PT-2022-1423 · Apache · Log4J
Published: 2022-01-10 · Updated: 2026-05-27
CVE-2022-23302
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Log4j versions 1.x
Description
The issue is a deserialization of untrusted data in the JMSSink component of Log4j 1.x. It can lead to remote code execution when the attacker has write access to the Log4j configuration or controls an LDAP service referenced by that configuration: a specially crafted TopicConnectionFactoryBindingName value causes JMSSink to perform JNDI lookups, and the result of those lookups is deserialized. The issue only affects Log4j 1.x when it is specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015.
Recommendations
For Log4j versions 1.x, upgrade to Log4j 2, which addresses this and numerous other issues in the previous versions. As a temporary workaround, disable the use of JMSSink until a patch is available. Restrict access to the Log4j configuration to minimize the risk of exploitation, and avoid using the TopicConnectionFactoryBindingName configuration in the affected Log4j 1.x versions until the issue is resolved.
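An audit check for the configuration this advisory tells you to avoid, added here as an example and not part of the advisory or of Log4j itself. The JNDI binding names involved (TopicConnectionFactoryBindingName, TopicBindingName, ProviderURL) are set as JMSAppender properties in a Log4j 1.x properties file and passed to JMSSink as command-line arguments; this check covers the properties-file side, reporting each JMS appender with those settings and flagging an LDAP provider URL. The parser, the function names and the sample configuration are constructed for this example.

```python
import re

# Log4j 1.x classes whose JMS settings are resolved through JNDI lookups.
JMS_CLASSES = {"org.apache.log4j.net.JMSAppender", "org.apache.log4j.net.JMSSink"}
# JMSAppender properties that carry JNDI binding names or the JNDI provider URL.
JNDI_KEYS = ("TopicConnectionFactoryBindingName", "TopicBindingName", "ProviderURL")


def parse_properties(text):
    """Minimal log4j.properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_log4j1_config(text):
    """Return one finding per JMS appender: its JNDI settings and whether the
    provider URL points at LDAP, the case the advisory calls out."""
    props = parse_properties(text)
    # Log4j 1.x matches property names case-insensitively, so compare lowered keys.
    lowered = {k.lower(): v for k, v in props.items()}
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not m or value not in JMS_CLASSES:
            continue
        name = m.group(1)
        prefix = f"log4j.appender.{name}.".lower()
        settings = {k: lowered[prefix + k.lower()] for k in JNDI_KEYS
                    if prefix + k.lower() in lowered}
        ldap = settings.get("ProviderURL", "").lower().startswith("ldap")
        findings.append({"appender": name, "class": value,
                         "settings": settings, "ldap_provider": ldap})
    return findings


# Constructed sample: a Log4j 1.x config that routes events to JMS through an
# LDAP JNDI provider, i.e. exactly the configuration the recommendations warn about.
SAMPLE_CONFIG = """
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.sun.jndi.ldap.LdapCtxFactory
log4j.appender.jms.ProviderURL=ldap://directory.example.internal:389
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.TopicBindingName=log4jTopic
"""
```

Running `audit_log4j1_config(SAMPLE_CONFIG)` yields a single finding for the `jms` appender with `ldap_provider` set; a config containing only a ConsoleAppender yields an empty list.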
Fix · RCE · Deserialization of Untrusted Data
Related Identifiers
Affected Products
Almalinux
Astra Linux
Centos
Jira
Linuxmint
Log4J
Red Hat
Rocky Linux
Suse
Ubuntu