Daniel Martin

#23560 of 53,630
10 Total CVSS
Vulnerabilities · 1
PT-2022-7038
10
2022-01-10
Apache · Log4J · CVE-2022-23305
**Name of the Vulnerable Software and Affected Versions**

Log4j versions 1.2.x

**Description**

The issue lies in the JDBCAppender of Log4j 1.x, which accepts an SQL statement as a configuration parameter and substitutes logged values into it. Because the logged text is inserted into the statement unescaped, an attacker who can get crafted strings into input fields or headers that the application logs can alter the SQL and cause unintended queries to be executed. The problem only affects Log4j 1.x when it is specifically configured to use the JDBCAppender. Apache Log4j 1.2 reached end of life in August 2015.

**Recommendations**

For Log4j versions 1.2.x, upgrade to Log4j 2, which addresses numerous other issues from the previous versions and includes proper support for parameterized SQL queries and further customization of the columns written to in logs. As a temporary workaround, consider disabling the JDBCAppender until a patch is available or the upgrade to Log4j 2 is completed.
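As an added illustration of the mechanism and the fix described above (example code written for this entry, not Log4j's own code): the properties fragment and the log event are constructed, the audit helper `jdbc_appenders_splicing_log_data` is a hypothetical heuristic, and an in-memory SQLite table stands in for the JDBC target. `stored_messages(..., parameterized=False)` reproduces the 1.2 JDBCAppender's string substitution, while `parameterized=True` shows the Log4j 2 style bound-parameter insert that stores an apostrophe-bearing message verbatim.

```python
import re
import sqlite3

# Constructed Log4j 1.x properties fragment used as sample input (not from a real deployment).
SQL_TEMPLATE = "INSERT INTO logs (level, logger, message) VALUES ('%p', '%c', '%m')"
SAMPLE_PROPERTIES = f"""
log4j.rootLogger=INFO, db, file
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:mysql://dbhost/app
log4j.appender.db.sql={SQL_TEMPLATE}
log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.file.File=app.log
"""
EVENT = {"level": "INFO", "logger": "app.auth", "message": "user O'Brien signed in"}


def jdbc_appenders_splicing_log_data(properties_text):
    # Audit heuristic (hypothetical helper): JDBCAppenders whose SQL embeds
    # application-supplied fields (%m message, %x NDC, %X MDC) as literal text.
    appenders, sql_by_name = set(), {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"log4j\.appender\.(\w+)=org\.apache\.log4j\.jdbc\.JDBCAppender", line)
        if m:
            appenders.add(m.group(1))
        m = re.fullmatch(r"log4j\.appender\.(\w+)\.sql=(.*)", line)
        if m:
            sql_by_name[m.group(1)] = m.group(2)
    return sorted(n for n in appenders if re.search(r"%[mxX]", sql_by_name.get(n, "")))


def render_like_log4j1(sql_template, event):
    # Mimics the 1.2 JDBCAppender: PatternLayout conversion characters are replaced
    # with event fields and the result is handed to the driver with no escaping.
    fields = {"p": event["level"], "c": event["logger"], "m": event["message"]}
    return re.sub(r"%([pcm])", lambda mo: fields[mo.group(1)], sql_template)


def stored_messages(event, parameterized):
    # Write one event into a fresh in-memory table and return what was stored.
    # parameterized=False reproduces the 1.2 behaviour; True is the Log4j 2 style fix.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (level TEXT, logger TEXT, message TEXT)")
    if parameterized:
        conn.execute("INSERT INTO logs (level, logger, message) VALUES (?, ?, ?)",
                     (event["level"], event["logger"], event["message"]))
    else:
        conn.execute(render_like_log4j1(SQL_TEMPLATE, event))  # fails on a bare apostrophe
    return [row[0] for row in conn.execute("SELECT message FROM logs")]
```

Running the audit over a real `log4j.properties` flags only appenders that both use `org.apache.log4j.jdbc.JDBCAppender` and splice `%m`, `%x` or `%X` into their `sql` setting; the ordinary message with an apostrophe is enough to show that the substituted statement no longer parses while the parameterized insert stores it unchanged.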