oss-sec mailing list archives

CVE-2020-9493: Apache Chainsaw: Java deserialization in Chainsaw


From: Robert Middleton <rmiddleton () apache org>
Date: Tue, 15 Jun 2021 22:50:07 -0400

Reply-to: general () logging apache org

Description:

A deserialization flaw was found in Apache Chainsaw versions prior to
2.1.0 which could lead to malicious code execution.

Mitigation:

Don't configure Chainsaw to read serialized log events. Use a
different receiver, such as XMLSocketReceiver.
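As an added illustration (not part of the advisory and not a configuration file shipped by the Chainsaw project), the receiver configuration below contrasts the setting the advisory warns against with the one it recommends. The plugin names, the port numbers and the surrounding log4j.xml skeleton are assumed for illustration; the receiver class names are those of the log4j 1.x receiver companion classes that Chainsaw loads.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<!-- Illustrative Chainsaw receiver configuration; not a file from the Chainsaw project. -->
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">

  <!-- WEAK: SocketReceiver reads Java-serialized LoggingEvent objects from the
       wire with ObjectInputStream, so any peer that can reach the port hands the
       JVM arbitrary serialized data. This is the receiver type the advisory says
       not to use on versions before 2.1.0. Left commented out purely for contrast.
  <plugin name="serialized-receiver" class="org.apache.log4j.net.SocketReceiver">
    <param name="port" value="4445"/>   (assumed example port)
  </plugin>
  -->

  <!-- RECOMMENDED: XMLSocketReceiver accepts log events as XML text and parses
       them with an XML decoder, so no Java object deserialization takes place. -->
  <plugin name="xml-receiver" class="org.apache.log4j.net.XMLSocketReceiver">
    <param name="port" value="4448"/>   <!-- assumed example port -->
  </plugin>

  <root>
    <level value="debug"/>
  </root>
</log4j:configuration>
```

The XML receiver still listens on the network, so it belongs behind the same host firewall rules as any other log collection port; the change removes the Java deserialization sink, not the exposure of the listener itself.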

Credit:

This issue was reported by @kingkk

