REDHAT-BUG-2041967
First published: Tue Jan 18 2022(Updated: )
A deserialization flaw was found in Apache log4j 1.2.x. While reading serialized log events, they are improperly deserialized. Note this is the same as <a href="https://access.redhat.com/security/cve/CVE-2020-9493">CVE-2020-9493</a> which identified a deserialization issue in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x. References: <a href="https://www.openwall.com/lists/oss-security/2022/01/18/5">https://www.openwall.com/lists/oss-security/2022/01/18/5</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Log4j | >=1.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2020-9493
- https://www.openwall.com/lists/oss-security/2022/01/18/5
- https://access.redhat.com/errata/RHSA-2022:0294
- https://access.redhat.com/errata/RHSA-2022:0290
- https://access.redhat.com/errata/RHSA-2022:0291
- https://access.redhat.com/errata/RHSA-2022:0289
- https://access.redhat.com/security/cve/cve-2022-23307
- https://access.redhat.com/errata/RHSA-2022:0430
- https://access.redhat.com/errata/RHSA-2022:0435
- https://access.redhat.com/errata/RHSA-2022:0436
- https://access.redhat.com/errata/RHSA-2022:0437
- https://access.redhat.com/errata/RHSA-2022:0438
- https://access.redhat.com/errata/RHSA-2022:0439
- https://access.redhat.com/errata/RHSA-2022:0442
- https://access.redhat.com/errata/RHSA-2022:0444
- https://access.redhat.com/errata/RHSA-2022:0446
- https://access.redhat.com/errata/RHSA-2022:0449
- https://access.redhat.com/errata/RHSA-2022:0448
- https://access.redhat.com/errata/RHSA-2022:0447
- https://access.redhat.com/errata/RHSA-2022:0445
- https://access.redhat.com/errata/RHSA-2022:0450
- https://access.redhat.com/errata/RHSA-2022:0467
- https://access.redhat.com/errata/RHSA-2022:0469
- https://access.redhat.com/errata/RHSA-2022:0475
- https://access.redhat.com/errata/RHSA-2022:0497
- https://access.redhat.com/errata/RHSA-2022:0507
- https://access.redhat.com/errata/RHSA-2022:0524
- https://access.redhat.com/errata/RHSA-2022:0527
- https://access.redhat.com/errata/RHSA-2022:0553
- https://access.redhat.com/errata/RHSA-2022:0661
- https://access.redhat.com/errata/RHSA-2022:1296
- https://access.redhat.com/errata/RHSA-2022:1297
- https://access.redhat.com/errata/RHSA-2022:1299
- https://access.redhat.com/errata/RHSA-2022:5458
- https://access.redhat.com/errata/RHSA-2022:5459
- https://access.redhat.com/errata/RHSA-2022:5460
- https://access.redhat.com/errata/RHSA-2024:5856
- https://access.redhat.com/errata/RHSA-2024:10207
- https://bugzilla.redhat.com/show_bug.cgi?id=2041967
Frequently Asked Questions
What is the severity of REDHAT-BUG-2041967?
The severity of REDHAT-BUG-2041967 is considered high due to the deserialization flaw that can lead to remote code execution.
How do I fix REDHAT-BUG-2041967?
To fix REDHAT-BUG-2041967, upgrade Apache log4j to version 1.2.17 or later, which addresses the deserialization issue.
What versions of Apache log4j are affected by REDHAT-BUG-2041967?
Apache log4j versions 1.2.0 to 1.2.16 are affected by REDHAT-BUG-2041967.
Is REDHAT-BUG-2041967 related to any other vulnerabilities?
Yes, REDHAT-BUG-2041967 is related to CVE-2020-9493, which also identifies a deserialization issue in Apache Chainsaw.
What are the potential impacts of REDHAT-BUG-2041967?
The potential impacts of REDHAT-BUG-2041967 include data compromise and unauthorized command execution due to the deserialization flaw.
- agent/type
- agent/first-publish-date
- agent/severity
- agent/description
- agent/event
- agent/references
- agent/trending
- agent/source
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-23307
- agent/last-modified-date
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/apache
- canonical/apache log4j