Forum Discussion

snarang's avatar
snarang
Product Team
4 years ago

Apache Announces Several CVEs in Apache Log4j 1.x, Urges...

Apache Announces Several CVEs in Apache Log4j 1.x, Urges Upgrading to Log4j 2.x On January 18, Apache announced several new vulnerabilities in Apache Log4j 1.x. CVE - Affected Component [Severity] ...
Cyber Exposure Alerts
jones_bryan's avatar
jones_bryan
Connect Contributor III
4 years ago

@Satnam Narang​ Are there any articles that explain how the plugin (156860) for CVE-2022-23302 works? Since there are several CVE's tied to the same plugin how do we know which CVE it is flagging for? For CVE-2022-23302 it is my understanding that it is not a default config that makes you vulnerable. Does that plugin just assume that since you are on version 1.x you are vulnerable or does it actually check for the presence of the vulnerable config within the 1.x version (e.g. does it actually look for JMSSink )?

  • snarang's avatar
    snarang
    Product Team
    4 years ago

    Hi @Bryan Jones​ there are details within the plugin description page itself (https://www.tenable.com/plugins/nessus/156860) which says that "According to its self-reported version number, the installation of Apache Log4j on the remote host is 1.x and is no longer supported." Therefore, this plugin is looking at the self-reported version number and would fire irrespective of any configuration requirements because there will be no patch for Log4j 1.x.