CVE-2022-23305: 
Java vulnerability analysis and mitigation

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. This vulnerability only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default configuration (Apache Log4j).

The vulnerability is tracked as CVE-2022-23305 and has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue stems from the JDBCAppender component accepting SQL statements as configuration parameters, where values are inserted using converters from PatternLayout. The message converter (%m) inclusion allows for SQL manipulation through crafted input strings (NVD Database).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability allows attackers to manipulate SQL queries through logged input, potentially leading to unauthorized database access and modifications (NetApp Advisory).

Users should upgrade to Log4j 2 as it addresses this and numerous other issues from previous versions. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to logs. Apache Log4j 1.2 reached end of life in August 2015. If immediate upgrade is not possible, removing usage of the JDBCAppender from configurations can serve as a temporary mitigation (Apache Log4j).