x with the JDBCAppender configured to accept untrusted data are vulnerable.

Q: Can I still use Apache Log4j after fixing CVE-2022-23305?

Yes, you can continue to use Apache Log4j as long as you update to the patched version and ensure proper validation of data.

Q: What are the implications of CVE-2022-23305 for database security?

CVE-2022-23305 poses serious risks as it allows attackers to execute arbitrary SQL queries on the database, potentially compromising sensitive data.

Published Jan 18, 2022

Updated

A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.

Other sources

Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.

— IBM

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converted from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.

Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs.

References:

https://www.openwall.com/lists/oss-security/2022/01/18/4

— Red Hat

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Affected Software

199 affected componentsFixes available

redhat/log4j<0:1.2.14-6.6.el6_10

0:1.2.14-6.6.el6_10

redhat/log4j<0:1.2.17-18.el7_4

0:1.2.17-18.el7_4

redhat/log4j<0:1.2.17-17.el7_3

0:1.2.17-17.el7_3

redhat/log4j-eap6<0:1.2.17-3.redhat_00008.1.ep6.el6

0:1.2.17-3.redhat_00008.1.ep6.el6

redhat/log4j-jboss-logmanager<0:1.1.4-3.Final_redhat_00002.1.ep6.el6

0:1.1.4-3.Final_redhat_00002.1.ep6.el6

redhat/jboss-as-appclient<0:7.5.24-2.Final_redhat_00001.1.ep6.el6