Apache Log4j 1.x (EOL) allows DoS in Chainsaw and SocketAppender
CVE-2023-26464
7.5 HIGH
What is CVE-2023-26464?
When the Chainsaw or SocketAppender components of Apache Log4j 1.x run on a JRE older than 1.7, deserializing a specially crafted, deeply nested HashMap or Hashtable can exhaust the memory available to the Java Virtual Machine (JVM). An attacker who can cause such an object to be processed as a logging entry can therefore trigger a denial of service. Affected systems are strongly advised to upgrade to Log4j 2.x, as Log4j 1.x has reached the end of its support lifecycle.
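As an added illustration of the defensive idea behind this issue (not Log4j code and not the fix the advisory prescribes, which is to move to Log4j 2.x), the example below bounds the nesting depth an ObjectInputStream will accept, so a deeply nested HashMap is rejected instead of being fully materialized. It assumes the serialization filter API (java.io.ObjectInputFilter, JDK 9 and later), which is not available on the pre-1.7 JREs the advisory covers; the nested maps and depth values are constructed sample input.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

/** Added example: depth-limited deserialization of a nested HashMap (assumes JDK 9+). */
public class DepthLimitedDeserialization {

    /** Serialize an object to bytes (used only to build the constructed sample input). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Build a HashMap nested `levels` deep, the object shape the advisory describes. */
    static Map<String, Object> nestedMap(int levels) {
        Map<String, Object> root = new HashMap<>();
        Map<String, Object> cur = root;
        for (int i = 0; i < levels; i++) {
            Map<String, Object> next = new HashMap<>();
            cur.put("k", next);
            cur = next;
        }
        return root;
    }

    /** Deserialize with a JEP 290 filter that rejects object graphs deeper than maxDepth. */
    static Object readWithDepthLimit(byte[] data, int maxDepth)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // "maxdepth=N" caps graph depth; a rejected graph surfaces as InvalidClassException.
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("maxdepth=" + maxDepth));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] shallow = serialize(nestedMap(3));    // constructed: within the limit
        byte[] deep = serialize(nestedMap(200));     // constructed: far beyond the limit
        System.out.println("shallow accepted: " + (readWithDepthLimit(shallow, 16) != null));
        try {
            readWithDepthLimit(deep, 16);
            System.out.println("deep accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("deep rejected by filter: " + e.getMessage());
        }
    }
}
```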
Affected Version(s)
Apache Log4j 1.0.4 up to (excluding) 2
Apache Log4j 2