RHSA-2022:0442: Important: log4j security update
First published: Mon Feb 07 2022(Updated: )
Log4j is a tool to help the programmer output log statements to a variety of output targets.<br>Security Fix(es):<br><li> log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)</li> <li> log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)</li> <li> log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/log4j | <1.2.17-18.el7_4 | 1.2.17-18.el7_4 |
| redhat/log4j | <1.2.17-18.el7_4 | 1.2.17-18.el7_4 |
| redhat/log4j-javadoc | <1.2.17-18.el7_4 | 1.2.17-18.el7_4 |
| redhat/log4j-manual | <1.2.17-18.el7_4 | 1.2.17-18.el7_4 |
| redhat/log4j | <1.2.17-17.el7_3 | 1.2.17-17.el7_3 |
| redhat/log4j | <1.2.17-17.el7_3 | 1.2.17-17.el7_3 |
| redhat/log4j-javadoc | <1.2.17-17.el7_3 | 1.2.17-17.el7_3 |
| redhat/log4j-manual | <1.2.17-17.el7_3 | 1.2.17-17.el7_3 |
| redhat/log4j | <1.2.14-6.6.el6_10 | 1.2.14-6.6.el6_10 |
| redhat/log4j | <1.2.14-6.6.el6_10 | 1.2.14-6.6.el6_10 |
| redhat/log4j-debuginfo | <1.2.14-6.6.el6_10 | 1.2.14-6.6.el6_10 |
| redhat/log4j-javadoc | <1.2.14-6.6.el6_10 | 1.2.14-6.6.el6_10 |
| redhat/log4j-manual | <1.2.14-6.6.el6_10 | 1.2.14-6.6.el6_10 |
| redhat/log4j-debuginfo | <1.2.14-6.6.el6_10 | 1.2.14-6.6.el6_10 |
| redhat/log4j-javadoc | <1.2.14-6.6.el6_10 | 1.2.14-6.6.el6_10 |
| redhat/log4j-manual | <1.2.14-6.6.el6_10 | 1.2.14-6.6.el6_10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of RHSA-2022:0442?
The severity of RHSA-2022:0442 is high due to the vulnerabilities in Log4j that can lead to SQL injection and unsafe deserialization.
How do I fix RHSA-2022:0442?
To fix RHSA-2022:0442, you should update Log4j to version 1.2.17-18.el7_4 or later, depending on your current version.
What vulnerabilities are addressed in RHSA-2022:0442?
RHSA-2022:0442 addresses SQL injection vulnerabilities and an unsafe deserialization flaw in Log4j.
Which versions of Log4j are affected by RHSA-2022:0442?
Versions of Log4j prior to 1.2.17-17.el7_3 are affected by RHSA-2022:0442.
Is RHSA-2022:0442 a critical vulnerability?
Yes, RHSA-2022:0442 is considered critical due to the potential for exploitation in applications using Log4j.
- agent/severity
- agent/type
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- agent/title
- agent/weakness
- agent/description
- agent/references
- agent/tags
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2022:0442
- agent/software-canonical-lookup
- agent/remedy
- agent/event
- agent/source
- package-manager/redhat