CVE-2022-23305
📋 TL;DR
CVE-2022-23305 is an SQL injection vulnerability in the JDBCAppender of Log4j 1.2.x. It allows attackers to execute arbitrary SQL queries by injecting malicious strings into application inputs that are subsequently logged. Only applications running Log4j 1.2.x with JDBCAppender explicitly configured are affected; this is not the default configuration. Log4j 1.x reached end-of-life in 2015, so affected systems are running unsupported software.
💻 Affected Systems
- Apache Log4j
📦 What is this software?
- Business Process Management Suite by Oracle
- Communications Eagle Ftp Table Base Retrieval by Oracle
- Communications Instant Messaging Server by Oracle
- Communications Network Integrity by Oracle
- Communications Offline Mediation Controller by Oracle
- Communications Unified Inventory Management by Oracle
- E Business Suite Cloud Manager And Cloud Backup Module by Oracle
- E Business Suite Information Discovery by Oracle
- Enterprise Manager Base Platform by Oracle
- Financial Services Revenue Management And Billing Analytics by Oracle
- Hyperion Data Relationship Management by Oracle
- Hyperion Infrastructure Technology by Oracle
- Log4j by Apache
- Middleware Common Libraries And Tools by Oracle
- Retail Extract Transform And Load by Oracle
- Tuxedo by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data destruction, privilege escalation, and potential remote code execution through database functions.
Likely Case
Data exfiltration, database manipulation, or denial of service through SQL injection attacks.
If Mitigated
Limited impact if proper input validation, parameterized queries, and network segmentation are implemented.
🎯 Exploit Status
Exploitation requires the application to log user-controlled input and to use JDBCAppender with a PatternLayout whose pattern contains the %m (message) converter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://logging.apache.org/log4j/1.2/index.html
Restart Required: Yes
Instructions:
1. Upgrade to Log4j 2.x (version 2.0-beta8 or later).
2. Remove the JDBCAppender configuration from Log4j 1.x if upgrading is not immediately possible.
3. Test the upgrade in a non-production environment first.
🔧 Temporary Workarounds
Disable JDBCAppender
Remove or disable the JDBCAppender configuration in log4j.properties or log4j.xml files.
# Edit the log4j configuration files and remove the JDBCAppender entries
# Example: remove lines containing 'log4j.appender.JDBC' or similar
Implement Input Validation
Add strict input validation and sanitization for all user inputs that get logged.
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems from critical databases
- Deploy web application firewall (WAF) with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check log4j configuration files for JDBCAppender usage and verify Log4j version is 1.2.x
Check Version:
Check application dependencies or classpath for log4j-1.2.x.jar files
Verify Fix Applied:
Confirm Log4j version is 2.0-beta8 or later, or verify JDBCAppender is removed from configuration
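A small audit script that automates the two checks above (a JDBCAppender in log4j.properties whose SQL template or ConversionPattern carries %m, and a log4j-1.2.x.jar on the classpath). This is an added illustration, not code from the advisory or the Log4j project; the properties file it scans is constructed, and the appender and jar names in it are assumed.

```python
import re
from typing import Dict, List

# Constructed sample log4j.properties (not from any real deployment): one
# JDBCAppender whose SQL template interpolates the log message via %m,
# plus a console appender that is not affected by CVE-2022-23305.
SAMPLE_PROPERTIES = """
log4j.rootLogger=INFO, DB, CONSOLE
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.CONSOLE.layout.ConversionPattern=%d %p %c - %m%n
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.URL=jdbc:mysql://db.example.internal/app
log4j.appender.DB.sql=INSERT INTO LOGS VALUES('%x','%d','%C','%p','%m')
"""

JDBC_APPENDER_CLASS = "org.apache.log4j.jdbc.JDBCAppender"
# %m with optional format modifiers, e.g. %m or %-20m
MESSAGE_CONVERTER_RE = re.compile(r"%[-.\d]*m")
# Log4j 1.2.x artifact names such as log4j-1.2.17.jar
LOG4J1_JAR_RE = re.compile(r"(^|/)log4j-1\.2(\.\d+)?\.jar$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for log4j.properties; comments and blanks are skipped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_jdbc_appenders(text: str) -> List[dict]:
    """One finding per JDBCAppender. 'message_logged' is True when the SQL
    template or ConversionPattern contains %m, i.e. the logged message is
    interpolated into the SQL statement (the CVE-2022-23305 precondition)."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        # Appender definitions have exactly the form log4j.appender.<name>
        if value == JDBC_APPENDER_CLASS and key.count(".") == 2:
            name = key.split(".")[2]
            pattern = props.get(f"log4j.appender.{name}.sql", "")
            pattern += props.get(f"log4j.appender.{name}.layout.ConversionPattern", "")
            findings.append({"appender": name,
                             "message_logged": bool(MESSAGE_CONVERTER_RE.search(pattern))})
    return findings


def is_log4j1_jar(path: str) -> bool:
    """True for classpath entries that look like a Log4j 1.2.x jar."""
    return bool(LOG4J1_JAR_RE.search(path))
```

Any finding with message_logged set, combined with a Log4j 1.2.x jar on the classpath, means the configuration matches the vulnerable pattern and should be removed or the library upgraded.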
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs from application servers
- SQL syntax errors in application logs
Network Indicators:
- Unusual database connections from application servers
- SQL injection patterns in HTTP requests
SIEM Query:
source="database_logs" AND (sql_injection_keywords OR unusual_query_patterns)
🔗 References
- http://www.openwall.com/lists/oss-security/2022/01/18/4
- https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y
- https://logging.apache.org/log4j/1.2/index.html
- https://security.netapp.com/advisory/ntap-20220217-0007/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html