CVE-2022-23307: log4j: Unsafe deserialization flaw in Chainsaw log viewer

Bug #1969993 reported by Joe Slater
Affects: StarlingX | Status: Fix Released | Importance: Medium | Assigned to: Joe Slater | Milestone: (none)

Bug Description

Found during the March 2022 CVE scan.

CVE-2022-23307: log4j: Unsafe deserialization flaw in Chainsaw log viewer

Score:
cve_id          status  cvss2Score  av  ac  au  ai
CVE-2022-23307  fixed   10          N   L   N   P

Description:
CVE-2022-23307: CVE-2020-9493 identified a deserialization issue in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-23307
https://access.redhat.com/security/cve/CVE-2022-23307

• The 3 CVEs are fixed by CentOS per this announcement: [https://lists.centos.org/pipermail/centos-announce/2022-February/073555.html]

Required Package Versions:

log4j-1.2.17-18.el7_4.noarch.rpm

Packages:
log4j
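A defender-side check added here (not part of the bug report or of the StarlingX tools change): it compares an installed log4j package NVR against the required build using rpm-style segment comparison, so a scan or build log can be audited offline. The `rpm -qa` lines are constructed sample input, and rpm's tilde/caret ordering rules are omitted as a simplifying assumption.

```python
import re

# Fixed build named in the bug report (arch suffix dropped)
REQUIRED_NVR = "log4j-1.2.17-18.el7_4"
# Constructed sample of `rpm -qa` output, not taken from a real system
SAMPLE_RPM_QA = """\
log4j-1.2.17-16.el7.noarch
openssl-1.0.2k-19.el7.x86_64
"""
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Compare version/release strings like rpm's rpmvercmp: split into numeric
    and alphabetic segments; numeric segments compare as integers and outrank
    alphabetic ones; more segments left wins. Tilde/caret handling omitted."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(nvr: str):
    """'log4j-1.2.17-18.el7_4' -> ('log4j', '1.2.17', '18.el7_4')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def is_fixed(installed_nvr: str, required_nvr: str = REQUIRED_NVR) -> bool:
    """True when the installed version-release is at or above the fixed build."""
    iname, iver, irel = split_nvr(installed_nvr)
    rname, rver, rrel = split_nvr(required_nvr)
    if iname != rname:
        raise ValueError(f"package mismatch: {iname} vs {rname}")
    return (rpmvercmp(iver, rver) or rpmvercmp(irel, rrel)) >= 0

def audit(rpm_qa_output: str, required_nvr: str = REQUIRED_NVR) -> dict:
    """Map each installed package line for the target name to fixed (True/False)."""
    wanted = split_nvr(required_nvr)[0]
    verdicts = {}
    for pkg in rpm_qa_output.split():
        nvr = pkg.rsplit(".", 1)[0]  # drop the arch suffix
        if split_nvr(nvr)[0] == wanted:
            verdicts[pkg] = is_fixed(nvr, required_nvr)
    return verdicts
```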

Changed in starlingx:
assignee: nobody → Joe Slater (jslater0wind)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/839248

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/839248
Committed: https://opendev.org/starlingx/tools/commit/2723cbfe5aaae63089f46e6fe202524d43bf5154
Submitter: "Zuul (22348)"
Branch: master

commit 2723cbfe5aaae63089f46e6fe202524d43bf5154
Author: Joe Slater <email address hidden>
Date: Fri Apr 22 16:28:49 2022 -0400

    log4j: fix CVE-2022-23307

    Unsafe deserialization in chainsaw. Advance to
    version 1.2.17-18.el7_4.

    === Testing ===
    build-pkgs/build-iso and boot.

    log4j is not in the runtime system, nor is it in
    the mock build environment.
    ===

    Closes-bug: 1969993
    Signed-off-by: Joe Slater <email address hidden>
    Change-Id: I0e16887da7c22173c0c05c60a49bf026521d93a7

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
tags: added: stx.7.0 stx.security
Changed in starlingx:
importance: Undecided → Medium