Apache Log4j Code Problem Vulnerability
Deserialization
Log4j is a Java based open source logging tool of the Apache Software Foundation. Log4j version 1.2 includes a SocketServer class. Without verification, this SocketServe class can easily accept serialized log events and deserialize them. When used in combination with the deserialization tool, this class can be used to remotely execute arbitrary code.
Google Guava Access Control Error Vulnerability
Incorrect permission granting for critical resources
Google Guava is a Java core library of Google, which includes graphic library, function type, I/O and string processing. There is an access control error vulnerability in Guava before 30.0. The vulnerability originates from a temporary directory creation vulnerability in Guava, which allows attackers accessing machines to potentially access files from Guava com. google. common. io. Files The data in the temporary directory created by createTempDir(). An attacker can use this vulnerability to access special directories.
Apache Log4j Trust Management Vulnerability
Improper certificate verification
Apache Log4j is a Java based open source logging tool of the Apache Foundation. There is a trust management vulnerability in Apache Log4j. The vulnerability originates from SmtpAppender's failure to verify whether the host name matches the SSL/TLS certificate of the SMTPS connection. An attacker can use this vulnerability to intercept the SMTPS connection and obtain log messages by implementing man in the middle attack.
Apache Log4j security vulnerability
When an attacker has write access to the Log4j configuration, the JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data. An attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations, causing JMSAppender to execute JNDI requests, thus executing remote code in a manner similar to CVE-2021-44228. Please note that this problem only affects Log4j 1.2 when JMSAppender is specifically configured (not the default setting). The lifecycle of Apache Log4j 1.2 ended in August 2015. Users should upgrade to Log4j 2 because it solves many other problems in previous versions.
Apache Log4j SQL injection vulnerability
SQL injection
According to the design, the JDBC Appender in Log4j 1.2. x accepts SQL statements as configuration parameters, where the value to be inserted is the converter from PatternLayout. Message converter% m may always be included. This allows attackers to manipulate SQL by entering specially crafted strings into the input fields or headers of the recorded application, allowing unexpected SQL queries to be executed. Please note that this problem will affect Log4j 1. x only when it is specifically configured to use JDBC Appender (not the default setting). Starting from version 2.0-beta8, the JDBC Appender has been reintroduced to properly support parameterized SQL queries and further customize the columns written to the log. The lifecycle of Apache Log4j 1.2 ended in August 2015. Users should upgrade to Log4j 2 because it solves many other problems in previous versions.
Apache Log4j Code Problem Vulnerability
Deserialization
CVE-2020-9493 found a deserialization problem in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2. x. The same problem existed.
Apache Log4j Code Problem Vulnerability
Deserialization
When an attacker has write access to the Log4j configuration or references the LDAP service that the attacker has access to, all JMSSinks in Log4j 1. x are vulnerable to deserialization of untrusted data. An attacker can provide a TopicConnectionFactoryBindingName configuration to enable JMSSink to execute JNDI requests, thus executing remote code in a manner similar to CVE-2021-4104. Please note that this problem only affects Log4j 1. x when it is specifically configured to use JMSSink (not the default setting). The lifecycle of Apache Log4j 1.2 ended in August 2015. Users should upgrade to Log4j 2 because it solves many other problems in previous versions.
Google Guava Code Problem Vulnerability
Unrestricted or regulated resource allocation
Google Guava is a Java core library of Google, which includes graphic library, function type, I/O and string processing. There is a code problem vulnerability in Google Guava 11.0 to 24.1.1 (excluding 24.1.1). The vulnerability originates from the improper design or implementation of the network system or product code development process.
No more
Loading failed, please refresh the page