Apache Log4j is used by IBM Sterling Connect:Direct Web Services as part of its logging infrastructure. JDBCAppender in Apache Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The fix includes Apache Log4j 2.17.1.
CVEID:CVE-2022-23305
**DESCRIPTION:**Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Sterling Connect:Direct Web Services | 1.0 |
IBM Sterling Connect:Direct Web Services | 6.0 |
Product(s)|Version(s)|**Remediation/Fix
**
β|β|β
IBM Sterling Connect:Direct Web Services| 1.0, 6.0| Apply 6.0.0.6, available on Fix Central
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm connect:direct web services | eq | 6.0 |