CVE-2023-26464: Apache Log4j 1.x (EOL) allows DoS in Chainsaw and SocketAppender
First published: Fri Mar 10 2023(Updated: )
** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Log4j | >=1.0.4<2.0 | |
| maven/org.apache.logging.log4j:log4j-core | >=1.0.4<2.0 | 2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-26464
- https://lists.apache.org/thread/wkx6grrcjkh86crr49p4blc1v1nflj3t
- https://security.netapp.com/advisory/ntap-20230505-0008/
- https://github.com/advisories/GHSA-vp98-w2p3-mv35 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2182893
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2182903
- https://access.redhat.com/errata/RHSA-2023:3663
- https://access.redhat.com/security/cve/cve-2023-26464
- https://access.redhat.com/errata/RHSA-2023:5488
- https://access.redhat.com/errata/RHSA-2023:5484
- https://access.redhat.com/errata/RHSA-2023:5485
- https://access.redhat.com/errata/RHSA-2023:5486
- https://bugzilla.redhat.com/show_bug.cgi?id=2182864
- https://security.netapp.com/advisory/ntap-20230505-0008
Frequently Asked Questions
What is CVE-2023-26464?
CVE-2023-26464 is a vulnerability that affects the Chainsaw or SocketAppender components in Log4j 1.x, allowing an attacker to cause a logging entry involving a specially-crafted hashmap or hashtable to be executed.
What software is affected by CVE-2023-26464?
The Log4j 1.x version up to and including 1.0.4, and Log4j 2.0.0 are affected by CVE-2023-26464.
How severe is CVE-2023-26464?
CVE-2023-26464 has a severity rating of 7.5 (High).
How can I fix CVE-2023-26464?
To fix CVE-2023-26464, upgrade to Log4j version 2.0.0 or above.
Where can I find more information about CVE-2023-26464?
You can find more information about CVE-2023-26464 on the NIST National Vulnerability Database (NVD) and Apache mailing lists.
- collector/nvd-index
- agent/author
- agent/type
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-26464
- agent/description
- agent/title
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-vp98-w2p3-mv35
- agent/software-canonical-lookup
- agent/references
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/tags
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-api
- vendor/apache
- canonical/apache log4j
- version/apache log4j/1.0.4
- package-manager/maven