On January 18, 2022, Apache published a security bulletin disclosing a deserialization vulnerability in Apache Log4j 1.x (CVE-2022-23307), a branch that is no longer supported or maintained. The flaw is in Chainsaw, the log viewer shipped as part of Log4j 1.2.x: when Chainsaw is configured to receive serialized Java log events, deserializing untrusted input may lead to arbitrary code execution. The same issue was previously tracked as CVE-2020-9493 against the standalone Apache Chainsaw project, and Apache Chainsaw 2.1.0 was released to fix it.
Chainsaw v2 is a companion application for Log4j written by members of the Log4j development community. It is a GUI-based log viewer that reads events in Log4j's XMLLayout format and can also receive events over the network through configurable receivers. Log4j is not configured to use Chainsaw by default.
Apache Log4j is a Java-based logging utility. Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback’s architecture.
Vulnerability Detail
CVE-2020-9493 identified a deserialization issue in Apache Chainsaw: a receiver that accepts serialized Java log events over the network hands the incoming bytes to Java deserialization, so whatever classes the sender chooses are instantiated before the event is ever inspected. An attacker who can reach such a receiver can therefore supply crafted objects, with arbitrary code execution as the worst case. Before Chainsaw v2.0, Chainsaw was a component of Apache Log4j 1.2.x, and the same issue exists in that code; CVE-2022-23307 records it for Log4j 1.x.
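As an added illustration (this is not Log4j or Chainsaw source code), the following Java program contrasts the pattern at the root of this bug class, an ObjectInputStream that instantiates whatever class arrives on the wire, with the same stream hardened by a JEP 290 ObjectInputFilter allowlist (Java 9 or later). The filter pattern, the class names in it and the sample objects are assumptions made for the demo; the page's own mitigation, covered under Solution, is to use a receiver that does not deserialize Java objects at all.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

/*
 * Added example, not Log4j or Chainsaw source. Shows why a receiver that calls
 * readObject() on network input is dangerous and how a JEP 290 ObjectInputFilter
 * (Java 9+) limits what such a stream may instantiate.
 */
public class SerializedEventReceiverDemo {

    /* Unfiltered read: the stream instantiates whatever serializable class the
     * sender put on the wire, before any application-level type check can run. */
    static Object readUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject();
        }
    }

    /* Allowlist filter. The pattern admits the Log4j 1.x event classes
     * (org.apache.log4j.spi.*), the JDK types a LoggingEvent carries, caps
     * nesting depth, and rejects everything else (!*). The exact list is an
     * assumption for this demo; a real one must be derived from the fields of
     * the event class actually being received. */
    static final ObjectInputFilter EVENT_FILTER = ObjectInputFilter.Config.createFilter(
            "org.apache.log4j.spi.*;java.lang.*;java.util.Hashtable;maxdepth=10;!*");

    /* Filtered read: the filter is consulted for every class before it is
     * resolved, so a rejected class raises InvalidClassException instead of
     * being constructed. */
    static Object readFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.setObjectInputFilter(EVENT_FILTER);
            return in.readObject();
        }
    }

    /* Helper that plays the role of the sender: serializes one object. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs. A harmless ArrayList stands in for any class a
        // sender chooses to put on the wire; a Hashtable of strings is the type
        // Log4j 1.x uses for MDC data inside a LoggingEvent.
        byte[] unexpected = serialize(new ArrayList<>(List.of("not a log event")));
        Hashtable<String, String> mdc = new Hashtable<>();
        mdc.put("user", "alice");
        byte[] expected = serialize(mdc);

        System.out.println("unfiltered, unexpected class: " + readUnfiltered(unexpected).getClass());
        System.out.println("filtered, expected class:     " + readFiltered(expected).getClass());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            // The filter reports "filter status: REJECTED" here.
            System.out.println("filtered, unexpected class:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The unfiltered path is what a serialized-event receiver amounts to: the sender controls which classes are constructed. The filtered path shows the general hardening for any code that must keep deserializing Java objects from the network; it is defense in depth, not a substitute for the receiver change recommended under Solution.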
Affected version
- Apache Log4j 1.x
- Apache Chainsaw < 2.1.0
Unaffected version
- Apache Log4j 2.x
- Apache Chainsaw 2.1.0
Solution
Apache stopped maintaining Log4j 1.x in August 2015, so no fix will be released for that branch. Upgrade to Log4j 2 for security fixes. Users who cannot upgrade immediately can temporarily mitigate CVE-2022-23307 as follows:
- Do not configure Chainsaw to read serialized log events, that is, do not run a receiver that deserializes Java LoggingEvent objects from the network. Use another receiver instead, such as XMLSocketReceiver, which parses events in XMLLayout format rather than deserializing Java objects.
- Review the Chainsaw receiver configuration and confirm that no receiver which deserializes Java objects is listening on a network port, especially one reachable from untrusted networks.