Forum Discussion
Apache Announces Several CVEs in Apache Log4j 1.x, Urges...
@Satnam Narang Are there any articles that explain how the plugin (156860) for CVE-2022-23302 works? Since there are several CVEs tied to the same plugin, how do we know which CVE it is flagging for? For CVE-2022-23302 it is my understanding that it is not a default config that makes you vulnerable. Does that plugin just assume that since you are on version 1.x you are vulnerable, or does it actually check for the presence of the vulnerable config within the 1.x version (e.g. does it actually look for JMSSink)?
Hi @Bryan Jones there are details within the plugin description page itself (https://www.tenable.com/plugins/nessus/156860) which says that "According to its self-reported version number, the installation of Apache Log4j on the remote host is 1.x and is no longer supported." Therefore, this plugin is looking at the self-reported version number and would fire irrespective of any configuration requirements because there will be no patch for Log4j 1.x.
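As an added illustration of the distinction drawn in this thread (my own code, not the Tenable plugin's logic), a small Python triage script that reads a jar's self-reported version, flags any 1.x as unsupported regardless of configuration, and separately notes whether the JMSSink class is present. The manifest key `Implementation-Version` and the class path `org/apache/log4j/net/JMSSink.class` are assumptions about Log4j 1.2.x jars; the sample jars are constructed in memory.

```python
import io
import re
import zipfile

# Assumptions (not from the thread): version comes from MANIFEST.MF
# "Implementation-Version" or, failing that, from the file name;
# JMSSink is shipped as org/apache/log4j/net/JMSSink.class in 1.2.x jars.
JMSSINK_ENTRY = "org/apache/log4j/net/JMSSink.class"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def _manifest_version(zf):
    """Return Implementation-Version from the jar manifest, or None."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version":
            return value.strip()
    return None


def triage_log4j_jar(name, data):
    """Version alone decides 'unsupported 1.x' (what a version-based check
    keys on); JMSSink presence is reported only as triage context."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    version = _manifest_version(zf)
    if version is None:
        m = VERSION_RE.search(name)          # fall back to e.g. log4j-1.2.17.jar
        version = m.group(0) if m else None
    m = VERSION_RE.match(version) if version else None
    major = int(m.group(1)) if m else None
    return {
        "jar": name,
        "version": version,
        "unsupported_1x": major == 1,
        "has_jmssink": JMSSINK_ENTRY in zf.namelist(),
    }


def _constructed_jar(version, with_jmssink):
    """Minimal in-memory jar (constructed sample, not a real Log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr("org/apache/log4j/Logger.class", b"")
        if with_jmssink:
            zf.writestr(JMSSINK_ENTRY, b"")
    return buf.getvalue()
```

Running `triage_log4j_jar("log4j-1.2.17.jar", _constructed_jar("1.2.17", True))` reports `unsupported_1x: True` even for a jar whose JMSSink entry is absent, which is the behaviour the reply above describes.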