How CVE-2022-23307 affects Xeams

On Jan 18, 2022, the National Institute of Standards and Technology (NIST) logged a new vulnerability in Chainsaw, which also affects Log4J. Log4J is a common library from the Apache Foundation used in products published by many companies, including Xeams.

Chainsaw is a GUI-based application that can be used to view log files. Although Xeams does not use this application internally, a third-party library used by Xeams bundles it. Therefore, a user with malicious intent and access to the machine running Xeams could run this application.

Patching Your End

Note: The following steps are not necessary if you downloaded Xeams after August 01, 2022.

Although Xeams is not directly affected, out of an abundance of caution, follow the steps below if you would like to patch this library on your end.

  • Download a modified version of log4j.jar from here. This modified version does not contain classes for Chainsaw, SocketServer, and JMSAppender. Since these classes are not used, you will not get any runtime errors in Xeams.
  • The MD5 checksum of the downloaded file should be 22486aa01a6352b8c6068cf9dd545221.
  • Stop Xeams.
  • Replace the existing log4j.jar on your machine with the downloaded file. Use the following table to determine the actual location:

    Software   Operating System   Location
    Xeams      Windows            C:\Xeams\lib
    Xeams      Linux              /opt/Xeams/lib

  • Restart Xeams once the file is replaced.

Confirming you're not affected

Follow the steps below to confirm you're not using the affected version.

On Linux

  • Open a Terminal/SSH session and change directory to $INSTALL_DIR, which will most likely be /opt/Xeams.
  • Type the following command:
    unzip -l lib/log4j.jar | grep -i chainsaw
  • You should see an empty result. If the above command returns a list of file names, download the JAR file from here and replace it.

On Windows

  • Open Windows File Explorer and change directory to C:\Xeams\lib.
  • Copy log4j.jar to another folder, such as C:\Temp.
  • Rename the file from log4j.jar to log4j.zip.
  • Double-click the file to open the zipped archive.
  • Ensure you do not see a sub-folder called org\apache\log4j\chainsaw. If you see this folder, download the JAR file from here and replace it with the file in C:\Xeams\lib.
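The Linux and Windows checks above both inspect the jar's entry list by hand. The following script, added here as an example and not part of Xeams or the vendor's advisory, automates the same check on either platform: it opens log4j.jar as a zip archive, reports any entries for the three components the modified jar strips (Chainsaw, SocketServer, JMSAppender), and compares the file's MD5 with the value quoted above. The `build_sample_jar` and `demo` helpers construct throwaway fixture jars so the script can be exercised offline; they are assumptions for illustration, not real log4j builds.

```python
import hashlib
import os
import tempfile
import zipfile

# Entry prefixes for the classes the vendor's modified log4j.jar strips (per the advisory).
REMOVED_COMPONENTS = {
    "chainsaw": "org/apache/log4j/chainsaw/",
    "SocketServer": "org/apache/log4j/net/SocketServer",
    "JMSAppender": "org/apache/log4j/net/JMSAppender",
}
EXPECTED_MD5 = "22486aa01a6352b8c6068cf9dd545221"  # MD5 of the patched jar, from the advisory

def md5_of_file(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def scan_log4j_jar(path):
    """Map each stripped component still present in the jar to its matching entries."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()  # jar entries use '/' as separator, even on Windows
    findings = {}
    for component, prefix in REMOVED_COMPONENTS.items():
        hits = [n for n in names if n.startswith(prefix)]
        if hits:
            findings[component] = hits
    return findings

def is_patched(path):
    """True only if no stripped component remains AND the file is the vendor-published jar."""
    return not scan_log4j_jar(path) and md5_of_file(path) == EXPECTED_MD5

def build_sample_jar(path, include_removed_classes):
    """Constructed fixture: a tiny jar with dummy entries, not a real log4j build."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        if include_removed_classes:
            for entry in ("org/apache/log4j/chainsaw/Main.class",
                          "org/apache/log4j/net/SocketServer.class",
                          "org/apache/log4j/net/JMSAppender.class"):
                jar.writestr(entry, b"\xca\xfe\xba\xbe")

def demo():
    """Scan one constructed vulnerable jar and one constructed clean jar."""
    with tempfile.TemporaryDirectory() as tmp:
        vuln, clean = os.path.join(tmp, "vuln.jar"), os.path.join(tmp, "clean.jar")
        build_sample_jar(vuln, True)
        build_sample_jar(clean, False)
        return scan_log4j_jar(vuln), scan_log4j_jar(clean), is_patched(clean)
```

Note that the clean fixture reports no stripped classes but still fails `is_patched`, because only the vendor-published file has the MD5 quoted in the advisory; an empty `grep` result alone does not prove you are running that file.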