Critical Risk Disclosed

CVE-2022-23305

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter in which the values to be inserted are PatternLayout converters. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged, allowing unintended SQL queries to be executed. Note that this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was reintroduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2, as it addresses numerous other issues from the previous versions.
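Because the issue only applies when a JDBCAppender is actually configured and its SQL embeds the %m converter, the practical check is a configuration audit. The script below is an added example, not part of this advisory record or of the Log4j project: it parses a Log4j 1.2 `log4j.properties` file, finds appenders of class `org.apache.log4j.jdbc.JDBCAppender` (the `URL`, `driver`, `user`, `password` and `sql` keys are that appender's real setters), lists the PatternLayout converters embedded in each `sql` value, and reports whether the appender is attached to any logger. The sample configuration is constructed for the example; the hostnames and credentials in it are placeholders.

```python
"""Audit a Log4j 1.2 properties configuration for CVE-2022-23305 exposure.

Vulnerable pattern: an appender of class org.apache.log4j.jdbc.JDBCAppender whose
`sql` parameter is itself a PatternLayout pattern, so converters such as %m (the
logged message) are substituted as text straight into the SQL statement.
"""
import re

JDBC_APPENDER_CLASS = "org.apache.log4j.jdbc.JDBCAppender"

# PatternLayout conversion specifiers: %m, %d{ISO8601}, %-5p, %C, ...
CONVERTER_RE = re.compile(r"%-?\d*(?:\.\d+)?([a-zA-Z])(?:\{[^}]*\})?")

# Constructed sample log4j.properties; not taken from any real deployment.
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, db, file
log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.file.File=app.log
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.file.layout.ConversionPattern=%d %-5p %c - %m%n
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:mysql://db.example.invalid/logs
log4j.appender.db.driver=com.mysql.jdbc.Driver
log4j.appender.db.user=logwriter
log4j.appender.db.password=PLACEHOLDER
log4j.appender.db.sql=INSERT INTO LOGS VALUES ('%x', '%d{ISO8601}', '%C', '%-5p', '%m')
log4j.appender.audit=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.audit.sql=INSERT INTO AUDIT (ts, level) VALUES ('%d', '%p')
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value, # and ! comments,
    backslash line continuations. Enough for log4j.properties files."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def attached_appenders(props):
    """Names of appenders referenced by rootLogger/rootCategory or any logger/category entry.
    The first comma-separated element of those values is the level, the rest are appenders."""
    names = set()
    for key, value in props.items():
        if key in ("log4j.rootLogger", "log4j.rootCategory") or key.startswith(
            ("log4j.logger.", "log4j.category.")
        ):
            parts = [p.strip() for p in value.split(",")]
            names.update(p for p in parts[1:] if p)
    return names


def audit(text):
    """Return one finding per JDBCAppender (the class-name test also catches subclasses)."""
    props = parse_properties(text)
    attached = attached_appenders(props)
    findings = []
    for key, value in props.items():
        match = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not match or "JDBCAppender" not in value:
            continue
        name = match.group(1)
        sql = props.get(f"log4j.appender.{name}.sql", "")
        converters = CONVERTER_RE.findall(sql)
        findings.append({
            "appender": name,
            "class": value,
            "attached": name in attached,
            "sql": sql,
            "converters": converters,
            "message_in_sql": "m" in converters,
        })
    return findings


def exposure(findings):
    """Overall verdict. The CVE applies only when a JDBCAppender is wired to a logger and its
    SQL embeds the message converter %m, the converter the advisory singles out."""
    if any(f["attached"] and f["message_in_sql"] for f in findings):
        return "exposed"
    if findings:
        return "jdbcappender-present"
    return "not-affected"


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for f in results:
        state = "attached" if f["attached"] else "defined but not attached"
        print(f"{f['appender']}: {f['class']} ({state}); converters in sql: {f['converters']}")
    print("verdict:", exposure(results))
```

Run it against a real `log4j.properties` by replacing `SAMPLE_CONFIG` with the file contents. A verdict of `jdbcappender-present` still deserves attention: an unattached appender can be attached later by a programmatic configuration change. The fix the advisory points to is Log4j 2, whose JDBC appender binds each column through a PreparedStatement parameter rather than pasting converter output into the SQL text.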


Exploitation Probability (EPSS)

EPSS score: 7.95% (Low Priority)

The Exploit Prediction Scoring System (EPSS) uses machine learning to estimate the probability that a vulnerability will be exploited in the wild within the next 30 days.


Vulnerability Timeline

4 events

Jan 18, 2022 - Vulnerability Disclosed: published to component-level vulnerability database.
Feb 24, 2023 - Last Updated: record updated with new analysis or tags.
Nov 19, 2025 - EPSS Score Increased: daily EPSS score increased by 0.586 on 2023-12-30.
Nov 22, 2025 - EPSS Score Decreased: daily EPSS score decreased by 0.594 on 2023-12-30.


Remediation & Mitigation

SOLUTION

Official patches and mitigation steps are available for this vulnerability. Per the description above, the fix is to upgrade to Log4j 2 (from 2.0-beta8 its JDBCAppender uses parameterized SQL); where that is not yet possible, do not configure the Log4j 1.x JDBCAppender, which is not enabled by default.


Affected Products

41 Total

apache/log4j: All Versions
netapp/snapmanager: -
broadcom/brocade_sannav: -
qos/reload4j: All Versions
oracle/advanced_supply_chain_planning: 12.1


Vulnerability Details

CVSS Base Score: 9.8 / 10
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published Date: Jan 18, 2022
Last Modified: Feb 24, 2023