File _patchinfo of Package patchinfo.22502

<patchinfo incident="22502">
  <!-- Maintenance incident metadata for a security update of log4j (Log4j 1.x).
       Each "bnc" entry below is a tracking bug whose title names one CVE; the
       same bug numbers appear as bsc# references in the description. -->
  <issue tracker="bnc" id="1194844">VUL-0: CVE-2022-23307: log4j: Apache Log4j 1.x:  A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.</issue>
  <issue tracker="bnc" id="1194843">VUL-0: CVE-2022-23305: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender</issue>
  <issue tracker="bnc" id="1194842">VUL-0: CVE-2022-23302: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink</issue>
  <!-- The CVE identifiers for the three tracking bugs above; they are listed
       in a different order than the bugs. -->
  <issue tracker="cve" id="2022-23305"/>
  <issue tracker="cve" id="2022-23307"/>
  <issue tracker="cve" id="2022-23302"/>
  <packager>david.anes</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for log4j</summary>
  <!-- All three fixes are described as removals (the chainsaw sub-package,
       JDBCAppender.java and JMSSink.java), not as patches to the affected code.
       The bug titles state that two of the issues apply only when the
       application is configured to use JDBCAppender or JMSSink.
       NOTE(review): a logging configuration that still names
       org.apache.log4j.jdbc.JDBCAppender or org.apache.log4j.net.JMSSink, or a
       workflow that relies on Chainsaw, would presumably stop working once the
       update is installed; check existing log4j configurations for these
       class names before rollout. -->
  <description>This update for log4j fixes the following issues:

- CVE-2022-23307: Fix deserialization issue by removing the chainsaw sub-package. (bsc#1194844)
- CVE-2022-23305: Fix SQL injection by removing src/main/java/org/apache/log4j/jdbc/JDBCAppender.java. (bsc#1194843)
- CVE-2022-23302: Fix remote code execution by removing src/main/java/org/apache/log4j/net/JMSSink.java. (bsc#1194842)
</description>
</patchinfo>