9

CVE-2022-23307

A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheChainsaw Version < 2.1.0
ApacheLog4j Version >= 1.2 < 2.0
QosReload4j Version < 1.2.18.1
OracleBusiness Intelligence Version5.9.0.0.0 SwEditionenterprise
OracleBusiness Intelligence Version12.2.1.3.0 SwEditionenterprise
OracleBusiness Intelligence Version12.2.1.4.0 SwEditionenterprise
OracleHealthcare Foundation Version8.1.0
OracleIdentity Management Suite Version12.2.1.3.0
OracleIdentity Management Suite Version12.2.1.4.0
OracleIdentity Manager Connector Version11.1.1.5.0
OracleJdeveloper Version12.2.1.3.0
OracleMysql Enterprise Monitor Version <= 8.0.29
OracleTuxedo Version12.2.2.0.0
OracleWeblogic Server Version12.2.1.3.0
OracleWeblogic Server Version12.2.1.4.0
OracleWeblogic Server Version14.1.1.0.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 52.46% 0.988
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 9 8 10
AV:N/AC:L/Au:S/C:C/I:C/A:C
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://www.oracle.com/security-alerts/cpuapr2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch
Third Party Advisory
https://logging.apache.org/log4j/1.2/index.html
Vendor Advisory
https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh
Vendor Advisory
Mailing List