Apache Log4j 1.x Multiple Vulnerabilities

critical Nessus Plugin ID 156860

Synopsis

A logging library running on the remote host has multiple vulnerabilities.

Description

According to its self-reported version number, the installation of Apache Log4j on the remote host is 1.x and is no longer supported. Log4j reached its end of life prior to 2016. Additionally, Log4j 1.x is affected by multiple vulnerabilities, including :

- Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. (CVE-2019-17571)

- Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. (CVE-2020-9488)

- JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker.
(CVE-2022-23302)

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.

Solution

Upgrade to a version of Apache Log4j that is currently supported.

Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate versions / patches have known high severity vulnerabilities and the vendor is updating their advisories often as new research and knowledge about the impact of Log4j is discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest versions.

See Also

https://logging.apache.org/log4j/1.2/

Plugin Details

Severity: Critical

ID: 156860

File Name: apache_log4j_1_x_multiple_vulnerabilities.nasl

Version: 1.6

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 1/19/2022

Updated: 5/6/2022

Supported Sensors: Nessus Agent

Risk Information

CVSS Score Source: CVE-2022-23307

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:log4j

Required KB Items: installed_sw/Apache Log4j

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 12/20/2019

Reference Information

CVE: CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307