CVE-2022-23307
A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.
Severity Score
8.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CVE-2020-9493 identificó un problema de deserialización presente en Apache Chainsaw. Versiones anteriores a Chainsaw V2.0 Chainsaw era un componente de Apache Log4j versiones 1.2.x donde se presenta el mismo problema
A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.
Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services. This erratum releases a new image for Red Hat Single Sign-On 7.4.10 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service for on-premise or private cloud deployments, aligning with the standalone product release. Issues addressed include code execution, deserialization, and remote SQL injection vulnerabilities.
*Credits:
@kingkk
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-01-17 CVE Reserved
- 2022-01-18 CVE Published
- 2024-08-03 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (6)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com/security-alerts/cpuapr2022.html | 2023-02-24 | |
| https://www.oracle.com/security-alerts/cpujul2022.html | 2023-02-24 |
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh | 2023-02-24 | |
| https://logging.apache.org/log4j/1.2/index.html | 2023-02-24 | |
| https://access.redhat.com/security/cve/CVE-2022-23307 | 2024-08-26 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2041967 | 2024-08-26 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Chainsaw Search vendor "Apache" for product "Chainsaw" | < 2.1.0 Search vendor "Apache" for product "Chainsaw" and version " < 2.1.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Log4j Search vendor "Apache" for product "Log4j" | >= 1.2 < 2.0 Search vendor "Apache" for product "Log4j" and version " >= 1.2 < 2.0" | - |
Affected
| ||||||
| Qos Search vendor "Qos" | Reload4j Search vendor "Qos" for product "Reload4j" | < 1.2.18.1 Search vendor "Qos" for product "Reload4j" and version " < 1.2.18.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Advanced Supply Chain Planning Search vendor "Oracle" for product "Advanced Supply Chain Planning" | 12.1 Search vendor "Oracle" for product "Advanced Supply Chain Planning" and version "12.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Advanced Supply Chain Planning Search vendor "Oracle" for product "Advanced Supply Chain Planning" | 12.2 Search vendor "Oracle" for product "Advanced Supply Chain Planning" and version "12.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Intelligence Search vendor "Oracle" for product "Business Intelligence" | 5.9.0.0.0 Search vendor "Oracle" for product "Business Intelligence" and version "5.9.0.0.0" | enterprise |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Intelligence Search vendor "Oracle" for product "Business Intelligence" | 12.2.1.3.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.3.0" | enterprise |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Intelligence Search vendor "Oracle" for product "Business Intelligence" | 12.2.1.4.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.4.0" | enterprise |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite" | 12.2.1.3.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite" | 12.2.1.4.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Eagle Ftp Table Base Retrieval Search vendor "Oracle" for product "Communications Eagle Ftp Table Base Retrieval" | 4.5 Search vendor "Oracle" for product "Communications Eagle Ftp Table Base Retrieval" and version "4.5" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Instant Messaging Server Search vendor "Oracle" for product "Communications Instant Messaging Server" | 10.0.1.5.0 Search vendor "Oracle" for product "Communications Instant Messaging Server" and version "10.0.1.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Messaging Server Search vendor "Oracle" for product "Communications Messaging Server" | 8.1 Search vendor "Oracle" for product "Communications Messaging Server" and version "8.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Network Integrity Search vendor "Oracle" for product "Communications Network Integrity" | 7.3.6 Search vendor "Oracle" for product "Communications Network Integrity" and version "7.3.6" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller" | < 12.0.0.4.4 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version " < 12.0.0.4.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Offline Mediation Controller Search vendor "Oracle" for product "Communications Offline Mediation Controller" | 12.0.0.5.0 Search vendor "Oracle" for product "Communications Offline Mediation Controller" and version "12.0.0.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management" | 7.4.1 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management" | 7.4.2 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | E-business Suite Cloud Manager And Cloud Backup Module Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" | < 2.2.1.1.1 Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" and version " < 2.2.1.1.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | E-business Suite Cloud Manager And Cloud Backup Module Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" | 2.2.1.1.1 Search vendor "Oracle" for product "E-business Suite Cloud Manager And Cloud Backup Module" and version "2.2.1.1.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform" | 13.4.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.4.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Enterprise Manager Base Platform Search vendor "Oracle" for product "Enterprise Manager Base Platform" | 13.5.0.0 Search vendor "Oracle" for product "Enterprise Manager Base Platform" and version "13.5.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" | 2.7.0.0 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" | 2.7.0.1 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.7.0.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Revenue Management And Billing Analytics Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" | 2.8.0.0 Search vendor "Oracle" for product "Financial Services Revenue Management And Billing Analytics" and version "2.8.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Healthcare Foundation Search vendor "Oracle" for product "Healthcare Foundation" | 8.1.0 Search vendor "Oracle" for product "Healthcare Foundation" and version "8.1.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Hyperion Data Relationship Management Search vendor "Oracle" for product "Hyperion Data Relationship Management" | < 11.2.8.0 Search vendor "Oracle" for product "Hyperion Data Relationship Management" and version " < 11.2.8.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Hyperion Infrastructure Technology Search vendor "Oracle" for product "Hyperion Infrastructure Technology" | < 11.2.8.0 Search vendor "Oracle" for product "Hyperion Infrastructure Technology" and version " < 11.2.8.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Identity Management Suite Search vendor "Oracle" for product "Identity Management Suite" | 12.2.1.3.0 Search vendor "Oracle" for product "Identity Management Suite" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Identity Management Suite Search vendor "Oracle" for product "Identity Management Suite" | 12.2.1.4.0 Search vendor "Oracle" for product "Identity Management Suite" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Identity Manager Connector Search vendor "Oracle" for product "Identity Manager Connector" | 11.1.1.5.0 Search vendor "Oracle" for product "Identity Manager Connector" and version "11.1.1.5.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdeveloper Search vendor "Oracle" for product "Jdeveloper" | 12.2.1.3.0 Search vendor "Oracle" for product "Jdeveloper" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Middleware Common Libraries And Tools Search vendor "Oracle" for product "Middleware Common Libraries And Tools" | 12.2.1.4.0 Search vendor "Oracle" for product "Middleware Common Libraries And Tools" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Mysql Enterprise Monitor Search vendor "Oracle" for product "Mysql Enterprise Monitor" | <= 8.0.29 Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version " <= 8.0.29" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Extract Transform And Load Search vendor "Oracle" for product "Retail Extract Transform And Load" | 13.2.5 Search vendor "Oracle" for product "Retail Extract Transform And Load" and version "13.2.5" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Tuxedo Search vendor "Oracle" for product "Tuxedo" | 12.2.2.0.0 Search vendor "Oracle" for product "Tuxedo" and version "12.2.2.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Weblogic Server Search vendor "Oracle" for product "Weblogic Server" | 12.2.1.3.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Weblogic Server Search vendor "Oracle" for product "Weblogic Server" | 12.2.1.4.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Weblogic Server Search vendor "Oracle" for product "Weblogic Server" | 14.1.1.0.0 Search vendor "Oracle" for product "Weblogic Server" and version "14.1.1.0.0" | - |
Affected
| ||||||