Posted to dev@heron.apache.org by "Windham Wong @ StormEye.io" <wi...@stormeye.io> on 2022/01/19 01:23:26 UTC

Fwd: [oss-security] CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.

We got another Log4j critical issue here..

Regards J,
*Windham Wong*
OSWE, OSCP, GCIA, Specialist in Cybersecurity
Co-Founder, Managing Partner of
*Stormeye.io, Hong Kong Managed Security Operation Center Limited*
Specialist in Cybersecurity, Log Management and SIEM System
<https://www.stormeye.io>
Email // windham.wong@stormeye.io
Phone // +852 3590 2212 | +852 9832 0707 <tel:+85235902212>
Fax // +852 3590 2202 <tel:+85235902202>

-------- Forwarded Message --------
Subject: [oss-security] CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.
Date: Tue, 18 Jan 2022 14:42:56 +0000
From: Ralph Goers <rg...@apache.org>
Reply-To: oss-security@lists.openwall.com
To: oss-security@lists.openwall.com

Severity: Critical

Description:

CVE-2020-9493 identified a deserialization issue that was present in
Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of
Apache Log4j 1.2.x, where the same issue exists.

Mitigation:

Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0.

Credit:

@kingkk
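
An inventory check a maintainer can run over a build output or deployment directory before and after the Log4j 2 migration, added here as an example and not code from this thread or the Heron project: it flags jars that carry both the Log4j 1.x package and the Chainsaw package the advisory names. The entry paths are assumed from the Log4j 1.2.x jar layout, the sample jars are constructed in memory, and the manifest Implementation-Version field is read only when a jar happens to carry it.

```python
import io
import zipfile
from pathlib import Path

LOG4J1_MARKER = "org/apache/log4j/Category.class"   # core class of the Log4j 1.x package
CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"      # Chainsaw classes shipped inside Log4j 1.2.x
LOG4J2_PREFIX = "org/apache/logging/log4j/core/"    # Log4j 2 core lives in a different package

def classify_jar(data: bytes) -> dict:
    """Inspect one jar (raw bytes) by entry names and manifest only; nothing in it is run."""
    report = {"log4j1_api": False, "chainsaw": False, "log4j2_core": False, "version": None}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        report["log4j1_api"] = LOG4J1_MARKER in names
        report["chainsaw"] = any(n.startswith(CHAINSAW_PREFIX) for n in names)
        report["log4j2_core"] = any(n.startswith(LOG4J2_PREFIX) for n in names)
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                # Assumption: the build wrote Implementation-Version; not every jar has it.
                if line.startswith("Implementation-Version:"):
                    report["version"] = line.split(":", 1)[1].strip()
    # The Log4j 2 bridge (log4j-1.2-api) also ships org.apache.log4j classes, so the
    # 1.x package alone is not proof of Log4j 1.x; the Chainsaw package is decisive.
    report["affected"] = report["log4j1_api"] and report["chainsaw"]
    return report

def scan_tree(root) -> dict:
    """Walk a directory and return {path: report} for every jar flagged as affected."""
    hits = {}
    for jar_path in Path(root).rglob("*.jar"):
        try:
            report = classify_jar(jar_path.read_bytes())
        except zipfile.BadZipFile:
            continue  # not a real jar; skip rather than guess
        if report["affected"]:
            hits[str(jar_path)] = report
    return hits

def build_sample_jar(entries, version=None) -> bytes:
    """Constructed fixture: a jar containing only the given (empty) entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if version:
            z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for name in entries:
            z.writestr(name, b"")
    return buf.getvalue()

SAMPLE_LOG4J1 = build_sample_jar([LOG4J1_MARKER, CHAINSAW_PREFIX + "Main.class"], "1.2.17")  # constructed
SAMPLE_BRIDGE = build_sample_jar([LOG4J1_MARKER, "org/apache/log4j/Logger.class"], "2.17.1")  # constructed
```

Run `scan_tree("/path/to/deployment")` against the real tree; an empty result after the upgrade is the check that no Log4j 1.2.x jar with Chainsaw remains on the classpath.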

Re: [oss-security] CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.

Posted by Ning Wang <wa...@gmail.com>.
thanks. sigh.

On Fri, Jan 21, 2022 at 12:57 PM Nicholas Nezis <ni...@gmail.com>
wrote:

> I've created a Github issue here:
> https://github.com/apache/incubator-heron/issues/3762
>
> On Fri, Jan 21, 2022 at 3:54 PM Nicholas Nezis <ni...@gmail.com>
> wrote:
>
> > There is a log4j 1.x -> 2.x migration guide.
> > https://logging.apache.org/log4j/2.x/manual/migration.html
> >
> > They provide a bridge adapter that might help. I was planning to add that
> > dependency and set an explicit 2.17.1 log4j dependency and see if it
> works.
> >
> > On Wed, Jan 19, 2022 at 9:22 PM Josh Fischer <jo...@joshfischer.io>
> wrote:
> >
> >> Hi Windham,
> >>
> >> Do you have any idea of the level of complexity for us to upgrade log4j?
> >>
> >> On Tue, Jan 18, 2022 at 7:30 PM Windham Wong @ StormEye.io <
> >> windham.wong@stormeye.io> wrote:
> >>
> >> > We got another Log4j critical issue here..

Re: [oss-security] CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.

Posted by Nicholas Nezis <ni...@gmail.com>.
I've created a Github issue here:
https://github.com/apache/incubator-heron/issues/3762

On Fri, Jan 21, 2022 at 3:54 PM Nicholas Nezis <ni...@gmail.com>
wrote:

> There is a log4j 1.x -> 2.x migration guide.
> https://logging.apache.org/log4j/2.x/manual/migration.html
>
> They provide a bridge adapter that might help. I was planning to add that
> dependency and set an explicit 2.17.1 log4j dependency and see if it works.
>
> On Wed, Jan 19, 2022 at 9:22 PM Josh Fischer <jo...@joshfischer.io> wrote:
>
>> Hi Windham,
>>
>> Do you have any idea of the level of complexity for us to upgrade log4j?
>>
>> On Tue, Jan 18, 2022 at 7:30 PM Windham Wong @ StormEye.io <
>> windham.wong@stormeye.io> wrote:
>>
>> > We got another Log4j critical issue here..

Re: [oss-security] CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.

Posted by Nicholas Nezis <ni...@gmail.com>.
There is a log4j 1.x -> 2.x migration guide.
https://logging.apache.org/log4j/2.x/manual/migration.html

They provide a bridge adapter that might help. I was planning to add that
dependency and set an explicit 2.17.1 log4j dependency and see if it works.

On Wed, Jan 19, 2022 at 9:22 PM Josh Fischer <jo...@joshfischer.io> wrote:

> Hi Windham,
>
> Do you have any idea of the level of complexity for us to upgrade log4j?
>
> On Tue, Jan 18, 2022 at 7:30 PM Windham Wong @ StormEye.io <
> windham.wong@stormeye.io> wrote:
>
> > We got another Log4j critical issue here..

Re: [oss-security] CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.

Posted by Josh Fischer <jo...@joshfischer.io>.
Hi Windham,

Do you have any idea of the level of complexity for us to upgrade log4j?

On Tue, Jan 18, 2022 at 7:30 PM Windham Wong @ StormEye.io <
windham.wong@stormeye.io> wrote:

> We got another Log4j critical issue here..