CVE-2022-23307 impact on Gateway 9.4?

Article ID: 235302

Products

API SECURITY

Issue/Introduction

Is Gateway 9.4 impacted by CVE-2022-23307, and when will a patch for Gateway 9.4 be provided?

Environment

Release : 9.4

Component : API GATEWAY

Resolution

Gateway 9.4 does not use those JAR files. However, if they exist on the Gateway server, we suggest removing them as mentioned before.

1. Take a VM snapshot first.

2. Remove the offending classes manually. You can follow this list of vulnerable classes to remove from the JAR:

zip -d <PAX Logging JAR PATH>/pax-logging-service-1.8.1.jar "org/apache/log4j/chainsaw/*"
zip -d <PAX Logging JAR PATH>/pax-logging-service-1.8.1.jar org/apache/log4j/net/SocketServer.class
zip -d <PAX Logging JAR PATH>/pax-logging-service-1.8.1.jar org/apache/log4j/net/JMSAppender.class
zip -d <PAX Logging JAR PATH>/pax-logging-service-1.8.1.jar org/apache/log4j/net/JMSSink.class
zip -d <PAX Logging JAR PATH>/pax-logging-service-1.8.1.jar org/apache/log4j/jdbc/JDBCAppender.class

This removes the problematic classes that are embedded in the JAR.
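To find which JARs on the server still carry the listed classes, and to confirm the result after running the commands above, a read-only check such as the following can be used. It is an added example, not part of the original article or the vendor's tooling; the function names are hypothetical and the sample JAR it builds is constructed with empty placeholder entries.

```python
import fnmatch
import os
import tempfile
import zipfile

# Entry patterns copied from the zip -d commands in this article.
PATTERNS = [
    "org/apache/log4j/chainsaw/*",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/JMSSink.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
]

def listed_entries(jar_path):
    """Return the file entries of one JAR that match the removal list."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(n for n in jar.namelist() if not n.endswith("/")
                      and any(fnmatch.fnmatchcase(n, p) for p in PATTERNS))

def scan_tree(root):
    """Return ({jar: matching entries}, [jars that could not be read])."""
    findings, unreadable = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                hits = listed_entries(path)
            except (zipfile.BadZipFile, OSError):
                unreadable.append(path)  # report it; do not treat as clean
                continue
            if hits:
                findings[path] = hits
    return findings, unreadable

def build_sample_tree(root):
    """Constructed sample data: empty placeholder entries, not real classes."""
    os.makedirs(os.path.join(root, "lib"))
    with zipfile.ZipFile(os.path.join(root, "lib", "pax-logging-service-1.8.1.jar"), "w") as jar:
        for name in ("org/apache/log4j/chainsaw/Main.class",
                     "org/apache/log4j/net/JMSAppender.class",
                     "org/apache/log4j/net/SocketAppender.class"):
            jar.writestr(name, b"")
    with open(os.path.join(root, "broken.jar"), "wb") as fh:
        fh.write(b"not a zip archive")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print(scan_tree(root))
```

Point `scan_tree` at the directory that holds the PAX Logging JAR; an empty findings dictionary after the `zip -d` commands means none of the listed entries remain.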