What is CVE-2023-26464?

CVE-2023-26464 is a vulnerability that affects the Chainsaw or SocketAppender components in Log4j 1.x, allowing an attacker to cause a logging entry involving a specially-crafted hashmap or hashtable to be executed.

What software is affected by CVE-2023-26464?

The Log4j 1.x version up to and including 1.0.4, and Log4j 2.0.0 are affected by CVE-2023-26464.

How severe is CVE-2023-26464?

CVE-2023-26464 has a severity rating of 7.5 (High).

How can I fix CVE-2023-26464?

To fix CVE-2023-26464, upgrade to Log4j version 2.0.0 or above.

Where can I find more information about CVE-2023-26464?

You can find more information about CVE-2023-26464 on the NIST National Vulnerability Database (NVD) and Apache mailing lists.

Vulnerability/
CVE-2023-26464

high

7.5

CWE

502

10/3/2023

17/3/2024

CVE-2023-26464

First published: Fri Mar 10 2023(Updated: )

** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Credit: security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
Apache Log4j	>=1.0.4<2.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-26464?
CVE-2023-26464 is a vulnerability that affects the Chainsaw or SocketAppender components in Log4j 1.x, allowing an attacker to cause a logging entry involving a specially-crafted hashmap or hashtable to be executed.
What software is affected by CVE-2023-26464?
The Log4j 1.x version up to and including 1.0.4, and Log4j 2.0.0 are affected by CVE-2023-26464.
How severe is CVE-2023-26464?
CVE-2023-26464 has a severity rating of 7.5 (High).
How can I fix CVE-2023-26464?
To fix CVE-2023-26464, upgrade to Log4j version 2.0.0 or above.
Where can I find more information about CVE-2023-26464?
You can find more information about CVE-2023-26464 on the NIST National Vulnerability Database (NVD) and Apache mailing lists.

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
collector/github-advisory
alias/GHSA-vp98-w2p3-mv35
alias/CVE-2023-26464
collector/github-advisory-latest
collector/nvd-cve
collector/nvd-index
collector/redhat-bugzilla
source/Red Hat
package-manager/maven
vendor/apache
canonical/apache log4j
version/apache log4j/1.0.4

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.