Log4j 1.x Security Vulnerabilities
Known Issue
Affects versions up to 6.1.16, and 7.0.0.
Tungsten versions up to 6.1.16, and 7.0.0, embed log4j-1.2.17.jar, which is affected by the following issues:
- CVE-2019-17571
- CVE-2020-9488
- CVE-2020-9493
- CVE-2022-23302
- CVE-2022-23307
- CVE-2022-23305
Each issue is exploitable only under a specific, non-default configuration:
- CVE-2019-17571: the application must be using the SocketServer class from Log4j 1.2 and be configured to listen for logging data over the network; deserialization gadgets must also be present on the application's classpath for exploitation to succeed.
- CVE-2022-23302: the application must be explicitly configured to use the JMSSink component, which is not the default configuration in Log4j 1.x; the vulnerability is only present when JMSSink is enabled and configured.
- CVE-2020-9493 and CVE-2022-23307: the application must be using the Chainsaw log viewer bundled with Log4j 1.2.x and be configured to read serialized log events, which is what exposes the deserialization flaw.
- CVE-2022-23305: the application must be explicitly configured to use the JDBCAppender in Log4j 1.2.x, which builds its SQL statement from log event fields such as the message; only applications that have enabled this appender are affected.
- CVE-2020-9488: the application must be configured to use the SMTPAppender over an SMTPS/STARTTLS connection; the appender does not validate the server certificate's host name, so a man-in-the-middle could intercept the log messages it sends.
Since Log4j 2.x is not backwards compatible with the 1.x API and configuration format, we have created a "secured" build of the 1.2.17 library with the vulnerable classes removed, named log4j-1.2.17-secure.jar.
The secured jar is included from v6.1.18 onwards, with the exception of v7.0.0, which still embeds the stock jar. Log4j 2.x replaces it from v7.2.0 onwards.
important
While the listed CVEs no longer apply to this build, because the affected classes have been removed rather than left in place, software composition analysis scanners will generally still report it as vulnerable: they typically match on the jar's file name and embedded version metadata rather than inspecting which classes the jar actually contains. Listing the jar's contents (for example with `unzip -l`) and confirming the classes below are absent is the way to triage such a finding.
The library was secured by removing the classes behind each CVE:
- CVE-2019-17571: SocketServer and SocketAppender* classes removed
- CVE-2022-23302: JMSSink and JMSAppender classes removed
- CVE-2022-23307 and CVE-2020-9493: org/apache/log4j/chainsaw/*.class removed
- CVE-2022-23305: JDBCAppender class removed
- CVE-2020-9488: SMTPAppender class removed
Because the classes are gone rather than patched, a log4j.properties that still references one of these appenders will fail to instantiate it (Log4j 1.2 logs an error and continues without that appender), so check any custom logging configuration before deploying the secured jar.
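The following script is an added example written for this page; it is not part of Tungsten or of the Log4j project. It performs the two checks a practitioner wants around the secured jar: it lists which of the removed classes are still present in a given jar, grouped by the CVE from the list above (so a scanner finding against log4j-1.2.17-secure.jar can be confirmed or dismissed on the jar's actual contents), and it scans a log4j.properties for appenders that reference a removed class and would therefore fail to load. The jars and the properties file it runs against are constructed sample data built in memory; point `find_removed_classes` at the bytes of a real jar to check a deployment.

```python
"""Check a log4j 1.2 jar for the classes that log4j-1.2.17-secure.jar removes,
and check a log4j.properties for appenders that reference those classes.
Added example for this page, not Tungsten's or Log4j's own code; the jars and
properties below are constructed sample data."""
import io
import re
import zipfile

# Class (or package) prefixes stripped from the secured jar, per the list above.
REMOVED_CLASSES = {
    "CVE-2019-17571": ["org/apache/log4j/net/SocketServer",
                       "org/apache/log4j/net/SocketAppender"],
    "CVE-2022-23302": ["org/apache/log4j/net/JMSSink",
                       "org/apache/log4j/net/JMSAppender"],
    "CVE-2022-23307": ["org/apache/log4j/chainsaw/"],
    "CVE-2020-9493": ["org/apache/log4j/chainsaw/"],
    "CVE-2022-23305": ["org/apache/log4j/jdbc/JDBCAppender"],
    "CVE-2020-9488": ["org/apache/log4j/net/SMTPAppender"],
}

# The same prefixes as Java class names, for matching log4j.properties values.
REMOVED_FQN_PREFIXES = sorted({p.replace("/", ".")
                               for ps in REMOVED_CLASSES.values() for p in ps})

# Matches "log4j.appender.NAME=fully.qualified.Class" but not "log4j.appender.NAME.Option=...".
APPENDER_LINE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)")


def find_removed_classes(jar_bytes):
    """Map each CVE to the .class entries in the jar that the secured build strips.
    An empty result means none of the classes behind the listed CVEs are present,
    which is exactly what a scanner matching on file name alone cannot tell you."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        classes = [n for n in jar.namelist() if n.endswith(".class")]
    found = {}
    for cve, prefixes in REMOVED_CLASSES.items():
        hits = sorted(n for n in classes if any(n.startswith(p) for p in prefixes))
        if hits:
            found[cve] = hits
    return found


def find_removed_appenders(properties_text):
    """Return (appender name, class) pairs whose class the secured jar no longer
    ships. Log4j 1.2 logs an error for such an appender at configuration time and
    continues without it, so its output silently disappears."""
    hits = []
    for line in properties_text.splitlines():
        m = APPENDER_LINE.match(line)
        if m and any(m.group(2).startswith(p) for p in REMOVED_FQN_PREFIXES):
            hits.append((m.group(1), m.group(2)))
    return hits


def build_sample_jar(entry_names):
    """Constructed stand-in for a jar: zip entries holding only the class-file
    magic number, not real bytecode. Sufficient for the name-based check above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entry_names:
            jar.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed: the entries a stock 1.2.17 jar carries for the affected classes...
STOCK_JAR = build_sample_jar([
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketAppender.class",
    "org/apache/log4j/net/SocketAppender$1.class",
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/JMSSink.class",
    "org/apache/log4j/net/SMTPAppender.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
    "org/apache/log4j/chainsaw/Main.class",
])
# ...and a jar with those entries removed, as the secured build does.
SECURE_JAR = build_sample_jar([
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/RollingFileAppender.class",
    "org/apache/log4j/net/SocketHubAppender.class",
])

# Constructed log4j.properties: one appender that survives, two that do not.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, file, mail, db
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/app/app.log
log4j.appender.mail=org.apache.log4j.net.SMTPAppender
log4j.appender.mail.SMTPHost=smtp.example.com
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:mysql://db.example.com/logs
"""

if __name__ == "__main__":
    for label, jar in (("stock", STOCK_JAR), ("secure", SECURE_JAR)):
        print(label, find_removed_classes(jar) or "no removed classes present")
    print("appenders that will fail to load:", find_removed_appenders(SAMPLE_PROPERTIES))
```

The class check matches on entry-name prefixes so that inner classes such as `SocketAppender$1` are caught along with the outer class, mirroring the `SocketAppender*` glob in the list above; the properties check deliberately ignores `log4j.appender.NAME.Option` lines so that only the appender class assignments are reported.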