9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.976 High
EPSS
Percentile
100.0%
The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2905 advisory.
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. (CVE-2021-4104)
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. (CVE-2022-23302)
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.
Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. (CVE-2022-23305)
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. (CVE-2022-23307)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-2905. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(157261);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/17");
script_cve_id(
"CVE-2021-4104",
"CVE-2022-23302",
"CVE-2022-23305",
"CVE-2022-23307"
);
script_xref(name:"IAVA", value:"2021-A-0573");
script_name(english:"Debian DLA-2905-1 : apache-log4j1.2 - LTS security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
script_set_attribute(attribute:"description", value:
"The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dla-2905 advisory.
- JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write
access to the Log4j configuration. The attacker can provide TopicBindingName and
TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result
in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2
when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of
life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the
previous versions. (CVE-2021-4104)
- JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker
has write access to the Log4j configuration or if the configuration references an LDAP service the
attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing
JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to
CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which
is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2
as it addresses numerous other issues from the previous versions. (CVE-2022-23302)
- By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the
values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be
included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or
headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue
only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.
Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized
SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of
life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the
previous versions. (CVE-2022-23305)
- CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw
V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. (CVE-2022-23307)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004482");
# https://security-tracker.debian.org/tracker/source-package/apache-log4j1.2
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0db5f187");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2022/dla-2905");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-4104");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-23302");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-23305");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-23307");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/stretch/apache-log4j1.2");
script_set_attribute(attribute:"solution", value:
"Upgrade the apache-log4j1.2 packages.
For Debian 9 stretch, these problems have been fixed in version 1.2.17-7+deb9u2.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-23307");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-23305");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/12/14");
script_set_attribute(attribute:"patch_publication_date", value:"2022/01/31");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/01/31");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:liblog4j1.2-java");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:liblog4j1.2-java-doc");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include('audit.inc');
include('debian_package.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
var release = get_kb_item('Host/Debian/release');
if ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');
var release = chomp(release);
if (! preg(pattern:"^(9)\.[0-9]+", string:release)) audit(AUDIT_OS_NOT, 'Debian 9.0', 'Debian ' + release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);
var pkgs = [
{'release': '9.0', 'prefix': 'liblog4j1.2-java', 'reference': '1.2.17-7+deb9u2'},
{'release': '9.0', 'prefix': 'liblog4j1.2-java-doc', 'reference': '1.2.17-7+deb9u2'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var release = NULL;
var prefix = NULL;
var reference = NULL;
if (!empty_or_null(package_array['release'])) release = package_array['release'];
if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (release && prefix && reference) {
if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : deb_report_get()
);
exit(0);
}
else
{
var tested = deb_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'liblog4j1.2-java / liblog4j1.2-java-doc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | liblog4j1.2-java | p-cpe:/a:debian:debian_linux:liblog4j1.2-java |
debian | debian_linux | liblog4j1.2-java-doc | p-cpe:/a:debian:debian_linux:liblog4j1.2-java-doc |
debian | debian_linux | 9.0 | cpe:/o:debian:debian_linux:9.0 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23307
www.nessus.org/u?0db5f187
bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004482
packages.debian.org/source/stretch/apache-log4j1.2
security-tracker.debian.org/tracker/CVE-2021-4104
security-tracker.debian.org/tracker/CVE-2022-23302
security-tracker.debian.org/tracker/CVE-2022-23305
security-tracker.debian.org/tracker/CVE-2022-23307
www.debian.org/lts/security/2022/dla-2905
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.976 High
EPSS
Percentile
100.0%