PT-2022-7038 · Apache · Log4J
Daniel Martin · Published 2022-01-10 · Updated 2026-05-27
CVE-2022-23305
| CVSS v2.0 | 10 (Critical) |
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Log4j versions 1.2.x
Description
The issue lies in the JDBCAppender of Log4j 1.x, which accepts an SQL statement as a configuration parameter and substitutes the logged values, including the message text, directly into that statement before executing it. An attacker can therefore manipulate the SQL by entering crafted strings into input fields or headers of an application that end up being logged, causing unintended SQL queries to be executed. The problem only affects Log4j 1.x when it is specifically configured to use the JDBCAppender. Apache Log4j 1.2 reached end of life in August 2015.
Recommendations
For Log4j versions 1.2.x, upgrade to Log4j 2: it addresses numerous other issues from the previous versions and, in this case, provides proper support for parameterized SQL queries and finer control over which columns are written to the log table.
As a temporary workaround, disable the JDBCAppender until a patch is available or the upgrade to Log4j 2 is completed.
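As an added illustration (not part of this advisory), the Log4j 1.x JDBCAppender configuration that carries this weakness is shown next to the Log4j 2 JDBC appender that replaces it; the connection details and the ConnectionFactory class are placeholders.

```xml
<!-- Log4j 1.x (log4j.xml): the whole INSERT is a PatternLayout pattern.
     %m is expanded to the raw log message and the resulting string is
     executed as a single SQL statement, so message text becomes SQL text. -->
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="DB" class="org.apache.log4j.jdbc.JDBCAppender">
    <param name="URL" value="jdbc:PLACEHOLDER_URL"/>
    <param name="driver" value="PLACEHOLDER_DRIVER_CLASS"/>
    <param name="user" value="PLACEHOLDER_USER"/>
    <param name="password" value="PLACEHOLDER_PASSWORD"/>
    <!-- weak setting: logged values are concatenated into the statement -->
    <param name="sql"
           value="INSERT INTO LOGS (EVENT_DATE, LEVEL, LOGGER, MESSAGE) VALUES ('%d','%p','%c','%m')"/>
  </appender>
  <root>
    <level value="info"/>
    <appender-ref ref="DB"/>
  </root>
</log4j:configuration>

<!-- Log4j 2 (log4j2.xml): every column has its own pattern; each value is
     rendered separately and bound as a PreparedStatement parameter, so the
     message can never alter the structure of the INSERT. -->
<Configuration status="warn">
  <Appenders>
    <JDBC name="DB" tableName="LOGS">
      <!-- placeholder factory class; its static method returns a java.sql.Connection -->
      <ConnectionFactory class="com.example.LogConnectionFactory" method="getConnection"/>
      <Column name="EVENT_DATE" isEventTimestamp="true"/>
      <Column name="LEVEL" pattern="%level"/>
      <Column name="LOGGER" pattern="%logger"/>
      <Column name="MESSAGE" pattern="%message" isClob="true"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="DB"/>
    </Root>
  </Loggers>
</Configuration>
```

Until the upgrade is complete, the workaround above amounts to removing the `appender-ref` to the JDBCAppender from every logger in the Log4j 1.x configuration (or deleting the appender entirely).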
Exploit
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Almalinux
Astra Linux
Centos
Jira
Linuxmint
Log4J
Red Hat
Rocky Linux
Suse
Ubuntu