CVE-2023-31038

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-31038

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-31038.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-31038

Related

Published

2023-05-08T09:15:09Z

Modified

2024-10-16T02:12:57.456860Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

SQL injection in Log4cxx when using the ODBC appender to send log messages to a database. No fields sent to the database were properly escaped for SQL injection. This has been the case since at least version 0.9.0(released 2003-08-06)

Note that Log4cxx is a C++ framework, so only C++ applications are affected.

Before version 1.1.0, the ODBC appender was automatically part of Log4cxx if the library was found when compiling the library. As of version 1.1.0, this must be both explicitly enabled in order to be compiled in.

Three preconditions must be met for this vulnerability to be possible:

Log4cxx compiled with ODBC support(before version 1.1.0, this was auto-detected at compile time)
ODBCAppender enabled for logging messages to, generally done via a config file
User input is logged at some point. If your application does not have user input, it is unlikely to be affected.

Users are recommended to upgrade to version 1.1.0 which properly binds the parameters to the SQL statement, or migrate to the new DBAppender class which supports an ODBC connection in addition to other databases. Note that this fix does require a configuration file update, as the old configuration files will not configure properly. An example is shown below, and more information may be found in the Log4cxx documentation on the ODBCAppender.

Example of old configuration snippet:

... other params here ...

</appender>

The migrated configuration snippet with new ColumnMapping parameters:

<param name="ColumnMapping" value="message"/> ... other params here ...

</appender>

References

Affected packages

Debian:11 / log4cxx

Package

Name: log4cxx
Purl: pkg:deb/debian/log4cxx?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.11.0-2

0.11.0-3

0.12.1-1

0.12.1-2

0.12.1-3

0.12.1-4

0.13.0-1

0.13.0-2

1.*

1.0.0~~gitcbd23ff1-1~exp1

1.0.0~rc1-1

1.0.0-1

1.1.0-1~exp1

1.1.0-1

1.2.0-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / log4cxx

Package

Name: log4cxx
Purl: pkg:deb/debian/log4cxx?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0.0-1

1.1.0-1~exp1

1.1.0-1

1.2.0-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / log4cxx

Package

Name: log4cxx
Purl: pkg:deb/debian/log4cxx?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.0-1

Affected versions

1.*

1.0.0-1

1.1.0-1~exp1

Ecosystem specific

{
    "urgency": "unimportant"
}

Git / github.com/apache/logging-log4cxx

Affected ranges

Type: GIT
Repo: https://github.com/apache/logging-log4cxx
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fc1c3c64678b69be336eab7a84a3ae8e2bedce1a

Affected versions

rel/v0.*

rel/v0.11.0

rel/v0.12.0

rel/v0.13.0

rel/v1.*

rel/v1.0.0

Other

start@308070

v0_10_0

v0_10_0-rc1@630108

v0_10_0-rc2@630385

v0_10_0-rc3@642292

v0_10_0-rc4@642345

v0_10_0-rc5@642398

v0_10_0-rc6@642451

v0_10_0-rc7@642910

v0_10_0-rc8@1554779

v0_10_0-rc8@643170

v0_10_0@1554779

v0_10_0@643170

v0_10_0@644134

v0_9_4@308324

v0_9_5@308470

v0_9_6@308556

v0_9_7@308613

v0.*

v0.11.0

v0.11.0-RC2

v0.12.0-RC1

v0.12.0-RC2

v0.13.0-RC1

v1.*

v1.0.0-RC1

v1.1.0-RC1