CVE-2022-23307

Name: CVE-2022-23307
Description: CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues)
References: DLA-2905-1
Debian Bugs: 1004482

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release             Version             Status
apache-log4j1.2 (PTS)   stretch             1.2.17-7+deb9u1     vulnerable
                        stretch (security)  1.2.17-7+deb9u2     fixed
                        buster              1.2.17-8+deb10u2    fixed
                        buster (security)   1.2.17-8+deb10u1    vulnerable
                        bullseye            1.2.17-10+deb11u1   fixed
                        bookworm, sid       1.2.17-11           fixed

The information below is based on the following data on fixed versions.

Package          Type    Release     Fixed Version       Urgency  Origin      Debian Bugs
apache-log4j1.2  source  stretch     1.2.17-7+deb9u2              DLA-2905-1
apache-log4j1.2  source  buster      1.2.17-8+deb10u2
apache-log4j1.2  source  bullseye    1.2.17-10+deb11u1
apache-log4j1.2  source  (unstable)  1.2.17-11                                1004482
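
A worked check against the fixed versions listed above, added here as an example (it is not Debian tracker code and not dpkg): it reimplements dpkg's version ordering from Debian Policy section 5.6.12 in Python and applies it to the per-release fixed versions on this page. The FIXED map is transcribed from the table; the key "sid" stands for the "(unstable)" / "bookworm, sid" row. The sample versions in the main block are constructed from the status table plus one hypothetical backport version (1.2.17-11~bpo11+1) to show that a '~' suffix sorts below the plain revision.

```python
"""Compare an installed apache-log4j1.2 version with the Debian fixed
versions for CVE-2022-23307.  Added example, not Debian's or dpkg's code;
the ordering follows Debian Policy 5.6.12 (epoch, upstream, revision)."""

# Fixed versions per release, transcribed from the tracker table above.
FIXED = {
    "stretch": "1.2.17-7+deb9u2",
    "buster": "1.2.17-8+deb10u2",
    "bullseye": "1.2.17-10+deb11u1",
    "sid": "1.2.17-11",  # the "(unstable)" row
}

_DIGITS = "0123456789"


def _order(c):
    """Weight of one character in a non-digit run, as dpkg ranks them:
    '~' below everything (even end of string), digits 0, letters by code
    point, other punctuation above all letters."""
    if c == "~":
        return -1
    if c in _DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two fragments (upstream or revision), alternating between a
    non-digit run and a digit run.  Digit runs compare numerically, so
    "11" > "9" and "010" == "10"."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run, character by character; a missing character weighs 0.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros; longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split "[epoch:]upstream[-revision]"; the revision follows the last '-'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_vulnerable(release, installed):
    """True when the installed version is older than the fixed version for that release."""
    return compare_versions(installed, FIXED[release]) < 0


if __name__ == "__main__":
    # Constructed sample: rows from the status table plus a hypothetical backport.
    for release, installed in [
        ("stretch", "1.2.17-7+deb9u1"),
        ("stretch", "1.2.17-7+deb9u2"),
        ("buster", "1.2.17-8+deb10u1"),
        ("bullseye", "1.2.17-10+deb11u1"),
        ("sid", "1.2.17-11~bpo11+1"),
    ]:
        state = "vulnerable" if is_vulnerable(release, installed) else "fixed"
        print(f"{release:9} {installed:20} {state}")
```

Plain string comparison gets this wrong (it would rank 1.2.17-9 above 1.2.17-11), which is why the numeric-run rule matters. On a Debian host the value to feed in is the installed version of the binary package built from this source, for instance from `dpkg-query -W -f='${Version}' liblog4j1.2-java`. The tracker's versions only describe the Debian package: a log4j 1.2.x jar bundled inside an application is not covered by this table and will not be seen by this check.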

Notes

https://www.openwall.com/lists/oss-security/2022/01/18/5
