Home > Vulnerability Database > CVE-2023-26464

Mend.io Vulnerability Database

CVE-2023-26464

Good to know:

Date: March 10, 2023

** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Language: Java

Severity Score

7.5

Related Resources (7)

Url: https://lists.apache.org/thread/wkx6grrcjkh86crr49p4blc1v1nflj3t

Url: https://security.netapp.com/advisory/ntap-20230505-0008

Url: https://access.redhat.com/security/cve/CVE-2023-26464

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-26464

Url: https://security.netapp.com/advisory/ntap-20230505-0008/

Url: https://github.com/apache/logging-log4j2

Url: https://www.mend.io/vulnerability-database/CVE-2023-26464

Severity Score

7.5

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Top Fix

Upgrade Version

Upgrade to version org.apache.logging.log4j:log4j-core:2.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-26464

Good to know:

Date: March 10, 2023

Language: Java

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?