CVE-2022-23307

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

CVSS v3 8.8 HIGH
CVSS v2.0 9.0 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.0^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh	Mailing List Vendor Advisory
https://logging.apache.org/log4j/1.2/index.html	Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:chainsaw::::::::
	cpe:2.3:a:apache:log4j::::::::

Configuration 2 (hide)

cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*

Configuration 3 (hide)

OR	cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:::::::*
	cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:::::::*
	cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0::::enterprise:::
	cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0::::enterprise:::
	cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0::::enterprise:::
	cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:::::::*
	cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:::::::*
	cpe:2.3:a:oracle:communications_messaging_server:8.1:::::::*
	cpe:2.3:a:oracle:communications_network_integrity:7.3.6:::::::*
	cpe:2.3:a:oracle:communications_offline_mediation_controller::::::::
	cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:::::::*
	cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module::::::::
	cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:::::::*
	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:::::::*
	cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:::::::*
	cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:::::::*
	cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:::::::*
	cpe:2.3:a:oracle:healthcare_foundation:8.1.0:::::::*
	cpe:2.3:a:oracle:hyperion_data_relationship_management::::::::
	cpe:2.3:a:oracle:hyperion_infrastructure_technology::::::::
	cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:::::::*
	cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
	cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5:::::::*
	cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*

History

24 Feb 2023, 15:29

Type	Values Removed	Values Added
References	~~(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -~~	(N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory
CPE		cpe:2.3:a:oracle:communications_offline_mediation_controller:::::::: cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5:::::::* cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:::::::* cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:::::::*
First Time		Oracle communications Instant Messaging Server Oracle communications Offline Mediation Controller Oracle retail Extract Transform And Load

25 Jul 2022, 18:21

Type	Values Removed	Values Added
References		(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

16 Jun 2022, 21:16

Type	Values Removed	Values Added
References	~~(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
First Time		Oracle communications Unified Inventory Management Oracle communications Eagle Ftp Table Base Retrieval Oracle tuxedo Oracle financial Services Revenue Management And Billing Analytics Oracle business Intelligence Oracle identity Manager Connector Oracle communications Messaging Server Oracle healthcare Foundation Oracle identity Management Suite Oracle middleware Common Libraries And Tools Oracle mysql Enterprise Monitor Oracle hyperion Infrastructure Technology Oracle jdeveloper Oracle enterprise Manager Base Platform Oracle business Process Management Suite Oracle advanced Supply Chain Planning Oracle communications Network Integrity Oracle e-business Suite Cloud Manager And Cloud Backup Module Oracle hyperion Data Relationship Management Oracle Oracle weblogic Server
CPE		cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:::::::* cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:::::::* cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:::::::* cpe:2.3:a:oracle:hyperion_infrastructure_technology:::::::: cpe:2.3:a:oracle:hyperion_data_relationship_management:::::::: cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::* cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:::::::* cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:::::::* cpe:2.3:a:oracle:communications_messaging_server:8.1:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:::::::* cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0::::enterprise::: cpe:2.3:a:oracle:healthcare_foundation:8.1.0:::::::* cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:::::::: cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:::::::* cpe:2.3:a:oracle:mysql_enterprise_monitor:::::::: cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:::::::* cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:::::::* cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:::::::* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:::::::* cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:::::::* cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0::::enterprise::: cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:::::::* cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:::::::* cpe:2.3:a:oracle:communications_network_integrity:7.3.6:::::::* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:::::::* cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:::::::* cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:::::::* cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0::::enterprise::: cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*

20 Apr 2022, 00:16

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

14 Apr 2022, 16:42

Type	Values Removed	Values Added
CVSS	v2 : ~~10.0~~ v3 : ~~9.8~~	v2 : 9.0 v3 : 8.8

08 Apr 2022, 13:31

Type	Values Removed	Values Added
CPE		cpe:2.3:a:qos:reload4j::::::::
First Time		Qos reload4j Qos

24 Jan 2022, 18:30

Type	Values Removed	Values Added
First Time		Apache chainsaw Apache Apache log4j
CWE		CWE-502
References	~~(MISC) https://logging.apache.org/log4j/1.2/index.html -~~	(MISC) https://logging.apache.org/log4j/1.2/index.html - Vendor Advisory
References	~~(MISC) https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh -~~	(MISC) https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh - Mailing List, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 10.0 v3 : 9.8
CPE		cpe:2.3:a:apache:chainsaw:::::::: cpe:2.3:a:apache:log4j::::::::

18 Jan 2022, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-01-18 16:15

Updated : 2023-12-10 14:09

NVD link : CVE-2022-23307

Mitre link : CVE-2022-23307

CVE.ORG link : CVE-2022-23307

JSON object : View

Products Affected

qos

reload4j

oracle

tuxedo
healthcare_foundation
e-business_suite_cloud_manager_and_cloud_backup_module
communications_instant_messaging_server
identity_management_suite
middleware_common_libraries_and_tools
jdeveloper
communications_unified_inventory_management
enterprise_manager_base_platform
communications_eagle_ftp_table_base_retrieval
communications_messaging_server
financial_services_revenue_management_and_billing_analytics
identity_manager_connector
communications_offline_mediation_controller
communications_network_integrity
hyperion_infrastructure_technology
business_intelligence
weblogic_server
advanced_supply_chain_planning
business_process_management_suite
retail_extract_transform_and_load
hyperion_data_relationship_management
mysql_enterprise_monitor

apache

log4j
chainsaw

CWE

CWE-502

Deserialization of Untrusted Data

8.8 /10