PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-23307 Apache Software Foundation CVE debrief

CVE-2022-23307 covers an insecure deserialization issue tied to Apache Chainsaw and, before Chainsaw 2.0, the Chainsaw component shipped with Apache Log4j 1.2.x. NVD scores it High (8.8) and lists affected Apache, reload4j, and multiple Oracle product CPEs, so the practical risk is broader than a standalone Apache installation.

Vendor
Apache Software Foundation
Product
Apache Log4j 1.x
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2022-01-18
Original CVE updated
2024-11-21
Advisory published
2022-01-18
Advisory updated
2024-11-21

Who should care

Security and platform teams responsible for Apache Log4j 1.2.x, Apache Chainsaw, reload4j, or Oracle products listed in NVD's affected CPE set. Prioritize environments that still package older logging components in application servers, middleware, or management tooling.

Technical summary

The CVE description states that the same deserialization issue identified as CVE-2020-9493 in Apache Chainsaw was also present where Chainsaw was a component of Apache Log4j 1.2.x prior to Chainsaw V2.0. NVD classifies the weakness as CWE-502 and assigns CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The CPE list marks Apache Chainsaw versions before 2.1.0, Apache Log4j 1.2.x before 2.0, reload4j before 1.2.18.1, and numerous Oracle products as vulnerable; review any deployment that includes those components or embeds them indirectly.

Defensive priority

High. The issue is network-reachable, low-complexity, and has high confidentiality, integrity, and availability impact in NVD's scoring, even though authenticated privileges are required.

Recommended defensive actions

  • Inventory applications, middleware, and appliances for Apache Chainsaw, Apache Log4j 1.2.x, reload4j, and Oracle products named in the NVD CPE list.
  • Remove or upgrade vulnerable logging components; for reload4j, verify the deployed version is at least 1.2.18.1 if it is used as a Log4j 1.2 replacement.
  • Apply the vendor guidance in the Apache Log4j 1.2 advisory and Oracle CPU references listed by NVD, and confirm the fixed component actually ships in the deployed build.
  • Check for embedded or transitive copies of Log4j 1.2.x or Chainsaw inside application bundles, plugins, and server distributions rather than relying on top-level package version checks.
  • Re-test exposed systems after remediation to confirm the vulnerable classes and archives are no longer present.
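One way to carry out the inventory, version and embedded-copy checks above, as an added example that is not PatchSiren or Apache tooling: it walks a JAR/WAR/EAR and every nested archive, flags Chainsaw classes wherever they sit, and compares a reload4j version numerically against 1.2.18.1. It assumes reload4j identifies itself through the Implementation-Title and Implementation-Version manifest headers; the sample WAR is constructed inline.

```python
import io
import zipfile

CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"  # Chainsaw component inside Log4j 1.2.x
NESTED = (".jar", ".war", ".ear", ".zip")        # archive types to descend into
RELOAD4J_FIXED = (1, 2, 18, 1)                   # first reload4j version outside NVD's range

def version_tuple(text):  # '1.2.18' -> (1, 2, 18, 0): numeric, so 1.2.9 < 1.2.18
    parts = [int(p) for p in text.split(".") if p.isdigit()][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def manifest_attrs(zf):  # JAR manifest headers as {name: value}, continuation lines joined
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return {}
    text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").replace("\r\n", "\n").replace("\n ", "")
    return {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in text.split("\n") if ":" in l)}

def scan_archive(data, location="archive"):  # [(location, finding)], recursing into nested archives
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a real archive despite its extension
    with zf:
        names = zf.namelist()
        if any(n.startswith(CHAINSAW_PREFIX) for n in names):
            findings.append((location, "chainsaw-classes-present"))
        attrs = manifest_attrs(zf)  # assumption: reload4j sets Implementation-Title/-Version
        ver = attrs.get("Implementation-Version", "0")
        if "reload4j" in attrs.get("Implementation-Title", "").lower() and version_tuple(ver) < RELOAD4J_FIXED:
            findings.append((location, f"reload4j-{ver}-below-1.2.18.1"))
        for n in names:  # transitive copies inside bundles, plugins, distributions
            if n.lower().endswith(NESTED):
                findings.extend(scan_archive(zf.read(n), f"{location}!/{n}"))
    return findings

def build_archive(entries):  # constructed test data only: in-memory archive from {name: str|bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a WAR whose own manifest is clean but which bundles an old Log4j 1.2
# jar carrying Chainsaw classes and a reload4j jar below 1.2.18.1.
SAMPLE_WAR = build_archive({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "WEB-INF/lib/log4j-1.2.17.jar": build_archive({CHAINSAW_PREFIX + "Main.class": b"\xca\xfe"}),
    "WEB-INF/lib/reload4j.jar": build_archive({"META-INF/MANIFEST.MF":
        "Manifest-Version: 1.0\nImplementation-Title: reload4j\nImplementation-Version: 1.2.18\n"}),
})
```

Running scan_archive(SAMPLE_WAR, "app.war") reports both nested jars even though a top-level version check on the WAR would show nothing.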

Evidence notes

Based only on the supplied CVE record and NVD references: the description links the issue to Apache Chainsaw and Apache Log4j 1.2.x; NVD maps the weakness to CWE-502; and the affected CPE set explicitly includes Apache Chainsaw <2.1.0, Apache Log4j 1.2.x <2.0, reload4j <1.2.18.1, plus multiple Oracle product families. References provided by NVD include the Apache mailing list advisory, the Apache Log4j 1.2 page, and Oracle CPU advisories from April and July 2022.

Official resources

Publicly disclosed in the CVE record on 2022-01-18. No KEV listing is present in the supplied data.