apache chainsaw CVE-2022-23307 vulnerability in Apache and Other Products
Published on January 18, 2022

A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.

product logo product logo product logo product logo
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

NVD

Vulnerability Analysis

CVE-2022-23307 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2022-23307 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.


Products Associated with CVE-2022-23307

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-23307 are published in these products:

Apache Chainsaw
 
Apache Log4j
 
Qos Reload4j
 
Oracle Weblogic Server
 
Oracle Business Intelligence
 
Oracle Business Process Management Suite
 
Oracle Jdeveloper
 
Oracle Identity Management Suite
 
Oracle Enterprise Manager Base Platform
 
Oracle Communications Network Integrity
 
Oracle Advanced Supply Chain Planning
 
Oracle Communications Eagle Ftp Table Base Retrieval
 
Oracle Communications Messaging Server
 
Oracle Communications Unified Inventory Management
 
Oracle E Business Suite Cloud Manager Cloud Backup Module
 
Oracle Financial Services Revenue Management Billing Analytics
 
Oracle Healthcare Foundation
 
Oracle Hyperion Data Relationship Management
 
Oracle Hyperion Infrastructure Technology
 
Oracle Identity Manager Connector
 
Oracle Middleware Common Libraries Tools
 
Oracle Mysql Enterprise Monitor
 
Oracle Tuxedo
 
Oracle Retail Extract Transform Load
 
Oracle Communications Instant Messaging Server
 
Oracle Communications Offline Mediation Controller
 
Canonical Ubuntu Linux
 
Oracle
 

Affected Versions

Apache Software Foundation Apache Log4j 1.x:

Exploit Probability

EPSS
2.60%
Percentile
85.87%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.