Apache log4j Deserialization and SQL Injection Vulnerability (CVE-2022-23302/CVE-2022-23305/CVE-2022-23307) Alert

January 26, 2022 | Jie Ji

Overview

On January 19, NSFOCUS CERT detected that Apache had released a security bulletin disclosing three Log4j vulnerabilities. All three affect Apache Log4j 1.x, which is no longer officially supported or maintained. Affected users should take protective measures as soon as possible.

Apache log4j JMSSink Deserialization Code Execution Vulnerability (CVE-2022-23302):

JMSSink in all versions of Log4j 1.x is vulnerable to untrusted data deserialization when an attacker has permission to modify the Log4j configuration or the configuration references an LDAP service that the attacker has access to. An attacker can provide a TopicConnectionFactoryBindingName configuration and leverage JMSSink to perform JNDI requests to remotely execute code in a manner similar to CVE-2021-4104. Log4j is not affected by this vulnerability when configured by default.

Apache log4j JDBCAppender SQL Injection Vulnerability (CVE-2022-23305):

JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter, and PatternLayout's message converter does not filter the values inserted into that statement. An attacker can manipulate the SQL by placing specially constructed strings into input that the application logs, thereby executing illegal SQL queries. Log4j is not affected by this vulnerability when configured by default.
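The mechanism described above, shown as an added example that is not code from Log4j or from NSFOCUS: a Python and SQLite simulation of a statement pattern with the message pasted in, next to the same insert done with a bound parameter. The table, column names and log message are constructed for illustration.

```python
import sqlite3

# Constructed stand-in for a JDBCAppender "sql" setting; %m is the PatternLayout
# conversion for the log message. Table and column names are hypothetical.
SQL_PATTERN = "INSERT INTO logs (level, msg) VALUES ('INFO', '%m')"

def new_db():
    """Create an empty in-memory log table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logs (level TEXT, msg TEXT)")
    return db

def log_by_substitution(db, message):
    """Flawed form: the message text is pasted into the SQL statement itself."""
    db.execute(SQL_PATTERN.replace("%m", message))

def log_with_binding(db, message):
    """Hardened form: the message is a bound parameter, never parsed as SQL."""
    db.execute("INSERT INTO logs (level, msg) VALUES ('INFO', ?)", (message,))

def rows(db):
    return db.execute("SELECT level, msg FROM logs ORDER BY rowid").fetchall()

# Constructed log message whose quote characters end the string literal early.
CRAFTED = "login failed'), ('FATAL', 'row the application never logged"

def compare(message=CRAFTED):
    """Log the same message both ways and return the rows each table holds."""
    flawed, hardened = new_db(), new_db()
    log_by_substitution(flawed, message)
    log_with_binding(hardened, message)
    return rows(flawed), rows(hardened)

if __name__ == "__main__":
    flawed_rows, hardened_rows = compare()
    print("substitution:", flawed_rows)
    print("binding:     ", hardened_rows)
```

With substitution the single log call produces two rows, one of which the application never wrote; with binding the whole message is stored as one value.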

Apache log4j Chainsaw Deserialization Code Execution Vulnerability (CVE-2022-23307):

There is a deserialization problem in Chainsaw, the log viewer in Log4j 1.2.x, which may cause arbitrary code execution. The vulnerability was previously named CVE-2020-9493, and the official Apache Chainsaw 2.1.0 version has been released to fix it. Log4j is not configured to use Chainsaw by default.

Chainsaw v2 is a supporting application for Log4j written by members of the Log4j development community. It is a GUI-based log viewer that can read log files in Log4j’s XMLLayout format.

Reference links:

https://www.mail-archive.com/announce@apache.org/msg07040.html

https://www.mail-archive.com/announce@apache.org/msg07041.html

https://www.mail-archive.com/announce@apache.org/msg07042.html

Scope of Impact

Affected versions

  • Apache Log4j 1.x
  • Apache Chainsaw < 2.1.0

Unaffected versions

  • Apache Log4j 2.x

Vulnerability Detection

Manual detection

Users of Log4j 1.x can check whether JMSSink, JDBCAppender, or Chainsaw is configured for use. If so, the corresponding security risks apply.
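One way to automate this check, as an added example that is not a tool from NSFOCUS or Apache: a Python scan of Log4j 1.x properties or XML configuration text that ignores commented-out entries. Matching Chainsaw by its package prefix is a heuristic assumption, and both sample configurations are constructed.

```python
import re

# Class names the advisory ties to each CVE. The Chainsaw entry matches on the
# package prefix, which is a heuristic assumption, not an official signature.
RISKY = {
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.chainsaw.": "CVE-2022-23307",
}

def strip_comments(text, is_xml):
    """Blank out commented-out config while keeping line numbers stable."""
    if is_xml:
        return re.sub(r"<!--.*?-->", lambda m: "\n" * m.group().count("\n"),
                      text, flags=re.DOTALL)
    # .properties comments start with '#' or '!' as the first non-blank char
    return "\n".join("" if line.lstrip().startswith(("#", "!")) else line
                     for line in text.splitlines())

def scan_config(text, is_xml=False):
    """Return (line_number, cve, class_name) for each active risky reference."""
    hits = []
    for number, line in enumerate(strip_comments(text, is_xml).splitlines(), 1):
        for name, cve in RISKY.items():
            if name in line:
                hits.append((number, cve, name))
    return hits

# Constructed sample inputs, not taken from any real deployment.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, FILE, DB
log4j.appender.FILE=org.apache.log4j.FileAppender
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.sql=INSERT INTO logs VALUES('%d','%m')
# log4j.appender.OLD=org.apache.log4j.jdbc.JDBCAppender
"""

SAMPLE_XML = """\
<log4j:configuration>
  <!-- disabled appender:
  <appender name="DB" class="org.apache.log4j.jdbc.JDBCAppender"/>
  -->
  <appender name="OUT" class="org.apache.log4j.ConsoleAppender"/>
</log4j:configuration>
"""

if __name__ == "__main__":
    print(scan_config(SAMPLE_PROPERTIES), scan_config(SAMPLE_XML, is_xml=True))
```

An empty result only means the scanned text has no active reference; configuration loaded from another file or set programmatically is outside what this check sees.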

Mitigation

Official upgrade

Apache stopped maintaining Log4j 1.x in 2015. Please upgrade to Log4j 2 to obtain security fixes. For migration instructions, refer to the official documentation:

https://logging.apache.org/log4j/2.x/manual/migration.html

Because multiple high-risk vulnerabilities have recently been disclosed in Log4j 2, upgrading to one of the following secure versions is recommended:

  • Apache Log4j 2.17.1-rc1 (same as 2.17.1 stable)
  • Apache Log4j 2.12.4-rc1 (same as 2.12.4 stable)
  • Apache Log4j 2.3.2-rc1 (same as 2.3.2 stable)

Note: 2.17.1 supports Java 8 and above, 2.12.4 supports Java 7, and 2.3.2 supports Java 6.

Official download link:

https://logging.apache.org/log4j/2.x/download.html

https://github.com/apache/logging-log4j2/tags

The Apache log4j Chainsaw deserialization code execution vulnerability (CVE-2022-23307) can also be fixed by upgrading Apache Chainsaw to the latest version. Official download link: https://logging.apache.org/chainsaw/2.x/download.html

Other mitigation

If users are temporarily unable to upgrade, the following measures can be used to temporarily mitigate the above vulnerabilities:

Apache log4j JMSSink Deserialization Code Execution Vulnerability (CVE-2022-23302) Temporary Protection:

1) Comment out or delete the JMSSink in the Log4j configuration.

2) Use the following command to delete the JMSSink class file from the log4j jar:

zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class

3) Restrict system users’ access to the application platform to prevent attackers from modifying Log4j’s configuration.
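To confirm that step 2 took effect everywhere, the following added example (not part of the original advisory or of Log4j) lists every remaining copy of the class file, including copies inside jars bundled in a WAR or EAR. The archive names in the demo are constructed, and the archives are built in memory.

```python
import io
import zipfile

# Entry path taken from the zip command in step 2.
JMSSINK = "org/apache/log4j/net/JMSSink.class"
NESTED = (".jar", ".war", ".ear")

def find_jmssink(archive, prefix=""):
    """List every location of JMSSink.class, descending into nested archives."""
    found = []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            if name == JMSSINK or name.endswith("/" + JMSSINK):
                found.append(prefix + name)
            elif name.lower().endswith(NESTED):
                inner = io.BytesIO(zf.read(name))
                if zipfile.is_zipfile(inner):
                    found += find_jmssink(inner, prefix + name + "!/")
    return found

def make_archive(entries):
    """Build an in-memory archive from {entry_name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf

def demo():
    """A constructed WAR bundling one untouched and one stripped Log4j jar."""
    untouched = make_archive({JMSSINK: b"", "org/apache/log4j/Logger.class": b""})
    stripped = make_archive({"org/apache/log4j/Logger.class": b""})
    war = make_archive({
        "WEB-INF/lib/log4j-untouched.jar": untouched.getvalue(),
        "WEB-INF/lib/log4j-stripped.jar": stripped.getvalue(),
    })
    return find_jmssink(war), find_jmssink(stripped)

if __name__ == "__main__":
    print(demo())
```

`find_jmssink` also accepts a file path, so it can be pointed at a deployed jar or WAR directly.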

Apache log4j JDBCAppender SQL Injection Vulnerability (CVE-2022-23305) Temporary Protection:

Remove usage of JDBCAppender from Log4j’s configuration file.

Apache log4j Chainsaw Deserialization Code Execution Vulnerability (CVE-2022-23307) Temporary Protection:

Do not configure Chainsaw to read serialized log events. Other receivers can be used, such as XMLSocketReceiver.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
