CVE-2020-9493

Code Injection
Affects: Apache Log4j
Versions: >= 1.2, <= 1.2.17
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Chainsaw is a visualization and monitoring application used for analyzing logs generated by the Log4j framework. Chainsaw provides multiple ways to receive logs over network sockets, including serialized Java objects transmitted remotely.

A critical remote code execution vulnerability (CVE-2020-9493) was caused by unsafe deserialization of untrusted data received over network connections. An attacker can craft malicious serialized Java objects that Chainsaw will deserialize automatically, resulting in arbitrary code execution.

This flaw also indirectly affects Apache Log4j 1.x, which contains similar receiver logic (SocketReceiver, JMSSink and the Chainsaw-compatible appenders) that performs the same unsafe deserialization of log events. Because Log4j 1.x is end-of-life, it never received a fix, leaving applications that use these Chainsaw-related components exposed to remote code execution.

Per OWASP: Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation.

This vulnerability is considered critical and can be exploited without authentication when Chainsaw or Log4j1 socket receivers are exposed to untrusted networks.

Details

Module Info

Vulnerability Info

This critical vulnerability is caused by unsafe deserialization of untrusted Java objects transmitted to Chainsaw or Log4j1 receivers. When enabled, these components automatically deserialize incoming network data as log events. An attacker can send a specially crafted serialized payload that triggers:

  • arbitrary code execution
  • full remote system compromise
  • takeover of the logging host
  • execution of attacker-supplied classes

Because many deployments historically exposed Chainsaw receivers on internal networks without robust filtering or authentication, exploitation can occur with minimal effort.

Log4j 1.x shares the same deserialization logic for Chainsaw compatibility and remains vulnerable because the project reached end-of-life in 2015.

Steps To Reproduce

  • Deploy a vulnerable instance of the log visualization utility and enable a network-based receiver to listen for serialized event streams.
  • Generate a malicious serialized object payload utilizing a gadget chain capable of invoking system-level commands upon reconstruction.
  • Transmit the byte stream to the listening service to trigger an unauthenticated deserialization process that executes the embedded command on the host.

Mitigation

Apache Log4j 1.x has been end-of-life since 2015 and no longer receives community updates. Users of the affected components should apply one or more of the following mitigations:

  • Upgrade affected applications to supported versions of Log4j
  • Leverage a commercial support partner like HeroDevs for post-EOL security support
  • Disable Chainsaw receivers and Log4j 1.x SocketReceiver/JMSSink functionality
  • Avoid deserialization-based log transport mechanisms
  • Migrate to Log4j 2.x, which does not expose this vulnerability
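As an added illustration of the receiver-side mitigations above (example code written for this page, not Chainsaw's or Log4j's own), the following socket receiver applies a JDK deserialization filter that admits only LoggingEvent and the few types its serialized form contains, rejecting any other class before its readObject() can run. It assumes Java 9+ (java.io.ObjectInputFilter) and log4j 1.2.17 on the classpath; the port and class name are this example's own.

```java
import java.io.*;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import org.apache.log4j.Logger;
import org.apache.log4j.spi.LoggingEvent;

public class FilteredLogReceiver {
    // Allowlist of classes a Log4j 1.x LoggingEvent legitimately carries; "!*" rejects everything
    // else. maxdepth/maxrefs bound the object graph so a hostile stream cannot exhaust the receiver.
    static final ObjectInputFilter EVENT_FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=10;maxrefs=200;"
      + "org.apache.log4j.spi.LoggingEvent;org.apache.log4j.spi.LocationInfo;"
      + "org.apache.log4j.spi.ThrowableInformation;java.lang.String;java.util.Hashtable;!*");

    // Reads events from one connection and returns how many were accepted. A class outside the
    // allowlist causes InvalidClassException, and the connection is dropped instead of processed.
    static int handle(Socket socket) throws IOException {
        int accepted = 0;
        try (ObjectInputStream ois =
                 new ObjectInputStream(new BufferedInputStream(socket.getInputStream()))) {
            ois.setObjectInputFilter(EVENT_FILTER);   // must be set before the first readObject()
            while (true) {
                Object obj;
                try {
                    obj = ois.readObject();
                } catch (EOFException peerClosed) {
                    break;
                } catch (ClassNotFoundException unknown) {
                    break;                             // not a type this receiver knows; stop
                }
                if (!(obj instanceof LoggingEvent)) break;   // defence in depth beyond the filter
                LoggingEvent event = (LoggingEvent) obj;
                Logger.getLogger(event.getLoggerName()).callAppenders(event);
                accepted++;
            }
        } catch (InvalidClassException rejected) {
            System.err.println("rejected serialized stream from "
                + socket.getRemoteSocketAddress() + ": " + rejected.getMessage());
        }
        return accepted;
    }

    public static void main(String[] args) throws IOException {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 4560; // Log4j 1.x's default port
        // Bind to loopback only; a receiver reachable from untrusted networks is the exposure here.
        try (ServerSocket server = new ServerSocket(port, 50, InetAddress.getLoopbackAddress())) {
            while (true) {
                try (Socket client = server.accept()) {
                    System.err.println("accepted " + handle(client) + " events");
                }
            }
        }
    }
}
```

The filter only governs classes the stream resolves itself; LoggingEvent's own readObject restores its Level by looking up a class name stored in the stream, which the filter does not see. That residual exposure is why the advice above to avoid deserialization-based log transport altogether is the stronger mitigation.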

Vulnerability Details
ID: CVE-2020-9493
Project Affected: Apache Log4j
Versions Affected: >= 1.2, <= 1.2.17
NES Versions Affected:
Published date: January 5, 2026
≈ Fix date: December 9, 2025
Severity: Critical
CVSS scale: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10
Category: Code Injection