Vulnerability Name:

CVE-2022-23307 (CCN-217462)

Assigned: 2022-01-18
Published: 2022-01-18
Updated: 2023-02-24
Summary: CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists.
CVSS v3 Severity: 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): Low
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): High
  Availability (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): High
  Availability (A): High
8.8 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): Low
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): High
  Availability (A): High
CVSS v2 Severity: 9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): Single_Instance
Impact Metrics:
  Confidentiality (C): Complete
  Integrity (I): Complete
  Availability (A): Complete
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Complete
  Integrity (I): Complete
  Availability (A): Complete
Vulnerability Type: CWE-502
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2022-23307

Source: XF
Type: UNKNOWN
apache-cve202223307-code-exec(217462)

Source: security@apache.org
Type: Mailing List, Vendor Advisory
security@apache.org

Source: CCN
Type: Apache Web site
Apache Chainsaw

Source: CCN
Type: Apache Web site
Apache log4j 1.2

Source: security@apache.org
Type: Vendor Advisory
security@apache.org

Source: CCN
Type: oss-sec Mailing List, Tue, 18 Jan 2022 14:42:56 +0000
CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution

Source: CCN
Type: IBM Security Bulletin 6550822 (Db2 Web Query for i)
Due to use of Apache Log4j, IBM Db2 Web Query for i is vulnerable to arbitrary code execution (CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307) and SQL injection (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6551856 (Netezza Analytics for NPS)
Log4j vulnerabilities affect IBM Netezza Analytics for NPS

Source: CCN
Type: IBM Security Bulletin 6554466 (Netezza Analytics)
Log4j vulnerabilities affect IBM Netezza Analytics

Source: CCN
Type: IBM Security Bulletin 6555376 (Cognos Command Center)
IBM Cognos Command Center is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6557000 (App Connect for Healthcare)
IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307)

Source: CCN
Type: IBM Security Bulletin 6557194 (Sterling Connect:Direct Web Services)
IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23307)

Source: CCN
Type: IBM Security Bulletin 6557248 (WebSphere Application Server)
IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to arbitrary code execution and SQL injection due to Apache Log4j. (CVE-2022-23302, CVE-2022-23307, CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6563857 (Tivoli Netcool/OMNIbus)
Due to use of Apache Log4j, IBM Netcool/OMNIbus Probe DSL Factory Framework is vulnerable to arbitrary code execution (CVE-2022-23302, CVE-2022-23307) and SQL injection (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6565333 (WebSphere Extreme Scale)
IBM WebSphere eXtreme Scale is vulnerable to arbitrary code execution due to Apache Log4j v1.x (CVE-2022-23307)

Source: CCN
Type: IBM Security Bulletin 6568675 (Spectrum Discover)
IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses

Source: CCN
Type: IBM Security Bulletin 6568731 (App Connect Enterprise)
IBM App Connect Enterprise & IBM Integration Bus are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307, CVE-2022-23302) and SQL injection due to Apache Log4j (CVE-2022-23305)

Source: CCN
Type: IBM Security Bulletin 6571205 (Tivoli Netcool/Impact)
IBM Tivoli Netcool Impact is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307)

Source: CCN
Type: IBM Security Bulletin 6584095 (Curam SPM)
Curam Social Program Management is vulnerable to arbitrary code execution and SQL injection issues due to Apache Log4j (CVE-2022-23302, CVE-2022-23305, CVE-2022-23307)

Source: CCN
Type: IBM Security Bulletin 6585004 (CCA for MTM 4767 for Linux x64)
Crypto Hardware Initialization and Maintenance is vulnerable to arbitrary code execution due to Apache Log4j (CVE 2021-4104, CVE 2022-23302, CVE 2022-23305, CVE 2022-23307)

Source: CCN
Type: IBM Security Bulletin 6590835 (Cloud Pak System)
Multiple vulnerabilities in Apache Log4j affect IBM Cloud Pak System

Source: CCN
Type: IBM Security Bulletin 6602545 (OpenPages with Watson)
IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23307).

Source: CCN
Type: IBM Security Bulletin 6605865 (Security Verify Information Queue)
Multiple vulnerabilities in IBM Security Verify Information Queue connect image (CVE-2020-9493, CVE-2022-23307)

Source: CCN
Type: IBM Security Bulletin 6606605 (Log Analysis)
Multiple vulnerabilities in log4j-1.2.16.jar used by IBM Operations Analytics - Log Analysis

Source: CCN
Type: IBM Security Bulletin 6610084 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including remote code execution in Apache Log4j 1.x

Source: CCN
Type: IBM Security Bulletin 6829357 (InfoSphere Information Server)
IBM InfoSphere Information Server may be affected by vulnerabilities in Apache log4j 1.x version

Source: CCN
Type: IBM Security Bulletin 6830971 (Sterling Order Management)
IBM Sterling Order Management migration strategy to Apache Log4j vulnerability (see CVEs below)

Source: CCN
Type: IBM Security Bulletin 6830973 (Sterling Order Management)
IBM Sterling Order Management migration strategy to Apache Log4j vulnerability [CVE-2022-23307]

Source: CCN
Type: IBM Security Bulletin 6848225 (Netcool Operations Insight)
Netcool Operations Insight v1.6.7 contains fixes for multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6966636 (Cloud Pak for Data System)
IBM Cloud Pak for Data System (CPDS) is vulnerable to arbitrary code execution due to Apache Log4j [CVE-2022-23307]

Source: CCN
Type: IBM Security Bulletin 6970111 (Cloud Pak for Data System)
IBM Cloud Pak for Data System (CPDS) is vulnerable to arbitrary code execution due to Apache Log4j [CVE-2022-23307]

Source: security@apache.org
Type: Patch, Third Party Advisory
security@apache.org

Source: CCN
Type: Oracle CPUJul2022
Oracle Critical Patch Update Advisory - July 2022

Source: security@apache.org
Type: Patch, Third Party Advisory
security@apache.org

Vulnerable Configuration:
Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*
Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*
Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*
Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*
Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*
Configuration RedHat 8:
  • cpe:/o:redhat:rhel_els:6:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:apache:chainsaw:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:log4j:1.2:-:*:*:*:*:*:*
  AND
  • cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_extreme_scale:8.6.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:cognos_command_center:10.2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:21.0.0.12:*:*:*:liberty:*:*:*
  • OR cpe:/a:ibm:security_verify_information_queue:10.0.2:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8038 | P | log4j12-javadoc-1.2.17-4.9.1 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:7714 | P | log4j12-1.2.17-4.9.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:3121 | P | krb5-appl-clients-1.0.3-1.2 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3407 | P | xorg-x11-libs-7.6-45.14 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94751 | P | log4j12-1.2.17-4.9.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:95037 | P | log4j12-javadoc-1.2.17-4.9.1 on GA media (Moderate) | 2022-06-22
oval:com.redhat.rhsa:def:20220442 | P | RHSA-2022:0442: log4j security update (Important) | 2022-02-07
oval:org.opensuse.security:def:119100 | P | Security update for log4j12 (Important) | 2022-01-28
oval:org.opensuse.security:def:94457 | P | (Important) | 2022-01-28
oval:org.opensuse.security:def:922 | P | Security update for log4j12 (Important) | 2022-01-28
oval:org.opensuse.security:def:93822 | P | (Important) | 2022-01-28
oval:org.opensuse.security:def:100743 | P | (Important) | 2022-01-28
oval:org.opensuse.security:def:119240 | P | Security update for log4j12 (Important) | 2022-01-28
oval:org.opensuse.security:def:1184 | P | Security update for log4j12 (Important) | 2022-01-28
oval:org.opensuse.security:def:118745 | P | Security update for log4j12 (Important) | 2022-01-28
oval:org.opensuse.security:def:94036 | P | (Important) | 2022-01-28
oval:org.opensuse.security:def:101614 | P | Security update for log4j12 (Important) | 2022-01-28
oval:org.opensuse.security:def:119430 | P | Security update for log4j12 (Important) | 2022-01-28
oval:org.opensuse.security:def:100071 | P | (Important) | 2022-01-28
oval:org.opensuse.security:def:118935 | P | Security update for log4j12 (Important) | 2022-01-28
oval:org.opensuse.security:def:94248 | P | (Important) | 2022-01-28
oval:org.opensuse.security:def:101845 | P | Security update for log4j12 (Important) | 2022-01-28
oval:org.opensuse.security:def:119615 | P | Security update for log4j12 (Important) | 2022-01-28
oval:org.opensuse.security:def:100409 | P | (Important) | 2022-01-28
oval:org.opensuse.security:def:125736 | P | Security update for log4j (Important) | 2022-01-27
oval:org.opensuse.security:def:6076 | P | Security update for log4j (Important) | 2022-01-27
oval:org.opensuse.security:def:126902 | P | Security update for log4j (Important) | 2022-01-27
oval:org.opensuse.security:def:127299 | P | Security update for log4j (Important) | 2022-01-27
oval:org.opensuse.security:def:5278 | P | Security update for log4j (Important) | 2022-01-27
oval:com.redhat.rhsa:def:20220290 | P | RHSA-2022:0290: parfait:0.5 security update (Important) | 2022-01-26