CVE-2022-23305

critical

Published 2022-01-18 · Modified 2022-01-27

CVSS v3

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

6.8

VIR risk

9.8

Description

Important: parfait:0.5 security update

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2022-0290.html

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2022:0290

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2022-23305.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://www.oracle.com/security-alerts/cpujul2022.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://www.oracle.com/security-alerts/cpujul2022.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://www.oracle.com/security-alerts/cpuapr2022.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://www.oracle.com/security-alerts/cpuapr2022.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://logging.apache.org/log4j/1.2/index.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://logging.apache.org/log4j/1.2/index.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2022-23305

OS impact

OS	Version	Status	Fixed in
debian	bullseye	fixed	`1.2.17-10+deb11u1`
debian	forky	fixed	`1.2.17-11`
debian	sid	fixed	`1.2.17-11`
debian	trixie	fixed	`1.2.17-11`
debian	bookworm	fixed	`1.2.17-11`
sles		affected
rocky	8	fixed

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	log4j:log4j	`<=1.2.17`
Maven	org.zenframework.z8.dependencies.commons:log4j-1.2.17	`<=2.0`

Application impact

Vendor	Product	Versions	Fixed
apache	log4j	`{"startIncluding":"1.2","endIncluding":"1.2.17"}`
netapp	snapmanager	`-`
broadcom	brocade_sannav	`-`
qos	reload4j	`{"endExcluding":"1.2.18.2"}`	`1.2.18.2`
oracle	advanced_supply_chain_planning	`12.1`
oracle	advanced_supply_chain_planning	`12.2`
oracle	business_intelligence	`5.9.0.0.0`
oracle	business_intelligence	`12.2.1.3.0`
oracle	business_intelligence	`12.2.1.4.0`
oracle	business_process_management_suite	`12.2.1.3.0`
oracle	business_process_management_suite	`12.2.1.4.0`
oracle	communications_eagle_ftp_table_base_retrieval	`4.5`
oracle	communications_instant_messaging_server	`10.0.1.5.0`
oracle	communications_messaging_server	`8.1`
oracle	communications_network_integrity	`7.3.6`
apache	log4j	`{"startIncluding":"1.2","endIncluding":"1.2.17"}`
netapp	snapmanager	`-`
broadcom	brocade_sannav	`-`
qos	reload4j	`{"endExcluding":"1.2.18.2"}`	`1.2.18.2`
oracle	advanced_supply_chain_planning	`12.1`
oracle	advanced_supply_chain_planning	`12.2`
oracle	business_intelligence	`5.9.0.0.0`
oracle	business_intelligence	`12.2.1.3.0`
oracle	business_intelligence	`12.2.1.4.0`
oracle	business_process_management_suite	`12.2.1.3.0`
oracle	business_process_management_suite	`12.2.1.4.0`
oracle	communications_eagle_ftp_table_base_retrieval	`4.5`
oracle	communications_instant_messaging_server	`10.0.1.5.0`
oracle	communications_messaging_server	`8.1`
oracle	communications_network_integrity	`7.3.6`
oracle	communications_offline_mediation_controller	`{"endExcluding":"12.0.0.4.4"}`	`12.0.0.4.4`
oracle	communications_offline_mediation_controller	`12.0.0.5.0`
oracle	communications_unified_inventory_management	`7.4.1`
oracle	communications_unified_inventory_management	`7.4.2`
oracle	e-business_suite_cloud_manager_and_cloud_backup_module	`{"endExcluding":"2.2.1.1.1"}`	`2.2.1.1.1`
oracle	e-business_suite_cloud_manager_and_cloud_backup_module	`2.2.1.1.1`
oracle	e-business_suite_information_discovery	`{"startIncluding":"12.2.3","endIncluding":"12.2.11"}`
oracle	enterprise_manager_base_platform	`13.4.0.0`
oracle	enterprise_manager_base_platform	`13.5.0.0`
oracle	financial_services_revenue_management_and_billing_analytics	`2.7.0.0`
oracle	financial_services_revenue_management_and_billing_analytics	`2.7.0.1`
oracle	financial_services_revenue_management_and_billing_analytics	`2.8.0.0`
oracle	healthcare_foundation	`8.1.0`
oracle	hyperion_data_relationship_management	`{"endExcluding":"11.2.8.0"}`	`11.2.8.0`
oracle	hyperion_infrastructure_technology	`{"endExcluding":"11.2.8.0"}`	`11.2.8.0`
oracle	identity_management_suite	`12.2.1.3.0`
oracle	identity_management_suite	`12.2.1.4.0`
oracle	identity_manager_connector	`11.1.1.5.0`
oracle	jdeveloper	`12.2.1.3.0`
oracle	middleware_common_libraries_and_tools	`12.2.1.4.0`
oracle	mysql_enterprise_monitor	`{"endIncluding":"8.0.29"}`
oracle	retail_extract_transform_and_load	`13.2.5`
oracle	tuxedo	`12.2.2.0.0`
oracle	weblogic_server	`12.2.1.3.0`
oracle	weblogic_server	`12.2.1.4.0`
oracle	weblogic_server	`14.1.1.0.0`
oracle	communications_offline_mediation_controller	`{"endExcluding":"12.0.0.4.4"}`	`12.0.0.4.4`
oracle	communications_offline_mediation_controller	`12.0.0.5.0`
oracle	communications_unified_inventory_management	`7.4.1`
oracle	communications_unified_inventory_management	`7.4.2`
oracle	e-business_suite_cloud_manager_and_cloud_backup_module	`{"endExcluding":"2.2.1.1.1"}`	`2.2.1.1.1`
oracle	e-business_suite_cloud_manager_and_cloud_backup_module	`2.2.1.1.1`
oracle	e-business_suite_information_discovery	`{"startIncluding":"12.2.3","endIncluding":"12.2.11"}`
oracle	enterprise_manager_base_platform	`13.4.0.0`
oracle	enterprise_manager_base_platform	`13.5.0.0`
oracle	financial_services_revenue_management_and_billing_analytics	`2.7.0.0`
oracle	financial_services_revenue_management_and_billing_analytics	`2.7.0.1`
oracle	financial_services_revenue_management_and_billing_analytics	`2.8.0.0`
oracle	healthcare_foundation	`8.1.0`
oracle	hyperion_data_relationship_management	`{"endExcluding":"11.2.8.0"}`	`11.2.8.0`
oracle	hyperion_infrastructure_technology	`{"endExcluding":"11.2.8.0"}`	`11.2.8.0`
oracle	identity_management_suite	`12.2.1.3.0`
oracle	identity_management_suite	`12.2.1.4.0`
oracle	identity_manager_connector	`11.1.1.5.0`
oracle	jdeveloper	`12.2.1.3.0`
oracle	middleware_common_libraries_and_tools	`12.2.1.4.0`
oracle	mysql_enterprise_monitor	`{"endIncluding":"8.0.29"}`
oracle	retail_extract_transform_and_load	`13.2.5`
oracle	tuxedo	`12.2.2.0.0`
oracle	weblogic_server	`12.2.1.3.0`
oracle	weblogic_server	`12.2.1.4.0`
oracle	weblogic_server	`14.1.1.0.0`

References

CWEs

CWE-89

Verify integrity in audit chain (admin only). AS-IS.