CVE-2022-23307

A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

CVE-2020-9493 identificó un problema de deserialización presente en Apache Chainsaw. Versiones anteriores a Chainsaw V2.0 Chainsaw era un componente de Apache Log4j versiones 1.2.x donde se presenta el mismo problema

A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.

*Credits: @kingkk

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-17 CVE Reserved
2022-01-18 CVE Published
2024-08-03 CVE Updated
2024-09-20 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-502: Deserialization of Untrusted Data

CAPEC

References (6)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://www.oracle.com/security-alerts/cpuapr2022.html	2023-02-24
https://www.oracle.com/security-alerts/cpujul2022.html	2023-02-24

URL	Date	SRC
https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh	2023-02-24
https://logging.apache.org/log4j/1.2/index.html	2023-02-24
https://access.redhat.com/security/cve/CVE-2022-23307	2024-08-26
https://bugzilla.redhat.com/show_bug.cgi?id=2041967	2024-08-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Chainsaw Search vendor "Apache" for product "Chainsaw"				< 2.1.0 Search vendor "Apache" for product "Chainsaw" and version " < 2.1.0"		-		Affected
Apache Search vendor "Apache"		Log4j Search vendor "Apache" for product "Log4j"				>= 1.2 < 2.0 Search vendor "Apache" for product "Log4j" and version " >= 1.2 < 2.0"		-		Affected
Qos Search vendor "Qos"		Reload4j Search vendor "Qos" for product "Reload4j"				< 1.2.18.1 Search vendor "Qos" for product "Reload4j" and version " < 1.2.18.1"		-		Affected
Oracle Search vendor "Oracle"		Advanced Supply Chain Planning Search vendor "Oracle" for product "Advanced Supply Chain Planning"				12.1 Search vendor "Oracle" for product "Advanced Supply Chain Planning" and version "12.1"		-		Affected
Oracle Search vendor "Oracle"		Advanced Supply Chain Planning Search vendor "Oracle" for product "Advanced Supply Chain Planning"				12.2 Search vendor "Oracle" for product "Advanced Supply Chain Planning" and version "12.2"		-		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				5.9.0.0.0 Search vendor "Oracle" for product "Business Intelligence" and version "5.9.0.0.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				12.2.1.3.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.3.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				12.2.1.4.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.4.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite"				12.2.1.3.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite"				12.2.1.4.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Eagle Ftp Table Base Retrieval Search vendor "Oracle" for product "Communications Eagle Ftp Table Base Retrieval"				4.5 Search vendor "Oracle" for product "Communications Eagle Ftp Table Base Retrieval" and version "4.5"		-		Affected
Oracle Search vendor "Oracle"		Communications Instant Messaging Server Search vendor "Oracle" for product "Communications Instant Messaging Server"				10.0.1.5.0 Search vendor "Oracle" for product "Communications Instant Messaging Server" and version "10.0.1.5.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Messaging Server Search vendor "Oracle" for product "Communications Messaging Server"				8.1 Search vendor "Oracle" for product "Communications Messaging Server" and version "8.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Network Integrity Search vendor "Oracle" for product "Communications Network Integrity"				7.3.6 Search vendor "Oracle" for product "Communications Network Integrity" and version "7.3.6"		-		Affected
Oracle Search vendor "Oracle"		Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller"				< 12.0.0.4.4 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version " < 12.0.0.4.4"		-		Affected
Oracle Search vendor "Oracle"		Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller"				12.0.0.5.0 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version "12.0.0.5.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.4.1 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.4.2 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.2"		-		Affected
Oracle Search vendor "Oracle"		E-business Suite Cloud Manager And Cloud Backup Module Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module"				< 2.2.1.1.1 Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" and version " < 2.2.1.1.1"		-		Affected
Oracle Search vendor "Oracle"		E-business Suite Cloud Manager And Cloud Backup Module Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module"				2.2.1.1.1 Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" and version "2.2.1.1.1"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform"				13.4.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.4.0.0"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform"				13.5.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.5.0.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics"				2.7.0.0 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7.0.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics"				2.7.0.1 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7.0.1"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics"				2.8.0.0 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.8.0.0"		-		Affected
Oracle Search vendor "Oracle"		Healthcare Foundation Search vendor "Oracle" for product "Healthcare Foundation"				8.1.0 Search vendor "Oracle" for product "Healthcare Foundation" and version "8.1.0"		-		Affected
Oracle Search vendor "Oracle"		Hyperion Data Relationship Management Search vendor "Oracle" for product "Hyperion Data Relationship Management"				< 11.2.8.0 Search vendor "Oracle" for product "Hyperion Data Relationship Management" and version " < 11.2.8.0"		-		Affected
Oracle Search vendor "Oracle"		Hyperion Infrastructure Technology Search vendor "Oracle" for product "Hyperion Infrastructure Technology"				< 11.2.8.0 Search vendor "Oracle" for product "Hyperion Infrastructure Technology" and version " < 11.2.8.0"		-		Affected
Oracle Search vendor "Oracle"		Identity Management Suite Search vendor "Oracle" for product "Identity Management Suite"				12.2.1.3.0 Search vendor "Oracle" for product "Identity Management Suite" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Identity Management Suite Search vendor "Oracle" for product "Identity Management Suite"				12.2.1.4.0 Search vendor "Oracle" for product "Identity Management Suite" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Identity Manager Connector Search vendor "Oracle" for product "Identity Manager Connector"				11.1.1.5.0 Search vendor "Oracle" for product "Identity Manager Connector" and version "11.1.1.5.0"		-		Affected
Oracle Search vendor "Oracle"		Jdeveloper Search vendor "Oracle" for product "Jdeveloper"				12.2.1.3.0 Search vendor "Oracle" for product "Jdeveloper" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Middleware Common Libraries And Tools Search vendor "Oracle" for product "Middleware Common Libraries And Tools"				12.2.1.4.0 Search vendor "Oracle" for product "Middleware Common Libraries And Tools" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Mysql Enterprise Monitor Search vendor "Oracle" for product "Mysql Enterprise Monitor"				<= 8.0.29 Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version " <= 8.0.29"		-		Affected
Oracle Search vendor "Oracle"		Retail Extract Transform And Load Search vendor "Oracle" for product "Retail Extract Transform And Load"				13.2.5 Search vendor "Oracle" for product "Retail Extract Transform And Load" and version "13.2.5"		-		Affected
Oracle Search vendor "Oracle"		Tuxedo Search vendor "Oracle" for product "Tuxedo"				12.2.2.0.0 Search vendor "Oracle" for product "Tuxedo" and version "12.2.2.0.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.3.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.4.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				14.1.1.0.0 Search vendor "Oracle" for product "Weblogic Server" and version "14.1.1.0.0"		-		Affected