CVE-2022-23307 vulnerability in Apache and Other Products
Published on January 18, 2022
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Vulnerability Analysis
CVE-2022-23307 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2022-23307 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2022-23307
You can be notified by stack.watch whenever vulnerabilities like CVE-2022-23307 are published in these products:
What versions are vulnerable to CVE-2022-23307?
-
Apache Chainsaw
Fixed in Version 2.1.0
-
Apache Log4j
Version 1.2
Fixed in Version 2.0
-
Qos Reload4j
Fixed in Version 1.2.18.1
-
Oracle Weblogic Server
Version 12.2.1.3.0
-
Oracle Business Intelligence
Version 12.2.1.3.0
-
Oracle Business Process Management Suite
Version 12.2.1.3.0
-
Oracle Jdeveloper
Version 12.2.1.3.0
-
Oracle Identity Management Suite
Version 12.2.1.3.0
-
Oracle Business Intelligence
Version 12.2.1.4.0
-
Oracle Weblogic Server
Version 12.2.1.4.0
-
Oracle Weblogic Server
Version 14.1.1.0.0
-
Oracle Enterprise Manager Base Platform
Version 13.4.0.0
-
Oracle Communications Network Integrity
Version 7.3.6
-
Oracle Business Process Management Suite
Version 12.2.1.4.0
-
Oracle Advanced Supply Chain Planning
Version 12.2
-
Oracle Advanced Supply Chain Planning
Version 12.1
-
Oracle Communications Unified Inventory Management
Version 7.4.1
-
Oracle Enterprise Manager Base Platform
Version 13.5.0.0
-
Oracle Communications Messaging Server
Version 8.1
-
Oracle Business Intelligence
Version 5.9.0.0.0
-
Oracle Healthcare Foundation
Version 8.1.0
-
Oracle Communications Eagle Ftp Table Base Retrieval
Version 4.5
-
Oracle Retail Extract Transform Load
Version 13.2.5
-
Oracle Identity Manager Connector
Version 11.1.1.5.0
-
Oracle Communications Unified Inventory Management
Version 7.4.2
-
Oracle Communications Instant Messaging Server
Version 10.0.1.5.0
-
Oracle Middleware Common Libraries Tools
Version 12.2.1.4.0
-
Oracle Identity Management Suite
Version 12.2.1.4.0
-
Oracle Financial Services Revenue Management Billing Analytics
Version 2.7.0.0
-
Oracle Hyperion Data Relationship Management
Fixed in Version 11.2.8.0
-
Oracle Financial Services Revenue Management Billing Analytics
Version 2.8.0.0
-
Oracle Mysql Enterprise Monitor
Up to Version 8.0.29
-
Oracle Hyperion Infrastructure Technology
Fixed in Version 11.2.8.0
-
Oracle Tuxedo
Version 12.2.2.0.0
-
Oracle E Business Suite Cloud Manager Cloud Backup Module
Fixed in Version 2.2.1.1.1
-
Oracle E Business Suite Cloud Manager Cloud Backup Module
Version 2.2.1.1.1
-
Oracle Financial Services Revenue Management Billing Analytics
Version 2.7.0.1
-
Oracle Communications Offline Mediation Controller
Version 12.0.0.5.0
-
Oracle Communications Offline Mediation Controller
Fixed in Version 12.0.0.4.4