EGI SVG Advisories


Title:   EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk log4j version 1.2 
         chainsaw vulnerability - limited exposure in EGI - CVE-2022-23307 

Date:        2022-01-28
Updated:     2022-02-02, 2022-02-08

Affected software and risk

'CRITICAL' risk vulnerability concerning the chainsaw component in log4j 1.2

Package   : log4j 1.2
CVE ID    : CVE-2022-23307

A critical vulnerability has been announced in the chainsaw component of 
log4j 1.2. [R 1], [R 2]. The chainsaw component if used to ingest logs can
be tricked into running code injected into those logs.

This old version (out of support since 2015) is used on the PerfSonar nodes, 
but the EGI SVG is not aware of any usage of the chainsaw component in EGI 
to ingest logs. 

**UPDATE 2022-02-02 ** 

More information/corrections concerning PerfSonar, dCache, and RedHat

Actions required/recommended

Any site using log4j 1.2 is recommended to either update to a recent 
non-vulnerable version of log4j or to disable the chainsaw component. 

Component installation information

No Patch is available for log4j 1.2, which has been out of support since 
2015 [R 1]

Sites may upgrade to the most recent version of log4j if it is possible. 


**UPDATE 2022-02-02 **

Chainsaw should not be used to view logs.

chainsaw may be removed where the version of log4j from apache is installed using

zip -q -d log4j-*.jar org/apache/log4j/chainsaw/*   [R 4]

For PerfSonar, where log4j is part of the cassandra distribution:--

Where chainsaw is installed but not used apply the mitigation  [R 3]

zip -q -d /usr/share/cassandra/lib/log4j*.jar  org/apache/log4j/chainsaw/*

systemctl restart cassandra

A new esmond RPM (4.4.2-2) has been uploaded that should do the equivalent of 
this command in [R 3]. Sites running auto-updates should get the change shortly, 
otherwise a “yum update esmond” will get the new package.

For dCache:--

The dCache team has already contacted sites.

dCache admins have the following options:

- if then run embedded zookeeper: just ignore the advisory
- if they use provided zookeeper rpm - update rpms
- if they use tarball packages from apache either apply fix manually
  or switch to rpms provided by dCache

More information

From [R 1] the extent to which this vulnerability is likely to be a problem 
for EGI is limited, but the EGI SVG cannot rule out other uses.  

One Site has tested disabling chainsaw on a PerfSonar node and no problems 
were found.

**UPDATE 2022-02-02**

More information concerning RedHat is available at [R 4] 

EGI SVG is not aware of any site actually using chainsaw, but as a precaution 
sites where log4j-1* is installed should disable chainsaw. 


** WHITE information - Unlimited distribution
 - see for
   distribution restrictions **
Minor updates may be made without re-distribution to the sites


Comments or questions should be sent to svg-rat  at

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to  

report-vulnerability at

the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 99]. 

Note that this is undergoing revision.


[R 1]

[R 2] 

[R 3]

[R 4]

[R 99]


SVG was alerted to this vulnerability by David Crooks 

Yyyy-mm-dd  [EGI-SVG-2022-CVE-2022-23307] 

2022-01-24 SVG alerted to this issue by David Crooks
2022-01-24 Acknowledgement from the EGI SVG to the reporter 
2022-01-24 Investigation of vulnerability and relevance to EGI carried out, including testing that the mitigation 
2022-01-26 EGI SVG Risk Assessment completed 
2022-01-28 Advisory sent to sites
2022-02-02 Advisory updated 

This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99] in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group, we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
This advisory is subject to the Creative commons licence and 
the EGI Software Vulnerability Group must be credited. 
On behalf of the EGI SVG,