CVE-2022-23307

A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.

Severity Score: 8.8 (CVSS v3.1)
Exploit Likelihood: - (EPSS)
Affected Versions: - (CPE)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)
Descriptions

CVE-2020-9493 identified a deserialization issue in Apache Chainsaw. Before Chainsaw 2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists.

A flaw was found in the Log4j 1.x Chainsaw component, where the contents of certain log entries are deserialized and may permit code execution. An attacker can send a request carrying serialized data to the server; that data is deserialized when the Chainsaw component is run.

*Credits: @kingkk
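The following is an added illustration of the pattern the descriptions above refer to (CWE-502 in a receiver that deserializes log entries sent to it). It is not code from Log4j, Chainsaw or this page: the classes `ChainsawStyleReceiver`, `LogEvent` and `Gadget` are hypothetical, and `Gadget` stands in for a class already on the receiver's classpath whose `readObject` does something the sender wants (here it only records that it ran). It needs Java 9 or later for `java.io.ObjectInputFilter`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added illustration of CWE-502 in the shape the descriptions give for
 * CVE-2022-23307: a receiver that deserializes "log entries" sent to it.
 * All class names here are hypothetical; no Log4j or Chainsaw code is used.
 */
public class ChainsawStyleReceiver {

    /** The one type a log receiver legitimately expects on the wire. */
    public static final class LogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String level;
        final String message;

        LogEvent(String level, String message) {
            this.level = level;
            this.message = message;
        }

        @Override
        public String toString() {
            return level + ": " + message;
        }
    }

    /**
     * Stand-in for an attacker-chosen class that is already on the receiver's
     * classpath. Real gadget chains reach Runtime.exec through library classes;
     * this one only records that its readObject ran, which is the control-flow
     * hijack that matters.
     */
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean executed = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            executed = true; // code chosen by the sender runs before readObject() returns
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable: instantiates whatever class the stream names. */
    static Object receiveUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return ois.readObject();
        }
    }

    /**
     * Hardened: a JEP 290 allowlist. Only LogEvent may be resolved; every other
     * class is rejected while its descriptor is read, before any instance exists.
     */
    static Object receiveFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        ObjectInputFilter onlyLogEvent =
            ObjectInputFilter.Config.createFilter(LogEvent.class.getName() + ";!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            ois.setObjectInputFilter(onlyLogEvent);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new LogEvent("INFO", "user logged in"));
        byte[] hostile = serialize(new Gadget()); // constructed attacker payload

        System.out.println("unfiltered, benign : " + receiveUnfiltered(benign));
        receiveUnfiltered(hostile);
        System.out.println("unfiltered, hostile: Gadget.readObject ran = " + Gadget.executed);

        Gadget.executed = false;
        System.out.println("filtered, benign   : " + receiveFiltered(benign));
        try {
            receiveFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered, hostile  : rejected, Gadget.readObject ran = " + Gadget.executed);
        }
    }
}
```

Run with `javac ChainsawStyleReceiver.java && java ChainsawStyleReceiver`. The unfiltered path returns a `Gadget` and its `readObject` has already run by the time `readObject()` returns; the filtered path throws `InvalidClassException` for the same bytes and `Gadget.executed` stays false. The allowlist is a mitigation for code that must keep reading Java serialization; the fix the affected-versions list implies (moving to a build without the component) is the stronger option, since a filter only helps if every class on the allowlist is itself safe to deserialize.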
CVSS Scores

CVSS v3.1 (8.8, vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS v2 (vector AV:N/AC:L/Au:S/C:C/I:C/A:C)
Attack Vector: Network
Attack Complexity: Low
Authentication: Single
Confidentiality: Complete
Integrity: Complete
Availability: Complete

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-01-17 CVE Reserved
  • 2022-01-18 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-09-20 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-502: Deserialization of Untrusted Data
CAPEC
Affected Vendors, Products, and Versions

Vendor | Product                                                    | Version         | Other      | Status
Apache | Chainsaw                                                   | < 2.1.0         | -          | Affected
Apache | Log4j                                                      | >= 1.2 < 2.0    | -          | Affected
Qos    | Reload4j                                                   | < 1.2.18.1      | -          | Affected
Oracle | Advanced Supply Chain Planning                             | 12.1            | -          | Affected
Oracle | Advanced Supply Chain Planning                             | 12.2            | -          | Affected
Oracle | Business Intelligence                                      | 5.9.0.0.0       | enterprise | Affected
Oracle | Business Intelligence                                      | 12.2.1.3.0      | enterprise | Affected
Oracle | Business Intelligence                                      | 12.2.1.4.0      | enterprise | Affected
Oracle | Business Process Management Suite                          | 12.2.1.3.0      | -          | Affected
Oracle | Business Process Management Suite                          | 12.2.1.4.0      | -          | Affected
Oracle | Communications Eagle Ftp Table Base Retrieval              | 4.5             | -          | Affected
Oracle | Communications Instant Messaging Server                    | 10.0.1.5.0      | -          | Affected
Oracle | Communications Messaging Server                            | 8.1             | -          | Affected
Oracle | Communications Network Integrity                           | 7.3.6           | -          | Affected
Oracle | Communications Offline Mediation Controller                | < 12.0.0.4.4    | -          | Affected
Oracle | Communications Offline Mediation Controller                | 12.0.0.5.0      | -          | Affected
Oracle | Communications Unified Inventory Management                | 7.4.1           | -          | Affected
Oracle | Communications Unified Inventory Management                | 7.4.2           | -          | Affected
Oracle | E-business Suite Cloud Manager And Cloud Backup Module     | < 2.2.1.1.1     | -          | Affected
Oracle | E-business Suite Cloud Manager And Cloud Backup Module     | 2.2.1.1.1       | -          | Affected
Oracle | Enterprise Manager Base Platform                           | 13.4.0.0        | -          | Affected
Oracle | Enterprise Manager Base Platform                           | 13.5.0.0        | -          | Affected
Oracle | Financial Services Revenue Management And Billing Analytics| 2.7.0.0         | -          | Affected
Oracle | Financial Services Revenue Management And Billing Analytics| 2.7.0.1         | -          | Affected
Oracle | Financial Services Revenue Management And Billing Analytics| 2.8.0.0         | -          | Affected
Oracle | Healthcare Foundation                                      | 8.1.0           | -          | Affected
Oracle | Hyperion Data Relationship Management                      | < 11.2.8.0      | -          | Affected
Oracle | Hyperion Infrastructure Technology                         | < 11.2.8.0      | -          | Affected
Oracle | Identity Management Suite                                  | 12.2.1.3.0      | -          | Affected
Oracle | Identity Management Suite                                  | 12.2.1.4.0      | -          | Affected
Oracle | Identity Manager Connector                                 | 11.1.1.5.0      | -          | Affected
Oracle | Jdeveloper                                                 | 12.2.1.3.0      | -          | Affected
Oracle | Middleware Common Libraries And Tools                      | 12.2.1.4.0      | -          | Affected
Oracle | Mysql Enterprise Monitor                                   | <= 8.0.29       | -          | Affected
Oracle | Retail Extract Transform And Load                          | 13.2.5          | -          | Affected
Oracle | Tuxedo                                                     | 12.2.2.0.0      | -          | Affected
Oracle | Weblogic Server                                            | 12.2.1.3.0      | -          | Affected
Oracle | Weblogic Server                                            | 12.2.1.4.0      | -          | Affected
Oracle | Weblogic Server                                            | 14.1.1.0.0      | -          | Affected
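Most entries in the table above are products that bundle a Log4j 1.x or reload4j jar rather than the library itself, so an inventory cannot rely on package names or jar file names. The following is an added check, not code from Log4j, reload4j or this page: it walks a directory tree, opens every .jar, identifies Log4j 1.x-derived jars by the presence of `org/apache/log4j/Logger.class`, and flags those that still carry the `org.apache.log4j.chainsaw` package the descriptions name as the vulnerable component. The class name `ChainsawJarScan` and the marker entry are the author's choices; the manifest `Implementation-Version` is reported when present but is not treated as authoritative.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/**
 * Added inventory check, not from Log4j, reload4j or this page: walks a
 * directory tree, opens every .jar and reports the Log4j 1.x-derived ones,
 * flagging those that still contain the org.apache.log4j.chainsaw package.
 */
public class ChainsawJarScan {
    // Present in Log4j 1.x and reload4j; Log4j 2 lives under org/apache/logging/log4j/.
    static final String LOG4J1_MARKER = "org/apache/log4j/Logger.class";
    static final String CHAINSAW_PKG = "org/apache/log4j/chainsaw/";

    static final class Finding {
        final Path jar;
        final String version;   // Implementation-Version from the manifest, if any
        final boolean chainsaw; // true when chainsaw classes are still in the jar

        Finding(Path jar, String version, boolean chainsaw) {
            this.jar = jar;
            this.version = version;
            this.chainsaw = chainsaw;
        }

        @Override
        public String toString() {
            return (chainsaw ? "CHAINSAW PRESENT " : "no chainsaw      ") + version + "  " + jar;
        }
    }

    /** Returns null when the jar is not a Log4j 1.x build at all. */
    static Finding inspect(Path jar) throws IOException {
        boolean log4j1 = false;
        boolean chainsaw = false;
        String version = "unknown-version";
        try (JarFile jf = new JarFile(jar.toFile(), false)) {
            Manifest mf = jf.getManifest();
            if (mf != null) {
                String v = mf.getMainAttributes().getValue("Implementation-Version");
                if (v != null) version = v;
            }
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                String name = entries.nextElement().getName();
                if (name.equals(LOG4J1_MARKER)) log4j1 = true;
                else if (name.startsWith(CHAINSAW_PKG) && name.endsWith(".class")) chainsaw = true;
            }
        }
        return log4j1 ? new Finding(jar, version, chainsaw) : null;
    }

    static List<Finding> scan(Path root) throws IOException {
        List<Path> jars;
        try (Stream<Path> paths = Files.walk(root)) {
            jars = paths.filter(p -> p.toString().endsWith(".jar")).collect(Collectors.toList());
        }
        List<Finding> out = new ArrayList<>();
        for (Path jar : jars) {
            try {
                Finding f = inspect(jar);
                if (f != null) out.add(f);
            } catch (IOException e) {
                System.err.println("skipped " + jar + ": " + e.getMessage()); // corrupt or unreadable jar
            }
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        for (Finding f : scan(root)) {
            System.out.println(f);
        }
    }
}
```

Run as `java ChainsawJarScan /opt/oracle` (or any install root). Two limits to keep in mind: `Files.walk` does not descend into WAR, EAR or shaded "fat" jars, so nested copies of the library need a second pass that extracts those archives first, and a jar that lacks the chainsaw package is only clear of this CVE, not of the other Log4j 1.x issues fixed in the same reload4j release boundary the table gives (1.2.18.1).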