Mitel will update this advisory as the details become available. Mitel is investigating its products to determine which products may be affected by these vulnerabilities. These vulnerabilities require a more complex attack vector, resulting in lower severity of these vulnerabilities relative to the log4j 2.x JNDI exposure. Based on the available information, these vulnerabilities in Log4j 1.x may only be exploited if the vulnerable component is configured for use, and/or the attacker has sufficient privileges to start the service or change the configuration on the host.
In December 2021, the following vulnerabilities in the Apache Log4j 2.x Java logging library were disclosed:

- CVE-2021-44228: Apache Log4j 2.x JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints with potential for code execution.
- CVE-2021-45046: Apache Log4j 2.x Thread Context Message Pattern and Context Lookup Pattern is vulnerable to potential information leak and code execution.
- CVE-2021-45105: Apache Log4j 2.x is vulnerable to uncontrolled recursion from self-referential lookups, leading to denial-of-service conditions.
- CVE-2021-44832: Apache Log4j 2.x is vulnerable to code execution when configured to use JDBCAppender or the attacker has write access to the Log4j configuration.

A description of these vulnerabilities can be found on the Apache Log4j 2.x Security Vulnerabilities page.

Additionally, in December 2021 and January 2022, the following vulnerabilities in the Apache Log4j 1.x Java logging library were disclosed:

- CVE-2021-4104: Apache Log4j 1.x is vulnerable to deserialization of untrusted data when configured to use JMSAppender or the attacker has write access to the Log4j configuration, with potential for remote code execution.
- CVE-2022-23302: Apache Log4j 1.x is vulnerable to deserialization of untrusted data when configured to use JMSSink to perform JNDI requests or when the attacker has write access to the Log4j configuration, with potential for remote code execution.
- CVE-2022-23305: Apache Log4j 1.x, when configured to use JDBCAppender, is vulnerable to maliciously crafted SQL strings allowing unintended SQL queries to be executed.
- CVE-2022-23307: Apache Log4j 1.x is vulnerable to deserialization of the contents of certain log entries when the Chainsaw component is run, with potential for code execution.

A description of these vulnerabilities can be found on the Apache Log4j 1.2 Security Vulnerabilities page.
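Because the advisory ties the Log4j 1.x issues to whether the vulnerable appender is actually configured, a practical check is to audit each host's log4j.properties for the JMSAppender and JDBCAppender classes and whether any logger references them. The script below is an added example, not Mitel's or Apache's code; it assumes the standard Log4j 1.x properties syntax (`log4j.appender.<name>=<class>`, `log4j.rootLogger=<level>, <appender>...`) and works on a constructed sample configuration.

```python
import re

# Log4j 1.x appender classes the advisory names as exploitation preconditions
# (CVE-2021-4104: JMSAppender, CVE-2022-23305: JDBCAppender).
RISKY_APPENDERS = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}

# "log4j.appender.<name>=<class>" (class line only; sub-properties such as
# log4j.appender.<name>.layout have a dot after the name and do not match)
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([A-Za-z0-9_-]+)\s*[=:]\s*(\S+)")
# rootLogger / logger.<x> lines: "<level>, <appender>, <appender>..."
LOGGER_RE = re.compile(
    r"^\s*log4j\.(?:rootLogger|rootCategory|logger\.\S+?|category\.\S+?)\s*[=:]\s*(.*)$")


def find_risky_appenders(properties_text):
    """Return [{'appender', 'class', 'cve', 'attached'}] for every appender whose
    class is in RISKY_APPENDERS. 'attached' is True when some logger references
    the appender by name, i.e. it is active at runtime, not merely defined."""
    appenders, attached = {}, set()
    for line in properties_text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue  # blank line or properties-file comment
        m = APPENDER_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
            continue
        m = LOGGER_RE.match(line)
        if m:
            parts = [p.strip() for p in m.group(1).split(",")]
            attached.update(p for p in parts[1:] if p)  # first item is the level
    return [
        {"appender": name, "class": cls, "cve": RISKY_APPENDERS[cls],
         "attached": name in attached}
        for name, cls in appenders.items() if cls in RISKY_APPENDERS
    ]


# Constructed sample log4j.properties (not taken from any real deployment).
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
# defined but not attached to any logger
log4j.appender.db = org.apache.log4j.jdbc.JDBCAppender
"""

if __name__ == "__main__":
    for hit in find_risky_appenders(SAMPLE_CONFIG):
        state = "ACTIVE" if hit["attached"] else "defined, not attached"
        print(f"{hit['appender']}: {hit['class']} ({hit['cve']}) - {state}")
```

An appender that is defined but not attached is still worth removing, since an attacker with write access to the configuration (the other precondition the advisory names) would only need to reference it.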