CVE-2022-23307

NameCVE-2022-23307
DescriptionCVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2905-1, ELA-557-1
Debian Bugs1004482

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache-log4j1.2 (PTS)jessie, jessie (lts)1.2.17-5+deb8u2fixed
stretch (security), stretch (lts), stretch1.2.17-7+deb9u2fixed
buster1.2.17-8+deb10u2fixed
buster (security), buster (lts)1.2.17-8+deb10u1vulnerable
bullseye1.2.17-10+deb11u1fixed
sid, trixie, bookworm1.2.17-11fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apache-log4j1.2sourcejessie1.2.17-5+deb8u2ELA-557-1
apache-log4j1.2sourcestretch1.2.17-7+deb9u2DLA-2905-1
apache-log4j1.2sourcebuster1.2.17-8+deb10u2
apache-log4j1.2sourcebullseye1.2.17-10+deb11u1
apache-log4j1.2source(unstable)1.2.17-111004482

Notes

https://www.openwall.com/lists/oss-security/2022/01/18/5
Search for package or bug name: Reporting problems