CVE-2023-26464: 
Apache Log4j vulnerability analysis and mitigation

When using the Chainsaw or SocketAppender components with Log4j 1.x on Java Runtime Environment (JRE) versions less than 1.7, an attacker could potentially exploit a vulnerability involving specially-crafted deeply nested hashmaps or hashtables. This vulnerability was discovered and disclosed in February 2023, affecting Apache Log4j versions before 2.x. The issue has been assigned CVE-2023-26464 (CVE Mitre).

The vulnerability occurs when processing logging entries containing specially-crafted (deeply nested) hashmaps or hashtables, depending on which logging component is in use. The issue specifically affects the Chainsaw and SocketAppender components in Log4j 1.x when running on JRE versions prior to 1.7. The vulnerability has been assigned a CVSS score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Advisory).

When successfully exploited, this vulnerability could lead to exhaustion of available memory in the virtual machine, resulting in a Denial of Service (DoS) condition when the malicious object is deserialized (CVE Mitre).

Since this vulnerability affects versions of Log4j 1.x, which is no longer supported, affected users are strongly recommended to upgrade to Log4j 2.x. This is the primary and most effective mitigation strategy (CVE Mitre).