CVE-2022-23307
Published on: 01/18/2022 12:00:00 AM UTC
Last Modified on: 02/24/2023 03:29:00 PM UTC
Certain versions of Apache Chainsaw, and of Apache Log4j 1.2.x which bundled Chainsaw, contain the following vulnerability:
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Chainsaw is a GUI log viewer that receives LoggingEvent objects from remote appenders over a network socket and reads them with Java serialization (ObjectInputStream); an attacker who can reach that listener can supply a crafted object graph, which is why the CVSS vector below is network-reachable with full confidentiality, integrity and availability impact. Because the same classes ship inside the log4j-1.2.x jar (package org.apache.log4j.chainsaw), every deployment of Log4j 1.2.x carries the affected code, although it is only reachable while the Chainsaw receiver is started and listening.
- CVE-2022-23307 has been assigned by [email protected] (the Apache Software Foundation CNA) to track the vulnerability - currently rated as HIGH severity.
- Affected Vendor/Software:
Apache Software Foundation - Apache Chainsaw (standalone), versions before 2.1.0
- Affected Vendor/Software:
Apache Software Foundation - Apache Log4j 1.x, versions >= 1.2.1 and <= 2.0-alpha1 as listed (the 1.2.x jars bundle the Chainsaw classes)
Vulnerability Patch/Work Around
- Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0.
- There is no fixed Log4j 1.x release: Log4j 1.x reached end of life in August 2015, so the bundled copy of Chainsaw is only removed by migrating off Log4j 1.x, or by moving to a distribution package that carries a backported fix (see the vendor advisories under Related QID Numbers below).
- The flaw is reachable through Chainsaw's socket receiver, which deserializes the LoggingEvent objects it is sent; a host that merely ships the classes is exposed at runtime only while that listener is running and reachable. Package-based scanners (the QIDs below) key on the package version, not on whether the receiver is running, so the affected jars should still be found and replaced.
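To find where the affected classes are actually deployed, the following Python script (an example added to this page, not code from Apache, from the advisory, or from the GitHub checker listed further down) walks a directory tree, opens every jar, war, ear or zip, recurses into archives nested inside them, and reports any archive containing classes under org/apache/log4j/chainsaw/. It reads Maven coordinates from META-INF/maven/*/*/pom.properties where present so a hit can be matched against the affected ranges above; the artifactId values it keys on (log4j, apache-log4j, chainsaw, apache-chainsaw) and the sample-jar builder used for self-testing are assumptions for illustration, not facts from the advisory. A standalone Chainsaw jar at 2.1.0 or later is reported as fixed (the only fixed release the page names); a Log4j 1.x jar carrying the classes is reported as vulnerable (no fixed 1.x release exists); any other packaging (reload4j, shaded or vendor rebuilds) is reported for review against the CPE list below. Presence of the classes is what the advisory scopes; whether the Chainsaw receiver is listening is a separate runtime check.

```python
"""Locate archives carrying the Chainsaw classes covered by CVE-2022-23307.

Added example for this page; not Apache code. Reports every archive (including
archives nested inside war/ear/fat jars) that contains org/apache/log4j/chainsaw/*.class.
"""
import io
import re
import sys
import zipfile
from pathlib import Path

CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"          # package of the affected component
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
FIXED_CHAINSAW = (2, 1, 0)                               # only fixed release named on the page
# artifactId values assumed for the two upstream packagings (assumption, not from the advisory)
CHAINSAW_ARTIFACTS = {"chainsaw", "apache-chainsaw"}
LOG4J1_ARTIFACTS = {"log4j", "apache-log4j"}


def version_tuple(version):
    """'1.2.17' -> (1, 2, 17); '2.0-alpha1' -> (2, 0, 0); unparsable -> ()."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    return tuple(int(p) for p in m.groups(default="0")) if m else ()


def maven_coordinates(zf, names):
    """(groupId, artifactId, version) from pom.properties, else manifest version, else Nones."""
    for n in names:
        m = POM_PROPS.match(n)
        if not m:
            continue
        props = {}
        for line in zf.read(n).decode("utf-8", "replace").splitlines():
            if "=" in line and not line.lstrip().startswith("#"):
                k, v = line.split("=", 1)
                props[k.strip()] = v.strip()
        return props.get("groupId", m.group(1)), props.get("artifactId", m.group(2)), props.get("version")
    if "META-INF/MANIFEST.MF" in names:
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith(("Implementation-Version:", "Bundle-Version:")):
                return None, None, line.split(":", 1)[1].strip()
    return None, None, None


def classify(artifact_id, version):
    """Status for an archive that contains the Chainsaw classes."""
    if artifact_id in CHAINSAW_ARTIFACTS:
        return "fixed" if version_tuple(version) >= FIXED_CHAINSAW else "vulnerable"
    if artifact_id in LOG4J1_ARTIFACTS:
        return "vulnerable"       # Log4j 1.x: no fixed release, classes ship in every 1.2.x jar
    return "review"               # shaded/vendor/reload4j packaging: compare with the CPE list


def scan_archive_bytes(data, name):
    """Findings for one archive given as bytes; recurses into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings               # not a zip container (e.g. a stray file named .jar)
    names = zf.namelist()
    if any(n.startswith(CHAINSAW_PREFIX) and n.endswith(".class") for n in names):
        group, artifact, version = maven_coordinates(zf, names)
        findings.append({"path": name,
                         "artifact": f"{group}:{artifact}" if artifact else None,
                         "version": version,
                         "status": classify(artifact, version)})
    for n in names:
        if n.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(scan_archive_bytes(zf.read(n), f"{name}!/{n}"))
    return findings


def scan_tree(root):
    """Scan every archive below a directory and return all findings."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive_bytes(p.read_bytes(), str(p)))
    return findings


def build_sample_jar(artifact, version, with_chainsaw=True, nested=None):
    """Constructed fixture (not a real Apache artifact) with the markers the scanner keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(f"META-INF/maven/org.example/{artifact}/pom.properties",
                    f"groupId=org.example\nartifactId={artifact}\nversion={version}\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        if with_chainsaw:
            zf.writestr("org/apache/log4j/chainsaw/LoggingReceiver.class", b"\xca\xfe\xba\xbe")
        if nested:
            zf.writestr("WEB-INF/lib/inner.jar", nested)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['status']:<10} {f['artifact'] or '?'}:{f['version'] or '?'}  {f['path']}")
```

Run it as `python3 scan_chainsaw.py /opt/app` to list findings; archives inside archives are reported with a `!/` separator (for example `app.war!/WEB-INF/lib/log4j-1.2.17.jar`), which is where Log4j 1.2.x most often hides in application-server deployments.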
CVSS3 Score: 8.8 - HIGH (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | LOW | NONE |
Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | HIGH | HIGH | HIGH |
CVSS2 Score: 9.0 - HIGH (vector AV:N/AC:L/Au:S/C:C/I:C/A:C)
Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | LOW | SINGLE |
Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
COMPLETE | COMPLETE | COMPLETE |
CVE References
Description | Source (tags) |
---|---|
No Description Provided (Apache mailing-list announcement) | lists.apache.org, text/html |
Oracle Critical Patch Update Advisory - April 2022 | www.oracle.com, text/html |
Apache log4j 1.2 | logging.apache.org, text/html |
Oracle Critical Patch Update Advisory - July 2022 | www.oracle.com, text/html |
Related QID Numbers
- 159603 Oracle Enterprise Linux Security Update for parfait:0.5 (ELSA-2022-0290)
- 159628 Oracle Enterprise Linux Security Update for log4j (ELSA-2022-0442)
- 159853 Oracle Enterprise Linux Security Update for log4j (ELSA-2022-9419)
- 179047 Debian Security Update for apache-log4j1.2 (DLA 2905-1)
- 179210 Debian Security Update for apache-log4j1.2 (CVE-2022-23307)
- 199275 Ubuntu Security Notification for Apache Log4j Vulnerabilities (USN-5998-1)
- 240034 Red Hat Update for parfait:0.5 (RHSA-2022:0289)
- 240035 Red Hat Update for parfait:0.5 (RHSA-2022:0290)
- 240036 Red Hat Update for parfait:0.5 (RHSA-2022:0291)
- 240059 Red Hat Update for JBoss Enterprise Application Platform 7.4 (RHSA-2022:0436)
- 240060 Red Hat Update for JBoss Enterprise Application Platform 6.4 (RHSA-2022:0438)
- 240062 Red Hat Update for rh-maven36-log4j12 (RHSA-2022:0439)
- 240067 Red Hat Update for log4j (RHSA-2022:0442)
- 240078 Red Hat Update for red hat jboss web server 3.1 service pack 14 (RHSA-2022:0524)
- 240209 Red Hat Update for JBoss Enterprise Application Platform 7.4.4 (RHSA-2022:1296)
- 240210 Red Hat Update for JBoss Enterprise Application Platform 7.4.4 (RHSA-2022:1297)
- 240452 Red Hat Update for parfait:0.5 (RHSA-2022:0294)
- 240508 Red Hat Update for JBoss Enterprise Application Platform 6.4.2 (RHSA-2022:5459)
- 240511 Red Hat Update for JBoss Enterprise Application Platform 6.4.2 (RHSA-2022:5460)
- 257151 CentOS Security Update for log4j (CESA-2022:0442)
- 353173 Amazon Linux Security Advisory for log4j : ALAS2-2022-1750
- 354858 Amazon Linux Security Advisory for log4j : ALAS-2023-1718
- 355080 Amazon Linux Security Advisory for log4j : AL2012-2023-404
- 376438 IBM WebSphere Application Server Arbitrary Code Execution Vulnerability (Log4Shell) (6557248)
- 376504 Apache Chainsaw Malicious Code Execution Vulnerability
- 376639 IBM Integration Bus and IBM App Connect Enterprise Apache Log4j Vulnerabilities (6568731)
- 377086 Alibaba Cloud Linux Security Update for log4j (ALINUX2-SA-2022:0010)
- 377147 Alibaba Cloud Linux Security Update for parfait:0.5 (ALINUX3-SA-2022:0006)
- 671400 EulerOS Security Update for log4j (EulerOS-SA-2022-1330)
- 671679 EulerOS Security Update for log4j (EulerOS-SA-2022-1744)
- 730542 Atlassian Confluence Server and Confluence Data Center Log4j Multiple Vulnerabilities (CONFSERVER-78991)
- 730566 Atlassian Jira Server and Data Center Log4j Vulnerability (JRASERVER-73885)
- 751667 SUSE Enterprise Linux Security Update for log4j (SUSE-SU-2022:0212-1)
- 751669 SUSE Enterprise Linux Security Update for log4j (SUSE-SU-2022:0214-1)
- 751670 OpenSUSE Security Update for log4j (openSUSE-SU-2022:0214-1)
- 751672 SUSE Enterprise Linux Security Update for log4j12 (SUSE-SU-2022:0226-1)
- 751673 OpenSUSE Security Update for log4j12 (openSUSE-SU-2022:0226-1)
- 753187 SUSE Enterprise Linux Security Update for log4j (SUSE-SU-2022:14881-1)
- 940440 AlmaLinux Security Update for parfait:0.5 (ALSA-2022:0290)
- 960689 Rocky Linux Security Update for parfait:0.5 (RLSA-2022:0290)
Exploit/POC from Github
Check and report for cve_2022_23307 (log4shell) on your system.
The "log4shell" tag on that repository is loose: Log4Shell is CVE-2021-44228, the JNDI lookup flaw in Log4j 2.x, whereas CVE-2022-23307 is a Java deserialization flaw in the Chainsaw component bundled with Log4j 1.x. The listing is a local checker, not an exploit.
Known Affected Configurations (CPE V2.3)
- cpe:2.3:a:apache:chainsaw:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*
Discovery Credit
@kingkk
Social Mentions
Title | Posted (UTC) |
---|---|
CVE-2022-23307 : CVE-2020-9493 identified a deserialization issue that was present in #Apache Chainsaw. Prior to Ch… twitter.com/i/web/status/1… | 2022-01-18 15:38:23 |
CVE-2022-23307 | 2022-01-18 16:38:40 |
New Log4j 1.2x vulnerabilities | 2022-01-21 14:49:06 |