CVE-2022-23302 in Log4jinfo

Summary

by MITRE • 01/18/2022

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/26/2026

The vulnerability identified as CVE-2022-23302 represents a critical deserialization flaw within the JMSSink component of Apache Log4j 1.x versions, specifically exploiting weaknesses in the Java Naming and Directory Interface (JNDI) lookup mechanism. This vulnerability operates under the premise that an attacker must possess either write access to the Log4j configuration files or control over an LDAP service that the configuration references, creating a privilege escalation pathway that ultimately leads to remote code execution. The flaw is categorized under CWE-502, which specifically addresses deserialization of untrusted data, making it a direct descendant of well-known exploitation patterns that have plagued Java applications for years. The vulnerability's operational context is particularly concerning because it requires specific configuration conditions to be exploited, yet when these conditions are met, the attack surface becomes extremely dangerous.

The technical mechanism behind this vulnerability involves the JMSSink component's handling of TopicConnectionFactoryBindingName configuration parameters, which when improperly controlled, trigger JNDI lookup requests that can be manipulated by attackers to execute arbitrary code on the target system. This exploitation pattern mirrors the methodology used in CVE-2021-4104, demonstrating how similar architectural flaws in JNDI handling can create persistent security risks across different versions of the same software stack. The attack vector leverages the inherent trust placed in configuration data, where the application's deserialization process does not properly validate or sanitize the input received from the JNDI service, allowing malicious payloads to be executed with the privileges of the running application. The vulnerability is particularly insidious because it operates within the context of a system that has already been compromised through configuration manipulation, making it difficult to detect and isolate from other potential attack vectors.

The operational impact of CVE-2022-23302 extends beyond simple remote code execution, as it provides attackers with the capability to establish persistent access to affected systems while potentially escalating privileges through the application's execution context. The vulnerability affects systems that have explicitly configured Log4j 1.x to use JMSSink functionality, which is not the default configuration, making it less likely to be encountered in production environments but still potentially dangerous when present. Organizations running legacy systems that have not migrated from Log4j 1.x face significant risk, as the end-of-life status of this version means no further security updates or patches will be provided by Apache. The attack's reliance on specific configuration conditions creates a complex remediation landscape where simple patching may not be sufficient, requiring comprehensive configuration reviews and potentially complete migration to newer software versions.

Mitigation strategies for CVE-2022-23302 must address both immediate configuration hardening and long-term architectural improvements. The most effective immediate solution involves ensuring that no write access exists for untrusted users to Log4j configuration files, while also implementing network segmentation to prevent unauthorized access to LDAP services that might be referenced in the configuration. Organizations should also consider implementing strict JNDI lookup restrictions and validating all external references before they are processed by the application. The ATT&CK framework categorizes this vulnerability under T1059.007 for remote code execution and T1566.001 for malicious file execution, emphasizing the multi-stage nature of the attack that begins with configuration compromise and culminates in system compromise. Given that Log4j 1.x reached end-of-life in August 2015, the recommended long-term solution is migration to Log4j 2.x, which includes comprehensive protections against similar deserialization attacks and addresses numerous other security weaknesses present in the legacy version. This migration should be prioritized as part of broader application security modernization efforts, particularly for systems that continue to operate with legacy software components.

Reservation

01/16/2022

Disclosure

01/18/2022

Moderation

accepted

CPE

ready

EPSS

0.61785

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!