CVE-2022-23307
Deserialization vulnerability in log4j:log4j

Category: Deserialization. Known public exploits: none.

What is CVE-2022-23307 About?

This vulnerability is a deserialization issue present in Apache Log4j 1.2.x, specifically within the Chainsaw component. It allows an attacker to execute arbitrary code by supplying specially crafted serialized objects. This is a critical vulnerability that can potentially lead to full system compromise. Exploitation is relatively easy once an attacker can provide malicious serialized data.

Affected Software

  • log4j:log4j
    • <=1.2.17
  • org.zenframework.z8.dependencies.commons:log4j-1.2.17
    • <=2.0

Technical Details

CVE-2022-23307 is a re-identification of a deserialization vulnerability (CVE-2020-9493) found in Apache Chainsaw, which prior to V2.0 was a component of Apache Log4j 1.2.x. The vulnerability arises because Log4j 1.2.x, particularly when handling configurations or network communications related to `org.apache.log4j.chainsaw.Chainsaw`, uses insecure deserialization. When the application processes untrusted serialized data, an attacker can embed malicious objects within that data. Upon deserialization, these objects can trigger arbitrary code execution in the context of the application. This is a common deserialization pattern that often leads to remote code execution, because the application blindly reconstructs objects from untrusted input without validating the incoming class types or sandboxing the reconstruction.
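As an added illustration (not code from this page or from the Log4j project) of the validation the paragraph says is missing: a JDK 9+ `ObjectInputFilter` allowlist applied to the stream before any object is reconstructed, so a class the endpoint never expects is rejected before its constructor or `readObject` hook can run. The `LogEventDto` type and the allowed class names are assumed placeholders; substitute the types your endpoint legitimately receives.

```java
import java.io.*;

// Hypothetical DTO standing in for whatever this endpoint legitimately receives.
final class LogEventDto implements Serializable {
    private static final long serialVersionUID = 1L;
    final String logger;
    final String message;
    LogEventDto(String logger, String message) { this.logger = logger; this.message = message; }
}

public class FilteredDeserialization {
    // Allowlist filter: only the expected classes are accepted, "!*" rejects everything else.
    // The resource limits bound the damage from deeply nested or oversized object graphs.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=8;maxarray=1024;maxbytes=65536;LogEventDto;java.lang.String;!*");

    // Deserialize with the filter installed; a rejected class raises InvalidClassException.
    static Object readChecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);   // JEP 290, java.io.ObjectInputFilter (Java 9+)
            return in.readObject();
        }
    }

    // Helper used only to build sample streams for the demonstration below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected type: passes the allowlist and is reconstructed normally.
        LogEventDto ok = (LogEventDto) readChecked(serialize(new LogEventDto("app", "started")));
        System.out.println("accepted: " + ok.logger + " / " + ok.message);

        // Constructed stand-in for a class the endpoint never expects (an untrusted stream
        // would carry some other unexpected type); the filter rejects it before it is built.
        try {
            readChecked(serialize(new java.util.ArrayList<>(java.util.List.of("x"))));
            System.out.println("unexpected: stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied process-wide with `ObjectInputFilter.Config.setSerialFilter` (or the `jdk.serialFilter` system property) when the deserializing code, as with a third-party library, cannot be changed directly.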

What is the Impact of CVE-2022-23307?

Successful exploitation may allow attackers to execute arbitrary code on the server, leading to potential full system compromise, data theft, or data destruction.

What is the Exploitability of CVE-2022-23307?

Exploitation complexity is moderate to high, as it requires crafting specific serialized payloads. No authentication is directly required if the application accepts untrusted serialized input from unauthenticated sources. Privilege requirements are determined by the application's execution context. Exploitation can be remote if the application exposes an endpoint that processes untrusted serialized data (e.g., through remote method invocation, message queues, or network protocols). Special conditions include the application relying on Apache Log4j 1.2.x and processing untrusted serialized input. Risk factors that increase the likelihood of exploitation include outdated Log4j 1.2.x deployments, applications that do not validate the integrity of serialized data, and scenarios where attackers can inject arbitrary serialized objects into a data stream processed by the application.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits are listed.

What are the Available Fixes for CVE-2022-23307?

Available Upgrade Options

  • No fixes available

Additional Resources

What are Similar Vulnerabilities to CVE-2022-23307?

Similar Vulnerabilities: CVE-2021-44228, CVE-2017-7525, CVE-2015-7450, CVE-2019-12406, CVE-2020-9493