forked from jtsmith2020/verademo-java
Status: Open
Labels: Severity: High (High severity); Veracode Dependency Scanning (A Veracode identified vulnerability)
Description
Veracode Software Composition Analysis
| Attribute | Details |
|---|---|
| Library | Apache Log4j |
| Description | Apache Log4j 1.2 |
| Language | JAVA |
| Vulnerability | Deserialization of Untrusted Object |
| Vulnerability description | JMSSink in log4j 1.x is vulnerable to deserialization of untrusted objects. The insecure use of JNDI in JMSSink allows an attacker to place a malicious object in an LDAP store if that store is accessible to the attacker or the application is configured to use an untrusted site, leading to remote code execution. Note: this vulnerability only affects applications specifically configured to use JMSSink, which is not the default. |
| CVE | CVE-2022-23302 |
| CVSS score | 6 |
| Vulnerability present in version/s | 1.1.3-1.2.17 |
| Found library version/s | 1.2.17 |
| Vulnerability fixed in version | |
| Library latest version | 1.2.17 |
| Fix | No fix is released. Users should upgrade to Log4j 2 or remove usage of the JMSSink from their configurations. |