Cyber Resilience

CVE-2022-23305

Severity: Critical (updated)

Published: 18 January 2022
Modified: 27 May 2026
KEV Added: not listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0945 (93.0th percentile)
Risk Priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-23305 is a critical-severity SQL Injection (CWE-89) vulnerability in Oracle Business Intelligence. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 7.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is a SQL injection flaw (CWE-89) in the JDBCAppender component of Apache Log4j 1.2.x. By design, the appender accepts an SQL statement containing PatternLayout converters such as %m as a configuration parameter; when an application logs attacker-controlled data from inputs or headers, the converter values are inserted directly into the query without parameterization. The issue is present only when JDBCAppender is explicitly configured, which is not the default, and Log4j 1.2 reached end-of-life in August 2015.

An unauthenticated remote attacker can supply crafted strings through any application input that is subsequently logged, causing the JDBCAppender to execute arbitrary SQL statements against the configured database. Successful exploitation can result in full read, write, or delete access to database contents, corresponding to the CVSS 9.8 rating.

Advisories from Apache, Oracle, and NetApp state that users should migrate to Log4j 2, which re-introduced the JDBCAppender in 2.0-beta8 with support for parameterized SQL and column-level customization. The references further note that Log4j 1.2 is unsupported and that organizations still running the 1.x line should treat any JDBCAppender configuration as requiring immediate remediation.

EPSS currently stands at 0.0945 after peaking at 0.1156.

EU & UK References

Vulnerability details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged, allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
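The condition described in the analysis and in the vulnerability details above (an appender of class org.apache.log4j.jdbc.JDBCAppender whose sql parameter embeds PatternLayout converters, %m in particular) can be checked across a configuration estate before anyone has to read each file by hand. The script below is an added example, not code from this advisory, NVD or the Log4j project. The two sample configurations, the host names and the LOGS table layout are constructed for the demonstration; parse_properties is a deliberately minimal key=value reader and does not handle continuation lines.

```python
import re
import xml.etree.ElementTree as ET

# Fully qualified class of the Log4j 1.2.x appender the advisory concerns.
JDBC_APPENDER_CLASS = "org.apache.log4j.jdbc.JDBCAppender"

# PatternLayout converter: %, optional justification/width/precision, one letter,
# optional {...} argument (e.g. %d{ISO8601}, %-5p, %m).
CONVERTER = re.compile(r"%-?\d*(?:\.\d+)?([A-Za-z])(?:\{[^}]*\})?")

# Constructed sample: log4j.properties with a JDBCAppender (hypothetical host and table).
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, db, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:mysql://db.example.internal/logs
log4j.appender.db.sql=INSERT INTO LOGS VALUES ('%x','%d{ISO8601}','%C','%p','%m')
"""

# Constructed sample: the same appender in log4j.xml form.
SAMPLE_XML = """<?xml version="1.0"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="db" class="org.apache.log4j.jdbc.JDBCAppender">
    <param name="URL" value="jdbc:postgresql://db.example.internal/logs"/>
    <param name="sql" value="INSERT INTO LOGS (ts, level, msg) VALUES ('%d', '%p', '%m')"/>
  </appender>
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <root><priority value="info"/><appender-ref ref="db"/></root>
</log4j:configuration>
"""

# Constructed sample with no JDBCAppender: must produce no finding.
SAMPLE_CLEAN = """\
log4j.rootLogger=INFO, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
"""


def converters_in(sql):
    """Return the PatternLayout converter letters embedded in an SQL template, in order."""
    return [m.group(1) for m in CONVERTER.finditer(sql)]


def assess(name, sql):
    """One finding per JDBCAppender; %m means the logged message is spliced into the statement text."""
    conv = converters_in(sql)
    return {
        "appender": name,
        "sql": sql,
        "converters": conv,
        "message_in_sql": "m" in conv,
        "action": "remove the JDBCAppender or migrate to Log4j 2 (parameterized JDBC appender)",
    }


def parse_properties(text):
    """Minimal key=value parser for log4j.properties (comments skipped, no continuation lines)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def scan_properties(text):
    """Find every appender whose class is JDBCAppender in a log4j.properties file."""
    props = parse_properties(text)
    prefix = "log4j.appender."
    findings = []
    for key, value in props.items():
        name = key[len(prefix):]
        if key.startswith(prefix) and "." not in name and value == JDBC_APPENDER_CLASS:
            findings.append(assess(name, props.get(f"{prefix}{name}.sql", "")))
    return findings


def scan_xml(text):
    """Same check for the log4j.xml format (<appender class=...> with <param name="sql">)."""
    root = ET.fromstring(text)
    findings = []
    for app in root.iter("appender"):
        if app.get("class") != JDBC_APPENDER_CLASS:
            continue
        params = {p.get("name", "").lower(): p.get("value", "") for p in app.findall("param")}
        findings.append(assess(app.get("name", "?"), params.get("sql", "")))
    return findings


if __name__ == "__main__":
    for label, findings in (("properties", scan_properties(SAMPLE_PROPERTIES)),
                            ("xml", scan_xml(SAMPLE_XML)),
                            ("clean", scan_properties(SAMPLE_CLEAN))):
        print(f"{label}: {len(findings)} JDBCAppender configuration(s)")
        for f in findings:
            print(f"  appender={f['appender']} converters={f['converters']} "
                  f"message_in_sql={f['message_in_sql']}\n    sql={f['sql']}\n    action: {f['action']}")
```

To audit real files, pass their contents to scan_properties or scan_xml. A finding is raised for every JDBCAppender on the 1.x line, not only when %m is present, because the advisories cited above treat any such configuration as needing remediation; message_in_sql only marks the case the NVD text singles out.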

CWE(s): CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor     Product                                          Versions
apache     log4j                                            1.2 to 1.2.17
netapp     snapmanager                                      all versions
broadcom   brocade sannav                                   all versions
qos        reload4j                                         ≤ 1.2.18.2
oracle     advanced supply chain planning                   12.1, 12.2
oracle     business intelligence                            12.2.1.3.0, 12.2.1.4.0, 5.9.0.0.0
oracle     business process management suite                12.2.1.3.0, 12.2.1.4.0
oracle     communications eagle ftp table base retrieval    4.5
oracle     communications instant messaging server          10.0.1.5.0
oracle     communications messaging server                  8.1

+18 more product configuration(s); see NVD for the full list.

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Query input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation.

For this CVE specifically, the vendor advisories cited above call for removing any JDBCAppender configuration on the Log4j 1.x line and migrating to Log4j 2, whose JDBC appender uses parameterized SQL; input validation at the application layer reduces exposure but does not replace that change.

References