Hi,
Would you consider marking CVE-2022-23302 as DISPUTED and/or "Unsupported When
Assigned"?
Rationale:
One could argue (philosophically and practically) that this is *not* a
vulnerability, or if it is, then many, many other programs are similarly
vulnerable. The conditions of an attacker having write access to the
configuration file or controlling the remote LDAP service seem beyond the scope
of Log4j's security responsibility.
Allowing user or anonymous write access to configuration files *is* generally
considered to be a vulnerability, and any number of attacks might be possible
when communicating with a malicious service.
Apache Log4j 1.x is not supported and will not be receiving security fixes:
https://cve.mitre.org/cve/cna/CVE_Program_End_of_Life_EOL_Assignment_Process.html
I believe the process is to prefix the CVE description with "** UNSUPPORTED WHEN ASSIGNED
**" and also "** DISPUTED **".
All Apache Log4j 1.x CVE IDs should be marked "** UNSUPPORTED WHEN ASSIGNED **." I
believe there are a few others that have the "write access to config file or control remote
service" preconditions but am still reviewing.
Regards,
- Art
On 2022/01/18 14:42:17 Ralph Goers wrote:
Severity: high
Description:
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104.
Note this issue only affects Log4j 1.x when specifically configured to use
JMSSink, which is not the default.
Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to
Log4j 2 as it addresses numerous other issues from the previous versions.
Mitigation:
Users should upgrade to Log4j 2 or remove usage of the JMSSink from their
configurations.
Credit:
Eduardo' Vela, Maksim Shudrak and Jacob Butler from Google.
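The advisory above says the issue only applies when JMSSink is actually configured, and the mitigation is to remove it. The following is an added example, not code from this thread or from the Log4j project: a small defender-side check that scans Log4j 1.x configuration or startup text for the JMSSink class name, the TopicConnectionFactoryBindingName property named in the advisory, and LDAP URIs, so affected deployments can be found and retired. The sample inputs are constructed for the example and do not claim to be exact Log4j syntax; the class name `org.apache.log4j.net.JMSSink` is the real Log4j 1.x class.

```python
"""Scan Log4j 1.x configuration text for JMSSink / JNDI-related indicators.

Added example for this thread (not project code). Assumptions are noted
inline; the sample configuration snippets below are constructed.
"""
import re
from typing import Dict, List

# Indicators worth flagging. The class name is the real Log4j 1.x class;
# TopicConnectionFactoryBindingName is the property the advisory names;
# an LDAP URI in a binding name is the remote-service precondition.
PATTERNS = {
    "jmssink_class": re.compile(r"org\.apache\.log4j\.net\.JMSSink", re.I),
    "tcf_binding_name": re.compile(r"TopicConnectionFactoryBindingName", re.I),
    "ldap_uri": re.compile(r"\bldaps?://", re.I),
}


def scan_config(text: str, source: str = "<inline>") -> List[Dict[str, object]]:
    """Return one finding per (line, indicator) hit in the given config text."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Skip single-line comments in .properties and XML files so that a
        # commented-out JMSSink reference is not reported as active.
        if stripped.startswith("#") or stripped.startswith("<!--"):
            continue
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(
                    {"source": source, "line": lineno, "indicator": name, "text": stripped}
                )
    return findings


def is_affected(findings: List[Dict[str, object]]) -> bool:
    """Per the advisory, only deployments that actually reference JMSSink are affected."""
    return any(f["indicator"] == "jmssink_class" for f in findings)


# Constructed sample: an ordinary console-only configuration (not affected).
SAMPLE_CLEAN = """\
# constructed log4j.properties sample, not a real deployment
log4j.rootLogger=INFO, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
"""

# Constructed sample: JMSSink referenced with an LDAP-backed binding name.
# Key names here are illustrative, not exact Log4j syntax.
SAMPLE_JMSSINK = """\
# constructed sample: JMSSink referenced with an LDAP-backed binding name
sink.class=org.apache.log4j.net.JMSSink
sink.TopicConnectionFactoryBindingName=ldap://jndi.example.invalid/cf
sink.TopicBindingName=logTopic
"""


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("jmssink", SAMPLE_JMSSINK)):
        hits = scan_config(sample, label)
        print(f"{label}: affected={is_affected(hits)}")
        for hit in hits:
            print(f"  line {hit['line']} [{hit['indicator']}]: {hit['text']}")
```

Run it over real `log4j.properties`, `log4j.xml`, or service start scripts by reading each file and passing its contents to `scan_config`; any file where `is_affected` is true is one the advisory's mitigation (remove JMSSink, or move to Log4j 2) applies to.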