Fluid Attacks Database

Description

Deserialization of Untrusted Data in Apache Log4j CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Users are advised to migrate from log4j:log4j to org.apache.logging.log4j:log4j for an updated version of the library.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	apache-log4j1.2	>=0 <1.2.17-11	1.2.17-11
maven	org.apache.logging.log4j:log4j	>=1.2 <2.0	2.0
maven	log4j:log4j	>=0 <=1.2.17	-
maven	org.zenframework.z8.dependencies.commons:log4j-1.2.17	>=0 <=2.0	-
debian 11	apache-log4j1.2	=1.2.17-10 \|\| >=0 <1.2.17-10+deb11u1	1.2.17-10+deb11u1
maven	org.webjars.npm:chainsaw	<0	-
debian 13	apache-log4j1.2	>=0 <1.2.17-11	1.2.17-11
debian 14	apache-log4j1.2	>=0 <1.2.17-11	1.2.17-11
rpm rhel7	log4j	<0:1.2.17-18.el7_4	0:1.2.17-18.el7_4
rpm rhel8.4	parfait	<0:0.5.4-4.module+el8.4.0+13998+1b70e2b7	0:0.5.4-4.module+el8.4.0+13998+1b70e2b7

1-10 of 13

Aliases

1. CVE-2022-233072. NVD-2022-233073. OSV-DEBIAN-2022-233074. OSV-2022-233075. GCVE-2022-233076. SECURITY-TRACKER-CVE-2022-23307

References

1. https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh2. https://logging.apache.org/log4j/1.2/index.html3. https://www.oracle.com/security-alerts/cpuapr2022.html4. https://www.oracle.com/security-alerts/cpujul2022.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.