CVE-2022-23307
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Apache Log4j is a Java-based logging framework widely used across enterprise applications. Earlier versions of Log4j 1.x included various auxiliary components such as Apache Chainsaw, a GUI log viewer capable of remotely receiving log events.
CVE-2022-23307 identifies a critical deserialization vulnerability originally discovered in Apache Chainsaw and tracked there as CVE-2020-9493. Prior to Chainsaw version 2.0, Chainsaw was bundled as a component within Apache Log4j 1.2.x, so the same insecure deserialization flaw exists in Log4j 1.x itself, exposing systems to remote code execution when they process attacker-supplied serialized log data.
Per OWASP: Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation.
This vulnerability is considered critical and can be exploited without authentication when Chainsaw receivers or Log4j 1.x socket receivers are reachable from untrusted networks.
Details
Module Info
- Product: Apache Log4j
- Affected packages: log4j
- Affected versions: >= 1.2, <= 1.2.17
- GitHub repository: https://github.com/apache/logging-log4j1
- Published packages: https://central.sonatype.com/artifact/log4j/log4j
- Package manager: Maven
- Fixed In: NES for Apache Log4j v1.2.18
Vulnerability Info
This critical vulnerability is caused by deserialization of untrusted data in the Chainsaw component historically distributed with Log4j 1.2.x. When Chainsaw or a Log4j 1.x receiver accepts serialized log events (over a network socket or another transport), it hands the bytes straight to Java object deserialization without restricting which classes may be instantiated. Because a serialized LoggingEvent can carry arbitrary Serializable objects (for example in its copy of the MDC), an attacker can send a crafted payload whose deserialization executes arbitrary code on the receiver.
Log4j 1.x contains the same deserialization logic for Chainsaw compatibility and was never fixed: the project reached end-of-life in 2015, before the issue was reported, so every 1.2.x release remains vulnerable.
Steps To Reproduce
- Start a listener using Apache Chainsaw or a compatible Log4j 1.x socket receiver so that it accepts incoming serialized log events.
- Configure a remote logging client to send events to that listener using a network appender (for example SocketAppender) with the listener's host and port set in XML or properties configuration.
- Place a custom Serializable object in the logging context (the MDC), which is copied into the serialized LoggingEvent, so that deserializing it on the receiver side triggers an observable side effect. A harmless marker class is enough to confirm that the receiver instantiates attacker-chosen classes.
Mitigation
Apache Log4j 1.x has been end-of-life since 2015 and no longer receives community updates. Users of Log4j 1.x should apply one or more of the following mitigations:
- Upgrade affected applications to supported versions of Log4j
- Leverage a commercial support partner like HeroDevs for post-EOL security support
- Disable Chainsaw receivers and any Log4j 1.x component that deserializes events from the network (SocketServer/SocketNode, SocketReceiver, JMSSink)
- Avoid log transports that rely on Java serialization (SocketAppender/SocketHubAppender sending to a receiver); ship logs as text instead
- Migrate to Log4j 2.x, which does not expose this vulnerability
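The following is an added example, not part of this advisory and not Log4j's or Chainsaw's own code. It shows the receive pattern described under Vulnerability Info and the reproduction steps (a serialized LoggingEvent whose MDC copy carries an attacker-chosen Serializable object) beside a receiver hardened with a JEP 290 deserialization filter, which is a stopgap for a Log4j 1.x receiver that cannot yet be removed. It assumes Java 9+ and log4j:log4j:1.2.17 on the classpath (used only to build a genuine LoggingEvent in-process; nothing touches the network). The class `FilteredLogReceiver`, the methods `readUnfiltered`, `readFiltered` and `serializeEvent`, and the filter `LOGGING_EVENT_ONLY` are names chosen here; the allowlist is derived from the serialized form of the 1.2.17 LoggingEvent and should be re-checked against the jar you actually deploy. A `java.util.Date` stands in for a hostile payload; it is harmless and only proves that the unfiltered receiver instantiates whatever class the sender names.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Date;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.apache.log4j.MDC;
import org.apache.log4j.spi.LoggingEvent;

/**
 * Added example, not Log4j or Chainsaw code. Shows the receive pattern that
 * CVE-2022-23307 abuses next to a receiver hardened with a JEP 290 filter.
 * Assumes Java 9+ and log4j:log4j:1.2.17 on the classpath (used here only to
 * build a genuine LoggingEvent locally; nothing is sent over the network).
 */
public class FilteredLogReceiver {

    // Vulnerable pattern (what a Log4j 1.x socket receiver does): the sender
    // decides which classes get instantiated; any gadget chain runs before
    // the cast to LoggingEvent is ever reached.
    static LoggingEvent readUnfiltered(InputStream in)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            return (LoggingEvent) ois.readObject();
        }
    }

    // Allowlist of the classes that make up a serialized log4j 1.2.17
    // LoggingEvent (assumption: re-check against the jar you actually ship).
    // Array classes are judged by their component type, so the String[] inside
    // ThrowableInformation is covered by java.lang.String. "!*" rejects every
    // other class before its readObject/readResolve can run; the limits cap
    // graph depth, reference count and stream size.
    static final ObjectInputFilter LOGGING_EVENT_ONLY =
        ObjectInputFilter.Config.createFilter(
              "org.apache.log4j.spi.LoggingEvent;"
            + "org.apache.log4j.spi.LocationInfo;"
            + "org.apache.log4j.spi.ThrowableInformation;"
            + "java.lang.String;java.util.Hashtable;"
            + "maxdepth=8;maxrefs=1024;maxbytes=65536;!*");

    // Hardened receiver: identical stream handling, but every class descriptor
    // is checked against the allowlist before it is resolved. In a real
    // receiver, `in` would be socket.getInputStream().
    static LoggingEvent readFiltered(InputStream in)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(LOGGING_EVENT_ONLY);
            return (LoggingEvent) ois.readObject();
        }
    }

    // Builds the bytes a SocketAppender would put on the wire. The MDC is
    // copied into the event as a Hashtable of arbitrary Objects, which is the
    // channel an attacker-controlled client uses to smuggle in a payload.
    static byte[] serializeEvent(Object mdcValue) throws IOException {
        MDC.put("session", mdcValue);
        LoggingEvent event = new LoggingEvent(Logger.class.getName(),
                Logger.getLogger("demo"), Level.INFO, "user logged in", null);
        event.getMDCCopy();   // snapshot the MDC into the event now
        MDC.remove("session");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(event);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Benign event: the MDC value is a String, so the filter admits it.
        LoggingEvent ok = readFiltered(new ByteArrayInputStream(serializeEvent("abc123")));
        System.out.println("accepted: " + ok.getRenderedMessage()
                + " session=" + ok.getMDC("session"));

        // Constructed stand-in for a hostile payload: any Serializable class the
        // receiver did not expect. java.util.Date is harmless; a real attacker
        // picks a gadget chain from a library on the receiver's classpath.
        byte[] hostile = serializeEvent(new Date());

        LoggingEvent naive = readUnfiltered(new ByteArrayInputStream(hostile));
        System.out.println("unfiltered receiver instantiated "
                + naive.getMDC("session").getClass().getName());

        try {
            readFiltered(new ByteArrayInputStream(hostile));
            System.out.println("BUG: hostile event accepted");
        } catch (InvalidClassException e) {
            System.out.println("filtered receiver rejected it: " + e.getMessage());
        }
    }
}
```

Compile and run with log4j-1.2.17.jar on the classpath. The same pattern string can be applied to an unpatched Chainsaw or SocketServer JVM without touching its code via the `jdk.serialFilter` system property (Java 9+ and 8u121+), which filters every ObjectInputStream in that process; the caveat is that the trailing `!*` then also blocks any other deserialization the JVM legitimately performs, so scope the filter to the receiver process. Treat the filter as a containment measure only: the durable fix remains retiring the serialized transport and the Log4j 1.x receiver, as the mitigation list above says.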