Bug 2041967 (CVE-2022-23307) - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer
Summary: CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-23307
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2042923 2042924 2042925 2042926 2042927 2042928 2042929 2042930 2042931 2048761 2042072 2042073 2042074 2042075 2042076 2042077 2042078 2042079 2042080 2042081 2042082 2042083 2042084 2042085 2042086 2042087 2042088 2042089 2042090 2042091 2042092 2042093 2042094 2042095 2042096 2042097 2042098 2042100 2042252 2042253 2042344 2042712 2048760
Blocks: 2041943
TreeView+ depends on / blocked
 
Reported: 2022-01-18 16:02 UTC by Michael Kaplan
Modified: 2022-04-19 19:21 UTC (History)
130 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.
Clone Of:
Environment:
Last Closed: 2022-01-26 15:32:40 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:0680 0 None None None 2022-02-24 21:15:48 UTC
Red Hat Product Errata RHBA-2022:0802 0 None None None 2022-03-09 14:10:50 UTC
Red Hat Product Errata RHSA-2022:0289 0 None None None 2022-01-26 14:52:50 UTC
Red Hat Product Errata RHSA-2022:0290 0 None None None 2022-01-26 14:50:29 UTC
Red Hat Product Errata RHSA-2022:0291 0 None None None 2022-01-26 14:51:43 UTC
Red Hat Product Errata RHSA-2022:0294 0 None None None 2022-01-26 14:46:47 UTC
Red Hat Product Errata RHSA-2022:0430 0 None None None 2022-02-03 14:05:09 UTC
Red Hat Product Errata RHSA-2022:0435 0 None None None 2022-02-03 18:24:45 UTC
Red Hat Product Errata RHSA-2022:0436 0 None None None 2022-02-03 18:31:13 UTC
Red Hat Product Errata RHSA-2022:0437 0 None None None 2022-02-03 18:44:57 UTC
Red Hat Product Errata RHSA-2022:0438 0 None None None 2022-02-03 18:50:11 UTC
Red Hat Product Errata RHSA-2022:0439 0 None None None 2022-02-03 19:07:12 UTC
Red Hat Product Errata RHSA-2022:0442 0 None None None 2022-02-07 10:44:19 UTC
Red Hat Product Errata RHSA-2022:0444 0 None None None 2022-02-07 13:42:21 UTC
Red Hat Product Errata RHSA-2022:0445 0 None None None 2022-02-07 14:24:02 UTC
Red Hat Product Errata RHSA-2022:0446 0 None None None 2022-02-07 13:44:21 UTC
Red Hat Product Errata RHSA-2022:0447 0 None None None 2022-02-07 13:54:35 UTC
Red Hat Product Errata RHSA-2022:0448 0 None None None 2022-02-07 13:53:07 UTC
Red Hat Product Errata RHSA-2022:0449 0 None None None 2022-02-07 13:49:12 UTC
Red Hat Product Errata RHSA-2022:0450 0 None None None 2022-02-07 14:48:31 UTC
Red Hat Product Errata RHSA-2022:0467 0 None None None 2022-02-08 12:53:11 UTC
Red Hat Product Errata RHSA-2022:0469 0 None None None 2022-02-08 13:57:23 UTC
Red Hat Product Errata RHSA-2022:0475 0 None None None 2022-02-08 16:57:36 UTC
Red Hat Product Errata RHSA-2022:0497 0 None None None 2022-02-09 13:11:43 UTC
Red Hat Product Errata RHSA-2022:0507 0 None None None 2022-02-10 17:27:07 UTC
Red Hat Product Errata RHSA-2022:0524 0 None None None 2022-02-14 17:07:29 UTC
Red Hat Product Errata RHSA-2022:0527 0 None None None 2022-02-14 17:31:54 UTC
Red Hat Product Errata RHSA-2022:0553 0 None None None 2022-02-15 18:55:15 UTC
Red Hat Product Errata RHSA-2022:0661 0 None None None 2022-02-23 20:01:15 UTC
Red Hat Product Errata RHSA-2022:1296 0 None None None 2022-04-11 12:57:19 UTC
Red Hat Product Errata RHSA-2022:1297 0 None None None 2022-04-11 12:58:49 UTC
Red Hat Product Errata RHSA-2022:1299 0 None None None 2022-04-11 13:01:35 UTC

Description Michael Kaplan 2022-01-18 16:02:18 UTC
A deserialization flaw was found in Apache log4j 1.2.x. While reading serialized log events, they are improperly deserialized.

Note this is the same as CVE-2020-9493 which identified a deserialization issue in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x.

References:

https://www.openwall.com/lists/oss-security/2022/01/18/5

Comment 3 juneau 2022-01-18 18:07:31 UTC
Marking /services "notaffected" per previous analysis/remediation.

Comment 33 errata-xmlrpc 2022-01-26 14:46:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0294 https://access.redhat.com/errata/RHSA-2022:0294

Comment 34 errata-xmlrpc 2022-01-26 14:50:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0290 https://access.redhat.com/errata/RHSA-2022:0290

Comment 35 errata-xmlrpc 2022-01-26 14:51:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0291 https://access.redhat.com/errata/RHSA-2022:0291

Comment 36 errata-xmlrpc 2022-01-26 14:52:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0289 https://access.redhat.com/errata/RHSA-2022:0289

Comment 37 Product Security DevOps Team 2022-01-26 15:32:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-23307

Comment 39 errata-xmlrpc 2022-02-03 14:05:03 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.9

Via RHSA-2022:0430 https://access.redhat.com/errata/RHSA-2022:0430

Comment 40 errata-xmlrpc 2022-02-03 18:24:38 UTC
This issue has been addressed in the following products:

  EAP 7.4 log4j async

Via RHSA-2022:0435 https://access.redhat.com/errata/RHSA-2022:0435

Comment 41 errata-xmlrpc 2022-02-03 18:31:05 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:0436 https://access.redhat.com/errata/RHSA-2022:0436

Comment 42 errata-xmlrpc 2022-02-03 18:44:50 UTC
This issue has been addressed in the following products:

  EAP 6.4 log4j async

Via RHSA-2022:0437 https://access.redhat.com/errata/RHSA-2022:0437

Comment 43 errata-xmlrpc 2022-02-03 18:50:06 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2022:0438 https://access.redhat.com/errata/RHSA-2022:0438

Comment 44 errata-xmlrpc 2022-02-03 19:07:04 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:0439 https://access.redhat.com/errata/RHSA-2022:0439

Comment 45 errata-xmlrpc 2022-02-07 10:44:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support
  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:0442 https://access.redhat.com/errata/RHSA-2022:0442

Comment 46 errata-xmlrpc 2022-02-07 13:42:14 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0444 https://access.redhat.com/errata/RHSA-2022:0444

Comment 47 errata-xmlrpc 2022-02-07 13:44:13 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.10

Via RHSA-2022:0446 https://access.redhat.com/errata/RHSA-2022:0446

Comment 48 errata-xmlrpc 2022-02-07 13:49:05 UTC
This issue has been addressed in the following products:

  RHSSO 7.5.1

Via RHSA-2022:0449 https://access.redhat.com/errata/RHSA-2022:0449

Comment 49 errata-xmlrpc 2022-02-07 13:53:01 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 8

Via RHSA-2022:0448 https://access.redhat.com/errata/RHSA-2022:0448

Comment 50 errata-xmlrpc 2022-02-07 13:54:29 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 7

Via RHSA-2022:0447 https://access.redhat.com/errata/RHSA-2022:0447

Comment 51 errata-xmlrpc 2022-02-07 14:23:55 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0445 https://access.redhat.com/errata/RHSA-2022:0445

Comment 52 errata-xmlrpc 2022-02-07 14:48:24 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0450 https://access.redhat.com/errata/RHSA-2022:0450

Comment 53 errata-xmlrpc 2022-02-08 12:53:05 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 1.6.7

Via RHSA-2022:0467 https://access.redhat.com/errata/RHSA-2022:0467

Comment 54 errata-xmlrpc 2022-02-08 13:57:14 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.0.1

Via RHSA-2022:0469 https://access.redhat.com/errata/RHSA-2022:0469

Comment 55 errata-xmlrpc 2022-02-08 16:57:30 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2022:0475 https://access.redhat.com/errata/RHSA-2022:0475

Comment 56 errata-xmlrpc 2022-02-09 13:11:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.4.8.SP1

Via RHSA-2022:0497 https://access.redhat.com/errata/RHSA-2022:0497

Comment 57 errata-xmlrpc 2022-02-10 17:27:02 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.4.8.SP2

Via RHSA-2022:0507 https://access.redhat.com/errata/RHSA-2022:0507

Comment 58 errata-xmlrpc 2022-02-14 17:07:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2022:0524 https://access.redhat.com/errata/RHSA-2022:0524

Comment 59 errata-xmlrpc 2022-02-14 17:31:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2022:0527 https://access.redhat.com/errata/RHSA-2022:0527

Comment 60 errata-xmlrpc 2022-02-15 18:55:08 UTC
This issue has been addressed in the following products:

  Red Hat Fuse/AMQ 6.3.20

Via RHSA-2022:0553 https://access.redhat.com/errata/RHSA-2022:0553

Comment 61 errata-xmlrpc 2022-02-23 20:01:09 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10.1

Via RHSA-2022:0661 https://access.redhat.com/errata/RHSA-2022:0661

Comment 62 errata-xmlrpc 2022-04-11 12:57:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:1296 https://access.redhat.com/errata/RHSA-2022:1296

Comment 63 errata-xmlrpc 2022-04-11 12:58:41 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:1297 https://access.redhat.com/errata/RHSA-2022:1297

Comment 64 errata-xmlrpc 2022-04-11 13:01:27 UTC
This issue has been addressed in the following products:

  EAP 7.4.4 release

Via RHSA-2022:1299 https://access.redhat.com/errata/RHSA-2022:1299


Note You need to log in before you can comment on or make changes to this bug.