External risk intelligence

Log4j allows attackers to run unauthorized commands by exploiting a specific logging feature.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2022-23305

An external attacker can exploit a Log4j vulnerability to execute unauthorized SQL commands, potentially stealing or altering sensitive business data. This matters because it could lead to unauthorized access or compromise the integrity of your company's information.

3Halo Surface Signal

SQL Injection

Apache Log4j

1.2 to 1.2.17before 1.2.18.212.112.25.9.0.0.012.2.1.3.012.2.1.4.04.510.0.1.5.08.17.3.6before 12.0.0.4.412.0.0.5.07.4.17.4.2before 2.2.1.1.12.2.1.1.112.2.3 to 12.2....

External exposure likelihood

Halo Surface Signal score for CVE-2022-23305

The vulnerability exists only when the specific JDBCAppender component is manually enabled in a Log4j 1.2 configuration, which is not a default setting. While internet-facing web applications commonly log user input, the exploitability depends on this non-default, opt-in logging configuration. Public exposure is possible where this specific, non-standard component is active in a web-facing deploy…

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows an attacker to execute arbitrary SQL commands by sending specially crafted input to applications that use a specific, non-default configuration of the Log4j 1.2 logging library. This can lead to unauthorized data access or modification.

Enables arbitrary SQL execution.
Affects only custom Log4j configurations.
Log4j 1.2 is end-of-life software.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted input to an application that logs to a Log4j 1.2 JDBCAppender. If this appender is configured to accept SQL statements and logs user-controlled data, an attacker can inject malicious SQL, potentially leading to database compromise.

Requires specific configuration.
Targets input fields or headers.
Uses Log4j 1.2.x.

Live Threat

Current exploitation, exposure, and threat context

Attackers are likely to target this vulnerability due to its critical severity and the potential for widespread impact if exploited. While the vulnerability is present in an older, end-of-life version of Log4j, many systems may still be running it, especially since the affected component, JDBCAppender, requires specific configuration. The ease of injecting malicious SQL via logged input makes this an attractive target for data exfiltration or manipulation.

Exploitation requires specific configuration.
No public exploits observed.
Older Log4j version.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate assessment and containment of any systems using Apache Log4j 1.2.x, especially if the JDBCAppender is configured, as this critical vulnerability allows for remote code execution via crafted input. Given that Log4j 1.2 is end-of-life, focus on upgrading to Log4j 2 or implementing application-level input validation and network segmentation to mitigate exploitation risks.

Identify and disable the JDBCAppender.
Isolate vulnerable services from the network.
Upgrade to Log4j 2.

Frequently asked questions

What is Apache Log4j 1.2.x and what is it used for?

Apache Log4j 1.2.x is a logging framework for Java applications. It helps developers record events, errors, and other operational information within their software. The JDBCAppender, a specific component within Log4j 1.2.x, allows log data to be written to a database using SQL statements. This feature is not enabled by default and requires manual configuration.

How does CVE-2022-23305 exploit Log4j 1.2.x?

CVE-2022-23305 is a SQL injection vulnerability (CWE-89) in Log4j 1.2.x. When the JDBCAppender is configured to accept SQL statements and uses message converters, an attacker can send specially crafted input. This input manipulates the SQL query that the application attempts to execute, potentially leading to unintended database operations.

What specific conditions are needed for an attacker to exploit this Log4j vulnerability?

An attacker needs an application that uses Apache Log4j 1.2.x with the JDBCAppender specifically configured to accept SQL statements. The vulnerability is not triggered if this particular JDBCAppender configuration is not in use. Applications that do not log user-supplied data or do not use this specific Log4j configuration are not affected.

Who should be concerned about CVE-2022-23305, considering its potential exposure?

Organizations running applications that utilize Apache Log4j 1.2.x with the JDBCAppender, especially those that accept and log user-provided input, should be concerned. The Halo Surface Signal indicates a 'Possible' exposure, meaning the vulnerability can be exploited over the internet if the specific, non-default JDBCAppender configuration is active in internet-facing systems.

What is the first step for running this technology when facing CVE-2022-23305?

The immediate first step is to identify all systems using Apache Log4j 1.2.x. For any identified systems, verify if the JDBCAppender is configured and, if so, whether it accepts SQL statements. Given that Log4j 1.2 reached its end of life in August 2015, upgrading to a supported version like Log4j 2 is a recommended long-term solution.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.