| Description: | Summary:
The ilServer Java component of ILIAS is using a version of the
Apache Log4j library which is prone to multiple vulnerabilities.
Vulnerability Insight:
The following flaws exist in the Log4j library used by the
ilServer component:
- CVE-2019-17571 is a high severity issue targeting the SocketServer. Log4j includes a
SocketServer that accepts serialized log events and deserializes them without verifying whether
the objects are allowed or not. This can provide an attack vector that can be exploited.
- CVE-2020-9488 is a moderate severity issue with the SMTPAppender. Improper validation of
certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection
to be intercepted by a man-in-the-middle attack which could leak any log messages sent through
that appender.
- CVE-2021-4104 is a high severity deserialization vulnerability in JMSAppender. JMSAppender uses
JNDI in an unprotected manner allowing any application using the JMSAppender to be vulnerable if
it is configured to reference an untrusted site or if the site referenced can be accesseed by the
attacker. For example, the attacker can cause remote code execution by manipulating the data in
the LDAP store.
- CVE-2022-23302 is a high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in
an unprotected manner allowing any application using the JMSSink to be vulnerable if it is
configured to reference an untrusted site or if the site referenced can be accesseed by the
attacker. For example, the attacker can cause remote code execution by manipulating the data in
the LDAP store.
- CVE-2022-23305 is a high severity SQL injection flaw in JDBCAppender that allows the data being
logged to modify the behavior of the component. By design, the JDBCAppender in Log4j 1.2.x accepts
an SQL statement as a configuration parameter where the values to be inserted are converters from
PatternLayout. The message converter, %m, is likely to always be included. This allows attackers
to manipulate the SQL by entering crafted strings into input fields or headers of an application
that are logged allowing unintended SQL queries to be executed.
- CVE-2022-23307 is a critical severity against the chainsaw component in Log4j 1.x. This is the
same issue corrected in CVE-2020-9493 fixed in Chainsaw 2.1.0 but Chainsaw was included as part of
Log4j 1.2.x.
Affected Software/OS:
The ilServer Java component in ILIAS versions prior to 5.4.26,
6.x prior to 6.14 and 7.x prior to 7.5.
Solution:
Update to version 5.4.26, 6.14, 7.5 or later.
These releases updated the Log4j version used in the ilServer component from the end-of-life
version 1.2.15 to 2.16.0 (for ILIAS version 6.14 and 7.5) or 2.17.0 (for ILIAS version 5.4.26).
CVSS Score:
9.0
CVSS Vector:
AV:N/AC:L/Au:S/C:C/I:C/A:C
|
