CVE: 2022-23302 found in Apache Log4j - Version: 1.2.17 [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	Apache Log4j
Description	Apache Log4j 1.2
Language	JAVA
Vulnerability	Deserialisation Of Untrusted Object
Vulnerability description	JMSSink in log4j is vulnerable to deserialization of untrusted object. The insecure use of JNDI in JMSSink allows an attacker to send malicious object in LDAP store if it is accessible by an attacker or is configured to use an untrusted site, leading to a remote code execution. Note: this vulnerability only affects the applications specifically configured to use JMSSink, which is not the default.
CVE	2022-23302
CVSS score	6
Vulnerability present in version/s	1.1.3-1.2.17
Found library version/s	1.2.17
Vulnerability fixed in version
Library latest version	1.2.17
Fix	No fix is released. Users should upgrade to Log4j 2 or remove usage of the JMSSink from their configurations.

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/163?version=1.2.17
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/33763
• Patch:

[github-actions[bot]]

Veracode issue link to PR: https://github.com/5l1D3R/Github-actions/pull/2