CVE-2023-26464

Affects: Log4j in Apache Log4j
Versions: >=1.2 <= 1.2.17
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

When using the Chainsaw or SocketAppender components with Log4j 1.x on Java versions earlier than 1.7, a specially crafted logging event containing deeply nested map structures can exhaust JVM memory during deserialization and cause a Denial of Service. Learn what's affected and how the issue is already fixed in NES for Apache Log4j.

Details

Module Info

  • Product: Log4j
  • Affected packages: log4j
  • Affected versions: >=1.2 <= 1.2.17
  • GitHub repository: https://github.com/apache/logging-log4j1
  • Published packages: https://central.sonatype.com/artifact/log4j/log4j
  • Package manager: Maven
  • Fixed In: NES for Apache Log4j 1.2.18

Vulnerability Info

In affected versions of Apache Log4j 1.x running on Java versions earlier than 1.7, the Chainsaw and SocketAppender logging components can be made to process a specially crafted logging event containing deeply nested map structures (a HashMap or Hashtable, depending on which component is in use). Logging events travel between these components as serialized Java objects, so an attacker who can reach the receiving side (the port a SocketAppender delivers to, or a Chainsaw receiver) only needs to send one such event. Deserializing the nested structure can consume excessive memory in the Java Virtual Machine, exhausting the available heap and causing a Denial of Service (DoS). Log4j 1.x is end-of-life and the issue is not present in Log4j 2.x; users are advised to upgrade to a supported release.

Mitigation

  • Avoid using the Chainsaw or SocketAppender components in untrusted or externally accessible environments.
  • Restrict network access to any services exposing Log4j SocketAppender or Chainsaw ports.
  • Ensure that only trusted sources can send serialized logging events.
  • Apply JVM memory limits to reduce impact in the event of memory exhaustion.
  • Configure the log4j.chainsaw.maxSerializedBytes system property to limit the maximum size of accepted serialized input.
  • Upgrade to a release containing the fix: NES for Apache Log4j 1.2.18, or a supported Log4j 2.x release.
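To make the deserialization point and the mitigations above concrete, the following is an added example written for this page; it is not Log4j, Chainsaw or HeroDevs code. It sketches a receiver in the style of the log4j 1.x socket receivers (the server side of SocketAppender, which reads serialized LoggingEvent objects from a TCP connection), first in the unguarded form and then with two hardening layers: a per-event byte cap on the socket stream, which works on any JRE and mirrors the intent of the maxSerializedBytes mitigation, and a JDK 9+ ObjectInputFilter that allowlists the classes a LoggingEvent legitimately carries and caps object-graph depth, which is what defeats a deeply nested map. The class name, the limits, the port handling and the allowlist are assumptions for the illustration. On the JREs the advisory names as affected (earlier than 1.7) the filter API does not exist, so there only the byte cap and the network restrictions listed above apply.

```java
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.net.ServerSocket;
import java.net.Socket;

/*
 * Added example (not Log4j or HeroDevs code): a minimal receiver in the style of the
 * log4j 1.x socket receivers, which read serialized LoggingEvent objects from TCP.
 * Shown unguarded, then with a per-event byte cap and a deserialization filter.
 * Limits, class name and port handling are assumptions for this illustration.
 */
public class BoundedLogReceiver {

    // Assumed limits for the illustration, not values taken from the advisory.
    static final long MAX_EVENT_BYTES = 64L * 1024;
    static final int MAX_DEPTH = 8;

    /** Unguarded pattern: whatever arrives on the socket is deserialized without limits. */
    static Object readUnguarded(InputStream in) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(in);
        return ois.readObject(); // a deeply nested map is materialised in full here
    }

    /** Counts bytes consumed from the wrapped stream and fails once a cap is exceeded. */
    static final class ByteLimitedInputStream extends FilterInputStream {
        private final long limit;
        private long consumed;

        ByteLimitedInputStream(InputStream in, long limit) {
            super(in);
            this.limit = limit;
        }

        /** Reset the counter before each readObject() so the cap is per event. */
        void startEvent() { consumed = 0; }

        @Override public int read() throws IOException {
            int b = super.read();
            if (b >= 0) account(1);
            return b;
        }

        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            if (n > 0) account(n);
            return n;
        }

        private void account(int n) throws IOException {
            consumed += n;
            if (consumed > limit) {
                throw new IOException("serialized event exceeds " + limit + " bytes");
            }
        }
    }

    /** Guarded pattern: bytes are capped by the wrapper; classes and depth by the filter. */
    static ObjectInputStream openGuarded(ByteLimitedInputStream in) throws IOException {
        ObjectInputStream ois = new ObjectInputStream(in);
        // JDK 9+: allow only the types a log4j 1.x LoggingEvent legitimately carries
        // (log4j classes, the Hashtable used for MDC, java.lang types such as String),
        // cap graph depth so nested maps are rejected, and reject everything else.
        // No maxbytes here: that filter limit is per stream, not per event.
        ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                "org.apache.log4j.**;java.util.Hashtable;java.lang.*;"
                + "maxdepth=" + MAX_DEPTH + ";!*"));
        return ois;
    }

    public static void main(String[] args) throws IOException {
        // 4560 is the default port used by the log4j 1.x SocketAppender.
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 4560;
        try (ServerSocket server = new ServerSocket(port)) {
            while (true) {
                try (Socket client = server.accept()) {
                    ByteLimitedInputStream limited =
                            new ByteLimitedInputStream(client.getInputStream(), MAX_EVENT_BYTES);
                    ObjectInputStream ois = openGuarded(limited);
                    while (true) { // one connection carries many events, as SocketAppender does
                        limited.startEvent();
                        Object event = ois.readObject();
                        System.out.println("accepted " + event.getClass().getName());
                    }
                } catch (IOException | ClassNotFoundException e) {
                    // Oversized events, rejected classes (InvalidClassException) and
                    // client disconnects all land here; the receiver keeps running.
                    System.err.println("dropped connection: " + e);
                }
            }
        }
    }
}
```

The two layers fail in different ways and are both needed: a nested-map payload can be small on the wire yet expensive to rebuild, which the byte cap alone does not catch, while the depth limit stops the object graph from growing past a few levels regardless of size. Neither layer replaces the advisory's first mitigation, which is not to expose these receivers to untrusted networks at all.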
Vulnerability Details

  • Severity: High
  • ID: CVE-2023-26464
  • Project Affected: Log4j
  • Versions Affected: >=1.2 <= 1.2.17
  • NES Versions Affected: none listed
  • Published date: March 10, 2023
  • Fix date (approximate): December 16, 2025
  • Category: none listed
  • VEX document: available for download

Severity scale (CVSS assessment)

  • Low: >=0 <4
  • Medium: >=4 <6
  • High: >=6 <8
  • Critical: >=8 <10