CVE-2022-23305 is a critical SQL injection vulnerability in Apache Log4j 1.2.x. It allows attackers to manipulate SQL queries by entering crafted strings into input fields or headers that end up being logged. The JDBCAppender in Log4j 1.2.x accepts SQL statements as configuration parameters, and the message converter %m is likely to be included in them by default, so logged message text is substituted directly into the statement. This poses a serious risk because it can lead to unintended SQL queries being executed, potentially compromising data integrity and confidentiality.
With a CVSS score of 9.8, this vulnerability is classified as critical. It is important to note that it only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default setting. Log4j 1.x reached its end of life in August 2015, and users are strongly advised to upgrade to Log4j 2, which addresses this and other significant issues.
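Because the vulnerable condition is a configuration choice (a JDBCAppender whose sql parameter embeds %m), the quickest defensive check is to audit Log4j 1.x configuration files for it. The following script is an added example, not code from the original page or from the Log4j project; it parses both the .properties and XML configuration styles, reports every JDBCAppender, and marks those whose sql parameter contains the %m message conversion. The two sample configurations are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

JDBC_APPENDER = "org.apache.log4j.jdbc.JDBCAppender"
# %m (the logged message) with optional format modifiers, e.g. %m or %-20m.
# JDBCAppender uses its sql parameter as a PatternLayout, so %m is replaced
# with untrusted message text before the statement reaches the database.
MESSAGE_CONVERSION = re.compile(r"%-?\d*(?:\.\d+)?m")


def _findings(classes, sqls):
    """Return (appender name, sql embeds %m) for every JDBCAppender."""
    out = []
    for name, cls in classes.items():
        if cls.strip() == JDBC_APPENDER:
            sql = sqls.get(name, "")
            out.append((name, bool(MESSAGE_CONVERSION.search(sql))))
    return out


def audit_properties(text):
    """Audit a log4j 1.x .properties configuration (log4j.appender.NAME[.prop]=value)."""
    classes, sqls = {}, {}
    for line in text.splitlines():
        m = re.match(r"\s*log4j\.appender\.([^.=\s]+)(?:\.([^=\s]+))?\s*=\s*(.*)$", line)
        if not m:
            continue  # comments, blank lines, rootLogger lines
        name, prop, value = m.groups()
        if prop is None:
            classes[name] = value      # log4j.appender.NAME=<class>
        elif prop.lower() == "sql":
            sqls[name] = value         # log4j.appender.NAME.sql=<statement>
    return _findings(classes, sqls)


def audit_xml(text):
    """Audit a log4j 1.x XML configuration (<appender class=...><param name="sql"/>)."""
    classes, sqls = {}, {}
    for app in ET.fromstring(text).iter("appender"):
        name = app.get("name", "")
        classes[name] = app.get("class", "")
        for param in app.findall("param"):
            if (param.get("name") or "").lower() == "sql":
                sqls[name] = param.get("value", "")
    return _findings(classes, sqls)


# Constructed sample configs (not real deployments): the first embeds %m, the second does not.
SAMPLE_PROPERTIES = """# constructed sample
log4j.rootLogger=INFO, DB, CONSOLE
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.URL=jdbc:mysql://db.example.internal/appdb
log4j.appender.DB.sql=INSERT INTO LOGS VALUES ('%d', '%p', '%c', '%m')
"""
SAMPLE_XML = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="AUDIT" class="org.apache.log4j.jdbc.JDBCAppender">
    <param name="sql" value="INSERT INTO AUDIT (ts, lvl) VALUES ('%d', '%p')"/>
  </appender>
</log4j:configuration>
"""

if __name__ == "__main__":
    for name, injectable in audit_properties(SAMPLE_PROPERTIES) + audit_xml(SAMPLE_XML):
        print(f"{name}: JDBCAppender in use; sql embeds %m -> {injectable}")
```

Any JDBCAppender hit is worth removing (the page notes the component is unsupported and the advised fix is migrating to Log4j 2); a hit with %m embedded is the directly injectable case.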
Organizations must prioritize patching immediately to mitigate the risks associated with this vulnerability. Failure to do so could expose systems to significant security threats, including unauthorized access to sensitive data and potential data breaches.
Public proofs of concept for this vulnerability are known to exist. Although it is not listed as actively exploited in the KEV catalog, organizations should remain vigilant and apply the necessary patches as part of their security practices.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.