What is CVE-2022-23302?

CVE-2022-23302 is a high-severity vulnerability in Apache Log4j, classified under Deserialization of Untrusted Data. CVSS score: 8.8/10. Published 2022-01-18.

How severe is CVE-2022-23302?

High severity. CVSS v3 base score is 8.8 out of 10.

Is CVE-2022-23302 known to be exploited?

18 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Deserialization in Apache Log4j

CVE-2022-23302

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attack…

Vulnerability class: Insecure Deserialization

EPSS: 0.008 (74.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Apache Log4j
Apache Software Foundation Log4j 1.x — versions 1.0.1, unspecified
Broadcom Brocade_sannav
Netapp Snapmanager
Oracle Advanced_supply_chain_planning — versions 12.1, 12.2
Oracle Business_intelligence — versions 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0
Oracle Business_process_management_suite — versions 12.2.1.3.0, 12.2.1.4.0
Oracle Communications_eagle_ftp_table_base_retrieval — versions 4.5
Oracle Communications_instant_messaging_server — versions 10.0.1.5.0
Oracle Communications_messaging_server — versions 8.1

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

Public proof-of-concept exploits

References

security@apache.org (Mailing List, x_refsource_MISC, Mitigation, Vendor Advisory)
security@apache.org (x_refsource_MISC, Vendor Advisory)
security@apache.org (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
security@apache.org (Patch, Third Party Advisory, x_refsource_MISC)
security@apache.org (x_refsource_CONFIRM, Third Party Advisory)
security@apache.org (Patch, Third Party Advisory, x_refsource_MISC)
af854a3a-2127-422b-91ae-364da2661108
af854a3a-2127-422b-91ae-364da2661108

Frequently asked questions

What is CVE-2022-23302?: CVE-2022-23302 is a high-severity vulnerability in Apache Log4j, classified under Deserialization of Untrusted Data. CVSS score: 8.8/10. Published 2022-01-18.
How severe is CVE-2022-23302?: High severity. CVSS v3 base score is 8.8 out of 10.
Is CVE-2022-23302 known to be exploited?: 18 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.