CVE-2022-23307 — HIGH (8.8)

Q: What is CVE-2022-23307?

CVE-2022-23307 is a vulnerability with a CVSS score of 8.8 (HIGH). CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Q: How severe is CVE-2022-23307?

CVE-2022-23307 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-23307?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Chainsaw, Apache Log4J, Qos Reload4J, Oracle Advanced Supply Chain Planning, Oracle Business Intelligence.

Vulnerability Description

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Chainsaw	< 2.1.0
Apache	Log4J	>= 1.2, < 2.0
Qos	Reload4J	< 1.2.18.1
Oracle	Advanced Supply Chain Planning	12.1
Oracle	Business Intelligence	5.9.0.0.0
Oracle	Business Process Management Suite	12.2.1.3.0
Oracle	Communications Eagle Ftp Table Base Retrieval	4.5
Oracle	Communications Instant Messaging Server	10.0.1.5.0
Oracle	Communications Messaging Server	8.1
Oracle	Communications Network Integrity	7.3.6
Oracle	Communications Offline Mediation Controller	< 12.0.0.4.4
Oracle	Communications Unified Inventory Management	7.4.1
Oracle	E-Business Suite Cloud Manager And Cloud Backup Module	< 2.2.1.1.1
Oracle	Enterprise Manager Base Platform	13.4.0.0
Oracle	Financial Services Revenue Management And Billing Analytics	2.7.0.0
Oracle	Healthcare Foundation	8.1.0
Oracle	Hyperion Data Relationship Management	< 11.2.8.0
Oracle	Hyperion Infrastructure Technology	< 11.2.8.0
Oracle	Identity Management Suite	12.2.1.3.0
Oracle	Identity Manager Connector	11.1.1.5.0

Related Weaknesses (CWE)

CWE-502

References

https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhhMailing ListVendor Advisory
https://logging.apache.org/log4j/1.2/index.htmlVendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhhMailing ListVendor Advisory
https://logging.apache.org/log4j/1.2/index.htmlVendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory

FAQ

What is CVE-2022-23307?

CVE-2022-23307 is a vulnerability with a CVSS score of 8.8 (HIGH). CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

How severe is CVE-2022-23307?

CVE-2022-23307 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-23307?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Chainsaw, Apache Log4J, Qos Reload4J, Oracle Advanced Supply Chain Planning, Oracle Business Intelligence.