{"id":"USN-5998-1","summary":"apache-log4j1.2 vulnerabilities","details":"It was discovered that the SocketServer component of Apache Log4j 1.2\nincorrectly handled deserialization. An attacker could possibly use this issue\nto execute arbitrary code. This issue only affected Ubuntu 16.04 ESM.\n(CVE-2019-17571)\n\nIt was discovered that the JMSSink component of Apache Log4j 1.2 incorrectly\nhandled deserialization. An attacker could possibly use this issue to execute\narbitrary code. (CVE-2022-23302)\n\nIt was discovered that Apache Log4j 1.2 incorrectly handled certain SQL\nstatements. A remote attacker could possibly use this issue to perform an SQL\ninjection attack and alter the database. This issue was only fixed in Ubuntu\n18.04 LTS and Ubuntu 20.04 LTS. (CVE-2022-23305)\n\nIt was discovered that the Chainsaw component of Apache Log4j 1.2 incorrectly\nhandled deserialization. An attacker could possibly use this issue to execute\narbitrary code. This issue was only fixed in Ubuntu 18.04 LTS and Ubuntu 20.04\nLTS. (CVE-2022-23307)\n","modified":"2026-02-10T04:43:03Z","published":"2023-04-05T21:26:34Z","related":["UBUNTU-CVE-2019-17571","UBUNTU-CVE-2022-23302","UBUNTU-CVE-2022-23305","UBUNTU-CVE-2022-23307"],"upstream":["CVE-2019-17571","CVE-2022-23302","CVE-2022-23305","CVE-2022-23307","UBUNTU-CVE-2019-17571","UBUNTU-CVE-2022-23302","UBUNTU-CVE-2022-23305","UBUNTU-CVE-2022-23307"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5998-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-17571"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-23302"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-23305"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-23307"}],"affected":[{"package":{"name":"apache-log4j1.2","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/apache-log4j1.2@1.2.17-7ubuntu1+esm1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.17-7ubuntu1+esm1"}]}],"versions":["1.2.17-6ubuntu1","1.2.17-7ubuntu1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"1.2.17-7ubuntu1+esm1","binary_name":"liblog4j1.2-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5998-1.json","cves_map":{"cves":[{"id":"CVE-2019-17571","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2022-23302","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2022-23305","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2022-23307","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:Pro:16.04:LTS"}}},{"package":{"name":"apache-log4j1.2","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/apache-log4j1.2@1.2.17-8+deb10u1ubuntu0.2?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.17-8+deb10u1ubuntu0.2"}]}],"versions":["1.2.17-7ubuntu2","1.2.17-8","1.2.17-8+deb10u1build0.18.04.1","1.2.17-8+deb10u1ubuntu0.1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1.2.17-8+deb10u1ubuntu0.2","binary_name":"liblog4j1.2-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5998-1.json","cves_map":{"cves":[{"id":"CVE-2022-23302","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2022-23305","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2022-23307","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:18.04:LTS"}}},{"package":{"name":"apache-log4j1.2","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/apache-log4j1.2@1.2.17-9ubuntu0.2?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.17-9ubuntu0.2"}]}],"versions":["1.2.17-8","1.2.17-9","1.2.17-9ubuntu0.1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1.2.17-9ubuntu0.2","binary_name":"liblog4j1.2-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5998-1.json","cves_map":{"cves":[{"id":"CVE-2022-23302","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2022-23305","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2022-23307","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:20.04:LTS"}}}],"schema_version":"1.7.3"}