CVE-2022-23307
Published on: 01/18/2022 12:00:00 AM UTC
Last Modified on: 04/20/2022 12:16:00 AM UTC
Certain versions of Chainsaw from Apache contain the following vulnerability:
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
- CVE-2022-23307 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
- Affected Vendor/Software: Apache Software Foundation - Apache Log4j 1.x version >= 1.2.1
- Affected Vendor/Software: Apache Software Foundation - Apache Log4j 1.x version <= 2.0-alpha1
Vulnerability Patch/Work Around
- Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0.
CVSS3 Score: 8.8 - HIGH
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | LOW | NONE |
Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | HIGH | HIGH | HIGH |
CVSS2 Score: 9 - HIGH
Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | LOW | SINGLE |
Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
COMPLETE | COMPLETE | COMPLETE |
CVE References
Description | Tags | Link |
---|---|---|
No Description Provided | text/html | lists.apache.org |
Oracle Critical Patch Update Advisory - April 2022 | text/html | www.oracle.com |
Apache log4j 1.2 - | text/html | logging.apache.org |
Related QID Numbers
- 159603 Oracle Enterprise Linux Security Update for parfait:0.5 (ELSA-2022-0290)
- 159628 Oracle Enterprise Linux Security Update for log4j (ELSA-2022-0442)
- 179047 Debian Security Update for apache-log4j1.2 (DLA 2905-1)
- 179210 Debian Security Update for apache-log4j1.2 (CVE-2022-23307)
- 240034 Red Hat Update for parfait:0.5 (RHSA-2022:0289)
- 240035 Red Hat Update for parfait:0.5 (RHSA-2022:0290)
- 240036 Red Hat Update for parfait:0.5 (RHSA-2022:0291)
- 240059 Red Hat Update for JBoss Enterprise Application Platform 7.4 (RHSA-2022:0436)
- 240060 Red Hat Update for JBoss Enterprise Application Platform 6.4 (RHSA-2022:0438)
- 240062 Red Hat Update for rh-maven36-log4j12 (RHSA-2022:0439)
- 240067 Red Hat Update for log4j (RHSA-2022:0442)
- 240078 Red Hat Update for red hat jboss web server 3.1 service pack 14 (RHSA-2022:0524)
- 240209 Red Hat Update for JBoss Enterprise Application Platform 7.4.4 (RHSA-2022:1296)
- 240210 Red Hat Update for JBoss Enterprise Application Platform 7.4.4 (RHSA-2022:1297)
- 257151 CentOS Security Update for log4j (CESA-2022:0442)
- 353173 Amazon Linux Security Advisory for log4j : ALAS2-2022-1750
- 376438 IBM WebSphere Application Server Arbitrary Code Execution Vulnerability (Log4Shell) (6557248)
- 376504 Apache Chainsaw Malicious Code Execution Vulnerability
- 671400 EulerOS Security Update for log4j (EulerOS-SA-2022-1330)
- 751667 SUSE Enterprise Linux Security Update for log4j (SUSE-SU-2022:0212-1)
- 751669 SUSE Enterprise Linux Security Update for log4j (SUSE-SU-2022:0214-1)
- 751670 OpenSUSE Security Update for log4j (openSUSE-SU-2022:0214-1)
- 751672 SUSE Enterprise Linux Security Update for log4j12 (SUSE-SU-2022:0226-1)
- 751673 OpenSUSE Security Update for log4j12 (openSUSE-SU-2022:0226-1)
- 940440 AlmaLinux Security Update for parfait:0.5 (ALSA-2022:0290)
Exploit/POC from Github
Check and report for cve_2022_23307 (log4shell) on your system.
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Apache | Chainsaw | All | All | All | All |
Application | Apache | Log4j | All | All | All | All |
Application | Qos | Reload4j | All | All | All | All |
- cpe:2.3:a:apache:chainsaw:*:*:*:*:*:*:*:*:
- cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*:
- cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*:
Discovery Credit
@kingkk
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
 | CVE-2022-23307 : CVE-2020-9493 identified a deserialization issue that was present in #Apache Chainsaw. Prior to Ch… twitter.com/i/web/status/1… | 2022-01-18 15:38:23 |
 | CVE-2022-23307 | 2022-01-18 16:38:40 |
 | New Log4j 1.2x vulnerabilities | 2022-01-21 14:49:06 |