Skip to main content

CVE-2022-23307

Severity

9.8

Description

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Mitigation

There is no non-vulnerable upgrade path for for `log4j:log4j` 1.x. We recommend upgrading to `log4j` 2.x and Apache Chainsaw 2.1.0. Alternatively, do not configure Chainsaw to read serialized log events. Use a different receiver, such as `XMLSocketReceiver`.

Reference:
[https://www.mail-archive.com/[email protected]/msg07042.html](https://www.mail-archive.com/[email protected]/msg07042.html)
[https://lists.apache.org/thread/rx0hpjow5csq05r93cyvntj9ry19tm9y](https://lists.apache.org/thread/rx0hpjow5csq05r93cyvntj9ry19tm9y)

This vulnerability has been fixed in version `1.3.0.Final` of `org.jboss.logmanager:log4j-jboss-logmanager` by removing Apache Chainsaw from the project.

Related links:

Project

Apache ActiveMQ

Category
CWE-502 Deserialization of Untrusted Data
Tags
data
Date Disclosed

2022-01-18

Date Discovered

2022-01-17

Apache ActiveMQ 5.16.x

First release:
2020-06-25
CVEs:
15
Support Lifecycle:
Namespace:
javax
5.16.05.16.15.16.25.16.3

Apache ActiveMQ 5.14.x

First release:
2016-08-02
CVEs:
24
Support Lifecycle:
Namespace:
javax
5.14.05.14.15.14.25.14.35.14.45.14.5

Apache ActiveMQ 5.13.x

First release:
2015-11-30
CVEs:
23
Support Lifecycle:
Namespace:
javax
5.13.05.13.15.13.25.13.35.13.45.13.5
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.