Log4Cxx · CVE-2023-31038
**Name of the Vulnerable Software and Affected Versions**
Log4cxx versions 0.9.0 through 1.1.0
**Description**
The issue is a SQL injection in Log4cxx's ODBC appender, which sends log messages to a database. None of the fields sent to the database were escaped or bound as parameters, so logged values were placed directly into the SQL statement text. This has been the case since at least version 0.9.0. Log4cxx is a C++ framework, so only C++ applications are affected. Three preconditions must all hold for the vulnerability to be exploitable: Log4cxx is compiled with ODBC support, the ODBCAppender is enabled as a logging destination, and user-controlled input is logged at some point.
**Recommendations**
To resolve the issue, upgrade to version 1.1.0, which properly binds the parameters to the SQL statement, or migrate to the new DBAppender class, which supports an ODBC connection in addition to other databases. Note that this fix requires a configuration file update: old configuration files will no longer configure the appender correctly. Update the configuration file to use the new ColumnMapping parameters; for example, change the sql value from "INSERT INTO logs (message) VALUES ('%m')" to "INSERT INTO logs (message) VALUES (?)" and add a ColumnMapping parameter with the value "message".
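The following C++ example is added here and is not Log4cxx code. It models the two statement-building strategies the advisory contrasts: the pre-fix approach, where the %m conversion pattern is substituted into the SQL text, and the fixed approach, where the SQL text stays constant and each ColumnMapping supplies a bound parameter. It also includes a small configuration audit for an appender's sql value and a migration helper for the exact "'%m'" to "?" plus ColumnMapping "message" change described above. The struct names, the representation of a logging event as a name/value map, and the sample log message are assumptions made for the example; only "message" as a ColumnMapping value comes from the advisory.

```cpp
// Added example (not Log4cxx source): contrasts interpolation of log data into
// SQL text with parameter binding, and audits an ODBC appender configuration.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Assumed model of the appender configuration discussed in the advisory:
// the "sql" parameter plus the ordered list of ColumnMapping values.
struct OdbcAppenderConfig {
    std::string sql;
    std::vector<std::string> columnMappings;
};

// A statement as it would be handed to a driver: fixed SQL text plus the
// values bound to its "?" placeholders, in order.
struct BoundStatement {
    std::string sql;
    std::vector<std::string> params;
};

// Pre-fix behaviour (illustrative): every %m in the template is replaced by
// the raw message, so message text becomes part of the statement itself.
std::string renderByInterpolation(const std::string& sqlTemplate, const std::string& message) {
    std::string out = sqlTemplate;
    std::string::size_type pos = 0;
    while ((pos = out.find("%m", pos)) != std::string::npos) {
        out.replace(pos, 2, message);
        pos += message.size();  // skip past the inserted text
    }
    return out;
}

// Counts single quotes in rendered SQL; an odd count shows that the data
// itself terminated a string literal, which is the root of the injection.
std::size_t countSingleQuotes(const std::string& sql) {
    std::size_t n = 0;
    for (char c : sql) if (c == '\'') ++n;
    return n;
}

// Fixed behaviour (illustrative): the SQL text is never touched; each
// ColumnMapping name selects an event attribute to bind as a parameter.
bool renderWithBinding(const OdbcAppenderConfig& cfg,
                       const std::map<std::string, std::string>& event,
                       BoundStatement& out) {
    out.sql = cfg.sql;
    out.params.clear();
    for (const std::string& column : cfg.columnMappings) {
        auto it = event.find(column);
        if (it == event.end()) return false;  // unknown ColumnMapping value
        out.params.push_back(it->second);
    }
    return true;
}

// Configuration audit: a sql value that still carries a conversion pattern
// such as %m or %c is interpolating log data instead of binding it.
bool usesUnsafeInterpolation(const std::string& sql) {
    for (std::size_t i = 0; i + 1 < sql.size(); ++i) {
        if (sql[i] == '%' && std::isalpha(static_cast<unsigned char>(sql[i + 1]))) return true;
    }
    return false;
}

std::size_t countPlaceholders(const std::string& sql) {
    std::size_t n = 0;
    for (char c : sql) if (c == '?') ++n;
    return n;
}

// Safe only if nothing is interpolated and every "?" has a ColumnMapping.
bool configIsSafe(const OdbcAppenderConfig& cfg) {
    return !usesUnsafeInterpolation(cfg.sql)
        && !cfg.columnMappings.empty()
        && countPlaceholders(cfg.sql) == cfg.columnMappings.size();
}

// Migration helper for the change the advisory describes: the quoted '%m'
// becomes "?" and the ColumnMapping "message" is added. Any other pattern is
// left in place, and the returned audit result tells the operator so.
bool migrateLegacySql(const std::string& legacySql, OdbcAppenderConfig& out) {
    out.sql = legacySql;
    out.columnMappings.clear();
    std::string::size_type pos = out.sql.find("'%m'");
    if (pos != std::string::npos) {
        out.sql.replace(pos, 4, "?");
        out.columnMappings.push_back("message");
    }
    return configIsSafe(out);
}

int main() {
    // Constructed sample: an ordinary message containing an apostrophe.
    const std::string legacySql = "INSERT INTO logs (message) VALUES ('%m')";
    const std::string message = "login for user O'Brien";
    const std::string interpolated = renderByInterpolation(legacySql, message);
    std::cout << interpolated << "\n  single quotes: " << countSingleQuotes(interpolated)
              << " (odd count: the literal was broken by log data)\n";

    OdbcAppenderConfig fixed;
    migrateLegacySql(legacySql, fixed);
    BoundStatement stmt;
    renderWithBinding(fixed, {{"message", message}}, stmt);
    std::cout << stmt.sql << "\n  bound parameter 1: " << stmt.params[0] << "\n";
    return 0;
}
```

The apostrophe in the constructed message is enough to leave the interpolated statement with an odd number of quotes, which is why escaping individual fields was never a complete answer; with binding the statement text is identical for every event and the message travels as data. The audit functions are the check to run over an existing configuration before and after upgrading: a sql value that still contains a conversion pattern has not been migrated.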