Apache Announces Several CVEs in Apache Log4j 1.x, Urges Upgrading to Log4j 2.x
On January 18, Apache announced several new vulnerabilities in Apache Log4j 1.x.
CVE - Affected Component [Severity]
- CVE-2020-9488 - SMTPAppender [Moderate]
- CVE-2022-23302 - JMSSink [High]
- CVE-2022-23305 - JDBCAppender [High]
- CVE-2022-23307 - Chainsaw [Critical]
While Apache also lists CVE-2021-4104 on this page, it was already disclosed in a December update. Likewise, CVE-2019-17571 was disclosed before the January 18 update.
Since Apache Log4j 1.x has reached end of life (EOL) status, it will not receive security updates. Apache is strongly encouraging users to upgrade to Log4j 2.x to address these and the other vulnerabilities in Log4j that have been disclosed over the last month.
The following is a summary of our Log4j 1.x coverage.
Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104) (156103)
- CVEs: CVE-2021-4104
Apache Log4j 1.x Multiple Vulnerabilities (156860)
- CVEs: CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23307
- Plugin ID 156860 has been developed and will be available later tonight
Apache Log4j Unsupported Version Detection (156032)
As mentioned previously, CVE-2021-4104 was disclosed in December, and Tenable released plugin ID 156103 to identify vulnerable assets. We’ve also released plugin ID 156032, an Unsupported Version Detection plugin for Log4j 1.x.
A new plugin, plugin ID 156860, has been developed for the newly disclosed CVEs as well as CVE-2019-17571 and should be available to customers later tonight.
Hello, to check for this CVE, does a thorough scan need to be enabled, like for the previous critical one?
- snarang (Product Team)
Hi @Joseph Hoot,
Thanks for your question. I've confirmed with our team and thorough checks are not required for scanning with plugin ID 156860.
Regards,
Satnam
Thanks Satnam!
- jones_bryan (Connect Contributor)
@Satnam Narang Are there any articles that explain how the plugin (156860) for CVE-2022-23302 works? Since there are several CVEs tied to the same plugin, how do we know which CVE it is flagging for? For CVE-2022-23302, it is my understanding that it is not a default config that makes you vulnerable. Does that plugin just assume that since you are on version 1.x you are vulnerable, or does it actually check for the presence of the vulnerable config within the 1.x version (e.g. does it actually look for JMSSink)?
- snarang (Product Team)
Hi @Bryan Jones, there are details within the plugin description page itself (https://www.tenable.com/plugins/nessus/156860), which says that "According to its self-reported version number, the installation of Apache Log4j on the remote host is 1.x and is no longer supported." Therefore, this plugin is looking at the self-reported version number and would fire irrespective of any configuration requirements, because there will be no patch for Log4j 1.x.
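As an added illustration of the distinction drawn in this answer (this is not Tenable's plugin code), the Python below reads a jar's self-reported version from its manifest, which is enough to flag an EOL 1.x install, and separately lists which of the components named in the advisory are actually shipped in the jar. The `Implementation-Version` manifest key and the class paths are assumed from the Log4j 1.2 package layout, and the sample jar is constructed in memory.

```python
import io
import re
import zipfile

# Class files backing the components named in the advisory.
# Paths are assumed from the Log4j 1.2 package layout, not taken from the plugin.
COMPONENT_CLASSES = {
    "JMSAppender (CVE-2021-4104)": "org/apache/log4j/net/JMSAppender.class",
    "JMSSink (CVE-2022-23302)": "org/apache/log4j/net/JMSSink.class",
    "JDBCAppender (CVE-2022-23305)": "org/apache/log4j/jdbc/JDBCAppender.class",
    "SMTPAppender (CVE-2020-9488)": "org/apache/log4j/net/SMTPAppender.class",
    "Chainsaw (CVE-2022-23307)": "org/apache/log4j/chainsaw/Main.class",
    "SocketServer (CVE-2019-17571)": "org/apache/log4j/net/SocketServer.class",
}


def self_reported_version(jar):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return match.group(1) if match else None


def assess_log4j_jar(data):
    """Version-only verdict (what an unsupported-version check needs) plus the
    component inventory an analyst would want when triaging the specific CVEs."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        version = self_reported_version(jar)
        names = set(jar.namelist())
        present = [c for c, path in COMPONENT_CLASSES.items() if path in names]
    return {
        "version": version,
        "eol_1x": version is not None and version.startswith("1."),
        "components_present": sorted(present),
    }


def build_sample_jar(version, class_paths):
    """Constructed stand-in for a log4j jar; the class entries hold only the magic bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for path in class_paths:
            jar.writestr(path, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

A 1.x jar is flagged as EOL even when none of the listed classes are present, which is the behaviour the answer describes; the inventory only tells you which of the individual CVEs could apply on that host.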
- jones_bryan (Connect Contributor)
Thanks for the clarification.