1) CVE-2022-23302: A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.
Note this flaw ONLY affects applications that are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker's JNDI LDAP endpoint.
Automic components are not affected by this vulnerability as JMSSink is not enabled on them.
2) CVE-2022-23305: A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.
Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.
Automic components are not affected by this vulnerability as they do not make any use of JDBCAppender.
3) CVE-2022-23307: A flaw was found in the Log4j 1.x Chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the Chainsaw component is run.
Chainsaw is a standalone graphical user interface for viewing log entries in Log4j. Note this issue only applies when Chainsaw is configured to read serialized log events.
Chainsaw is not configured on Automic components to read serialized log events.
Release : All versions
Component : All Automic Components using log4j 1.x
Log4J 1.x vulnerabilities: CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307
We have completed the verification and were able to conclude that Automic Components using log4j 1.x are not impacted by these vulnerabilities.
As these vulnerabilities apply only when the affected components are explicitly configured in your system, we recommend that you audit your logging configuration to ensure that JMSSink, JDBCAppender, and Chainsaw are not configured. Log4j 1.x configurations without these are not impacted by the above vulnerabilities. If further mitigation is required, the options below are also available.
These are the possible mitigations for these flaws in Log4j 1.x releases:
- Comment out or remove JMSSink in the Log4j configuration if it is used
- Remove the JMSSink class from the server's jar files. For example:
zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class
- Restrict access for the OS user on the platform running the application to prevent an attacker from modifying the Log4j configuration.
- Comment out or remove JDBCAppender in the Log4j configuration if it is used
- Remove the JDBCAppender class from the server's jar files. For example:
zip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class
- Avoid using Chainsaw to view logs (if you are using it), and use some other utility instead.
- Remove the Chainsaw classes from the log4j jar files. For example:
zip -q -d log4j-*.jar org/apache/log4j/chainsaw/*
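
One way to run the configuration audit recommended above, as an added example that is not part of the original advisory or any vendor tooling: a shell function that reports active (non-commented) references to the JMSSink, JDBCAppender or Chainsaw classes in log4j.properties or log4j.xml files. The function names, the matching pattern and the sample properties content are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag active references to the three Log4j 1.x components
# named in the advisory. Package paths match the advisory's zip commands.
RISKY='org[.]apache[.]log4j[.](net[.]JMSSink|jdbc[.]JDBCAppender|chainsaw[.])'

# audit_log4j_config FILE  (hypothetical helper name)
# Prints "FILE:LINE: text" for every non-commented line that references a
# risky class. Returns 1 when something is found, 0 when the file is clean.
audit_log4j_config() {
    awk -v pat="$RISKY" '
    {
        line = $0
        if (in_c) {                              # inside a multi-line XML comment
            if (!sub(/^.*-->/, "", line)) next
            in_c = 0
        }
        gsub(/<!--.*-->/, "", line)              # XML comment closed on this line
        if (sub(/<!--.*$/, "", line)) in_c = 1   # XML comment continues below
        if (line ~ /^[ \t]*[#!]/) next           # .properties comment line
        if (line ~ pat) { printf "%s:%d: %s\n", FILENAME, FNR, $0; found = 1 }
    }
    END { exit (found ? 1 : 0) }' "$1"
}

# Constructed sample (not from a real deployment): one commented-out and one
# active JDBCAppender definition in log4j.properties syntax.
sample_properties() {
    cat <<'EOF'
log4j.rootLogger=INFO, FILE, DB
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
#log4j.appender.OLD=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.sql=INSERT INTO logs VALUES('%m')
EOF
}

# Usage: sh audit.sh path/to/log4j.properties path/to/log4j.xml ...
rc=0
for f in "$@"; do
    audit_log4j_config "$f" || rc=1
done
[ "$rc" -eq 0 ] || echo "risky Log4j 1.x components are configured" >&2
```

A clean result covers only the files passed in; configuration loaded from inside a jar or set through system properties needs a separate check.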