CVE-2022-23305
Published: 18 January 2022
Summary
CVE-2022-23305 is a critical-severity SQL injection (CWE-89) vulnerability in the JDBCAppender of Apache Log4j 1.2.x; Oracle products that bundle the library, including Oracle Business Intelligence, are affected through it. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 7.0% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a SQL injection flaw (CWE-89) in the JDBCAppender component of Apache Log4j 1.2.x. By design, the appender takes an SQL statement containing PatternLayout converters such as %m as a configuration parameter. For each logged event the converters are expanded into the statement text, and the resulting string is handed to a plain JDBC Statement; no parameterization, quoting, or escaping is applied, so whenever an application logs attacker-controlled data (request parameters, headers, user names), that data lands verbatim inside the query. The issue is present only when JDBCAppender is explicitly configured, which is not the default, and Log4j 1.2 reached end-of-life in August 2015.
An unauthenticated remote attacker can supply crafted strings through any application input that is subsequently logged, causing the JDBCAppender to execute arbitrary SQL statements against the configured database. Successful exploitation can result in full read, write, or delete access to database contents, corresponding to the CVSS 9.8 rating. In practice the impact is bounded by the privileges of the database account the appender connects with and by whether the JDBC driver accepts stacked statements; even a driver that executes only one statement per call still leaves subqueries and additional VALUES rows available to the attacker.
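To make the mechanism concrete, here is an added Python model of what the Log4j 1.2 appender does with its configured SQL; it is not Log4j's code and not from the advisories. sqlite3 stands in for the JDBC driver, the table names, the benign log line, the stored hash value and the attacker payload are all constructed for the example, and the hardened function models the parameterized approach Log4j 2 takes rather than reproducing its implementation.

```python
import sqlite3

# Constructed example template, as a Log4j 1.2 user might set it:
#   log4j.appender.db.sql=INSERT INTO app_log (msg) VALUES ('%m')
VULNERABLE_SQL_TEMPLATE = "INSERT INTO app_log (msg) VALUES ('%m')"

# Constructed attacker input, e.g. a User-Agent header the application passes
# to logger.info(). It closes the string literal and appends a second VALUES
# row whose value is a subquery, so a single statement suffices even when the
# JDBC driver refuses stacked statements.
PAYLOAD = "probe'), ((SELECT password_hash FROM users WHERE username='admin') || '"


def fresh_db():
    """In-memory SQLite stand-in for the appender's JDBC target (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE app_log (id INTEGER PRIMARY KEY, msg TEXT);
        CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT);
        INSERT INTO users VALUES ('admin', '$2b$12$constructedhash');
        """
    )
    return conn


def render_like_log4j1(template, message):
    """Model of Log4j 1.2 JDBCAppender.getLogStatement(): PatternLayout expands
    %m into the SQL text and the result goes to Statement.executeUpdate().
    No quoting or escaping is applied to the message."""
    return template.replace("%m", message)


def vulnerable_append(conn, message):
    sql = render_like_log4j1(VULNERABLE_SQL_TEMPLATE, message)
    conn.execute(sql)  # sqlite3.execute() runs exactly one statement, like most JDBC drivers
    conn.commit()
    return sql


def hardened_append(conn, message):
    """Fixed statement, message bound as a parameter (the approach Log4j 2's
    JDBC appender takes; this is a model, not its implementation)."""
    conn.execute("INSERT INTO app_log (msg) VALUES (?)", (message,))
    conn.commit()


def logged_messages(conn):
    return [row[0] for row in conn.execute("SELECT msg FROM app_log ORDER BY id")]


def demo_vulnerable():
    conn = fresh_db()
    vulnerable_append(conn, "GET /login from 203.0.113.7")  # benign line logs normally
    vulnerable_append(conn, PAYLOAD)  # attacker line copies a password hash into the log table
    return logged_messages(conn)


def demo_hardened():
    conn = fresh_db()
    hardened_append(conn, PAYLOAD)  # stored verbatim; the quote is just data
    return logged_messages(conn)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
```

Running it shows the vulnerable path writing three rows from two log calls, the third being the admin password hash the attacker can later read through whatever exposes log contents, while the parameterized path stores the payload as an inert string. Note that the vulnerable appender also breaks on any benign message containing an apostrophe, which is a useful tell when auditing: an application whose log table is missing entries with quotes is probably running this configuration.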
Advisories from Apache, Oracle, and NetApp state that users should migrate to Log4j 2, which re-introduced the JDBCAppender in 2.0-beta8 with support for parameterized SQL and column-level customization. The references further note that Log4j 1.2 is unsupported and that organizations still running the 1.x line should treat any JDBCAppender configuration as requiring immediate remediation. Where an upgrade cannot happen immediately, removing the JDBCAppender from the Log4j 1.x configuration closes the injection path, since the flaw is reachable only through that appender; the first step either way is to find every log4j.properties and log4j.xml that references it.
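As an added example (not from the advisories or the Log4j project), a small Python audit that finds JDBCAppender definitions in Log4j 1.x configuration files and flags SQL templates that splice in attacker-influenced converters. The two sample configurations are constructed, and the set of converters treated as attacker-influenced (%m, %x, %X{...}) is an assumption based on what usually carries request data.

```python
import re
import xml.etree.ElementTree as ET

JDBC_APPENDER_CLASS = "org.apache.log4j.jdbc.JDBCAppender"

# PatternLayout converters whose expansion can carry request-supplied data:
# %m (message), %x (NDC), %X{key} (MDC). Assumption for this audit; other
# converters (%d, %p, %c, ...) are set by the code, not by the client.
TAINTED_CONVERTERS = re.compile(r"%-?\d*(?:\.\d+)?(m|x|X\{[^}]*\})")


def _findings(classes, sqls):
    """Pair each JDBCAppender with its configured SQL and flag tainted converters."""
    out = []
    for name, cls in classes.items():
        if cls != JDBC_APPENDER_CLASS:
            continue
        sql = sqls.get(name, "")
        tainted = sorted(set(TAINTED_CONVERTERS.findall(sql)))
        out.append({
            "appender": name,
            "sql": sql,
            "tainted_converters": tainted,
            # any JDBCAppender on Log4j 1.x should go; "review" just means the SQL was not found
            "verdict": "injectable" if tainted else "review",
        })
    return out


def audit_properties(text):
    """Scan log4j.properties content. Assumes one key=value per line (no
    backslash continuations) and '=' as the separator."""
    classes, sqls = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m:
            classes[m.group(1)] = value
            continue
        m = re.fullmatch(r"log4j\.appender\.([^.]+)\.sql", key, re.IGNORECASE)
        if m:
            sqls[m.group(1)] = value
    return _findings(classes, sqls)


def audit_xml(text):
    """Scan log4j.xml content. ElementTree is fine for files you control;
    use defusedxml for configuration pulled from untrusted sources."""
    classes, sqls = {}, {}
    for app in ET.fromstring(text).iter("appender"):
        name = app.get("name", "")
        classes[name] = app.get("class", "")
        for param in app.findall("param"):
            if param.get("name", "").lower() == "sql":
                sqls[name] = param.get("value", "")
    return _findings(classes, sqls)


# Constructed sample configurations for the demo.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, console, db
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:mysql://db.internal/app
log4j.appender.db.user=applog
log4j.appender.db.sql=INSERT INTO app_log (ts, level, msg) VALUES ('%d{yyyy-MM-dd HH:mm:ss}', '%p', '%m')
"""

SAMPLE_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="audit" class="org.apache.log4j.jdbc.JDBCAppender">
    <param name="URL" value="jdbc:postgresql://db.internal/audit"/>
    <param name="sql" value="INSERT INTO audit (who, what) VALUES ('%X{user}', '%m')"/>
  </appender>
  <appender name="file" class="org.apache.log4j.RollingFileAppender">
    <param name="File" value="/var/log/app.log"/>
  </appender>
</log4j:configuration>
"""


def audit_all():
    return audit_properties(SAMPLE_PROPERTIES) + audit_xml(SAMPLE_XML)


if __name__ == "__main__":
    for f in audit_all():
        print(f"{f['verdict']:<10} {f['appender']:<8} converters={f['tainted_converters']}  sql={f['sql']}")
```

Point the two functions at the real files on each host (or at configuration extracted from deployed WARs and JARs) and any finding is a remediation ticket regardless of verdict: the appender has to be removed or the application moved to Log4j 2, and the flagged converters tell you which logged fields an attacker could have reached in the meantime.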
EPSS currently stands at 0.0945 after peaking at 0.1156.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-0477
Vulnerability details
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
- CWE: CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.