JMSSink in log4j is vulnerable to deserialization of untrusted object. The insecure use of JNDI in JMSSink allows an attacker to send malicious object in LDAP store if it is accessible by an attacker or is configured to use an untrusted site, leading to a remote code execution. Note: this vulnerability only affects the applications specifically configured to use JMSSink, which is not the default.
CVE
2022-23302
CVSS score
6
Vulnerability present in version/s
1.1.3-1.2.17
Found library version/s
1.2.17
Vulnerability fixed in version
Library latest version
1.2.17
Fix
No fix is released. Users should upgrade to Log4j 2 or remove usage of the JMSSink from their configurations.
Veracode Software Composition Analysis
Links: