CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
There is no non-vulnerable upgrade path for for `log4j:log4j` 1.x. We recommend upgrading to `log4j` 2.x and Apache Chainsaw 2.1.0. Alternatively, do not configure Chainsaw to read serialized log events. Use a different receiver, such as `XMLSocketReceiver`.
[https://www.mail-archive.com/[email protected]/msg07042.html](https://www.mail-archive.com/[email protected]/msg07042.html)
This vulnerability has been fixed in version `1.3.0.Final` of `org.jboss.logmanager:log4j-jboss-logmanager` by removing Apache Chainsaw from the project.