VIR Vulnerability Intelligence Relay

CVE-2022-23302

high
Published 2022-01-18 · Modified 2022-01-27
CVSS v3
8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v2
6.0
VIR risk
8.8

Description

Important: parfait:0.5 security update

Predictions

Exploit likelihood
92%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2022-0290.html

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2022:0290

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2022-23302.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://www.oracle.com/security-alerts/cpujul2022.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://www.oracle.com/security-alerts/cpujul2022.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://www.oracle.com/security-alerts/cpuapr2022.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://www.oracle.com/security-alerts/cpuapr2022.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://logging.apache.org/log4j/1.2/index.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://logging.apache.org/log4j/1.2/index.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2022-23302

OS impact
OSVersionStatusFixed in
debian debianbullseyefixed1.2.17-10+deb11u1
debian debianforkyfixed1.2.17-11
debian debiansidfixed1.2.17-11
debian debiantrixiefixed1.2.17-11
debian debianbookwormfixed1.2.17-11
suse slesaffected
rockylinux rocky8fixed

Package impact
EcosystemPackageVulnerableFixed
java Mavenlog4j:log4j<=1.2.17
java Mavenorg.zenframework.z8.dependencies.commons:log4j-1.2.17<=2.0

Application impact
VendorProductVersionsFixed
apache apachelog4j{"startIncluding":"1.0.1","endIncluding":"1.2.17"}
netappsnapmanager-
broadcombrocade_sannav-
qosreload4j{"endExcluding":"1.2.18.1"}1.2.18.1
oracleadvanced_supply_chain_planning12.1
oracleadvanced_supply_chain_planning12.2
oraclebusiness_intelligence5.9.0.0.0
oraclebusiness_intelligence12.2.1.3.0
oraclebusiness_intelligence12.2.1.4.0
oraclebusiness_process_management_suite12.2.1.3.0
oraclebusiness_process_management_suite12.2.1.4.0
oraclecommunications_eagle_ftp_table_base_retrieval4.5
oraclecommunications_instant_messaging_server10.0.1.5.0
oraclecommunications_messaging_server8.1
oraclecommunications_network_integrity7.3.6
oraclecommunications_offline_mediation_controller{"endExcluding":"12.0.0.4.4"}12.0.0.4.4
oraclecommunications_offline_mediation_controller12.0.0.5.0
oraclecommunications_unified_inventory_management7.4.1
oraclecommunications_unified_inventory_management7.4.2
oraclee-business_suite_cloud_manager_and_cloud_backup_module{"endExcluding":"2.2.1.1.1"}2.2.1.1.1
oraclee-business_suite_cloud_manager_and_cloud_backup_module2.2.1.1.1
oracleenterprise_manager_base_platform13.4.0.0
oracleenterprise_manager_base_platform13.5.0.0
oraclefinancial_services_revenue_management_and_billing_analytics2.7.0.0
oraclefinancial_services_revenue_management_and_billing_analytics2.7.0.1
oraclefinancial_services_revenue_management_and_billing_analytics2.8.0.0
oraclehealthcare_foundation8.1.0
oraclehyperion_data_relationship_management{"endExcluding":"11.2.8.0"}11.2.8.0
oraclehyperion_infrastructure_technology{"endExcluding":"11.2.8.0"}11.2.8.0
oracleidentity_management_suite12.2.1.3.0
oracleidentity_management_suite12.2.1.4.0
oracleidentity_manager_connector11.1.1.5.0
oraclejdeveloper12.2.1.3.0
oraclemiddleware_common_libraries_and_tools12.2.1.4.0
oraclemysql_enterprise_monitor{"endIncluding":"8.0.29"}
oracletuxedo12.2.2.0.0
oracleweblogic_server12.2.1.3.0
oracleweblogic_server12.2.1.4.0
oracleweblogic_server14.1.1.0.0
apache apachelog4j{"startIncluding":"1.0.1","endIncluding":"1.2.17"}
netappsnapmanager-
broadcombrocade_sannav-
qosreload4j{"endExcluding":"1.2.18.1"}1.2.18.1
oracleadvanced_supply_chain_planning12.1
oracleadvanced_supply_chain_planning12.2
oraclebusiness_intelligence5.9.0.0.0
oraclebusiness_intelligence12.2.1.3.0
oraclebusiness_intelligence12.2.1.4.0
oraclebusiness_process_management_suite12.2.1.3.0
oraclebusiness_process_management_suite12.2.1.4.0
oraclecommunications_eagle_ftp_table_base_retrieval4.5
oraclecommunications_instant_messaging_server10.0.1.5.0
oraclecommunications_messaging_server8.1
oraclecommunications_offline_mediation_controller{"endExcluding":"12.0.0.4.4"}12.0.0.4.4
oraclecommunications_offline_mediation_controller12.0.0.5.0
oraclecommunications_unified_inventory_management7.4.1
oraclee-business_suite_cloud_manager_and_cloud_backup_module{"endExcluding":"2.2.1.1.1"}2.2.1.1.1
oraclee-business_suite_cloud_manager_and_cloud_backup_module2.2.1.1.1
oracleenterprise_manager_base_platform13.4.0.0
oracleenterprise_manager_base_platform13.5.0.0
oraclefinancial_services_revenue_management_and_billing_analytics2.7.0.0
oraclefinancial_services_revenue_management_and_billing_analytics2.7.0.1
oraclefinancial_services_revenue_management_and_billing_analytics2.8.0.0
oraclehealthcare_foundation8.1.0
oraclehyperion_data_relationship_management{"endExcluding":"11.2.8.0"}11.2.8.0
oraclehyperion_infrastructure_technology{"endExcluding":"11.2.8.0"}11.2.8.0
oracleidentity_management_suite12.2.1.3.0
oracleidentity_management_suite12.2.1.4.0
oracleidentity_manager_connector11.1.1.5.0
oraclejdeveloper12.2.1.3.0
oraclemiddleware_common_libraries_and_tools12.2.1.4.0
oraclemysql_enterprise_monitor{"endIncluding":"8.0.29"}
oracletuxedo12.2.2.0.0
oracleweblogic_server12.2.1.3.0
oracleweblogic_server12.2.1.4.0
oracleweblogic_server14.1.1.0.0

References

CWEs

CWE-502

Verify integrity in audit chain (admin only). AS-IS.