
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN323
_____________________________________________________________________

DATE                : 16/06/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Chainsaw versions prior to
                     2.1.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202106.mbox/%3cCAKpcJVYub=pfCypV+SrvAemVdFO-8qiz2pmfDOqj1deVsrj-Yw@mail.gmail.com%3e
_____________________________________________________________________

CVE-2020-9493 Apache Chainsaw: Java deserialization in Chainsaw


Description:

A deserialization flaw was found in Apache Chainsaw versions prior to
2.1.0 which could lead to malicious code execution.

Mitigation:

Don't configure Chainsaw to read serialized log events.  Use a
different receiver, such as XMLSocketReceiver.

Credit:

This issue was reported by @kingkk.



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


