
New Log4j 1.x CVEs, and critical Chainsaw Vulnerability — What to Do?

This week Apache disclosed 3 vulnerabilities impacting Log4j 1.x versions.

Full disclosure, Log4j 1.x is an end-of-life product anyway, as of August 2015, and the recommended advice has always been to be on a safe log4j 2.x version. But, buried in these CVE disclosures is a critical Apache Chainsaw vulnerability that has been analyzed below.

To summarize quickly, the 3 CVEs disclosed this week are:

  • CVE-2022-23307 [Sonatype’s CVSS rating: 9.8 / Critical] This remote code execution flaw is applicable to default instances, making it noteworthy. The vulnerability itself lurks in the Chainsaw component, which is included within Log4j 1.x versions.

    Reported by a pseudonymous researcher @kingkk, CVE-2022-23307 is essentially the same issue as CVE-2020-9493, with the newer identifier assigned specifically for Log4j.

    Apache Chainsaw versions prior to 2.1.0 were vulnerable to deserialization of untrusted data, so the bundling of such a version in Log4j 1.x makes Log4j 1.x vulnerable too. The remediation guidance for CVE-2020-9493 (also reported by kingkk) additionally advises not to configure Chainsaw to read serialized log events but to adopt a different receiver instead, such as XMLSocketReceiver.

  • CVE-2022-23305 [Sonatype’s CVSS score: 9.8 / Critical] A SQL injection flaw in the JDBCAppender present in Log4j 1.x versions. This issue impacts versions specifically configured to use JDBCAppender, which means it’s applicable to non-default configurations only.

    The JDBCAppender in Log4j 1.2.x versions was designed to accept a SQL statement as a configuration parameter, with the values to be inserted supplied by PatternLayout converters.

    “The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged, allowing unintended SQL queries to be executed,” states the advisory.

    However, starting with Log4j (Read more...)
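To make the JDBCAppender point concrete, here is an added illustration (not code from the advisory, Sonatype or Log4j) that mimics in Python how a PatternLayout-style statement becomes the executed SQL, beside the parameterized form that removes the flaw. The table name, the two-converter pattern and the logged header value are constructed for the demo; only `%p` and `%m` are modelled.

```python
import re
import sqlite3

# Constructed mimic of Log4j 1.2's JDBCAppender: the configured statement is a PatternLayout,
# so %p (level) and %m (message) are substituted as raw text and the result is executed as-is.
CONFIGURED_SQL = "INSERT INTO logs (level, msg) VALUES ('%p', '%m')"
CONVERTERS = {"p": "level", "m": "msg"}

def render_pattern(pattern, event):
    """Expand %p/%m the way PatternLayout does: plain substitution, no escaping."""
    return re.sub(r"%([pm])", lambda m: event[CONVERTERS[m.group(1)]], pattern)

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (level TEXT, msg TEXT)")
    return conn

def append_vulnerable(conn, event):
    """Log4j 1.x shape: the rendered pattern *is* the SQL that gets executed."""
    sql = render_pattern(CONFIGURED_SQL, event)
    conn.execute(sql)
    return sql

def append_hardened(conn, event):
    """Fixed shape: static SQL, message bound as a parameter (data, never syntax)."""
    conn.execute("INSERT INTO logs (level, msg) VALUES (?, ?)",
                 (event["level"], event["msg"]))

def rows(conn):
    return conn.execute("SELECT level, msg FROM logs ORDER BY rowid").fetchall()

def benign_quote_is_lost(message):
    """A legitimate apostrophe (e.g. a surname) breaks the vulnerable statement; the event is dropped."""
    try:
        append_vulnerable(new_db(), {"level": "INFO", "msg": message})
        return False
    except sqlite3.OperationalError:
        return True

# Constructed sample: a request header value that the application logs at INFO.
HOSTILE_HEADER = "ok'), ('ERROR', 'forged entry"

def demo(message=HOSTILE_HEADER):
    """Return the executed statement plus the rows each appender left behind."""
    event = {"level": "INFO", "msg": message}
    vuln, hard = new_db(), new_db()
    sql = append_vulnerable(vuln, event)
    append_hardened(hard, event)
    return sql, rows(vuln), rows(hard)
```

The vulnerable path writes two rows, one of them a forged ERROR entry, while the bound-parameter path stores the header verbatim as a single INFO row; the same mechanism also silently drops any legitimate message containing a quote, which is worth checking for in audit-log completeness reviews.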

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/new-log4j-1.x-cves-and-critical-chainsaw-vulnerability-what-to-do