How CVE-2022-23307 Affects Products From Synametrics


On Jan 18, 2022, the National Institute of Standards and Technology (NIST) logged a new vulnerability regarding Chainsaw, which also affected Log4J. Log4J is a common library from the Apache Foundation used in products published by many companies, including Xeams.

Chainsaw is a GUI-based application that can be used to view log files. Although Xeams does not use this application internally, a third-party library used in Xeams includes this application. Therefore, a user with malicious intent and access to the machine running Xeams could run this application.

Syncrify/SynaMan

Log4J is used in two components:

  1. The application itself. Simply upgrade to the latest build of Syncrify/SynaMan to handle this situation.
  2. AppLauncher.jar, which is used to restart Syncrify/SynaMan. This file is not updated automatically. Therefore, follow the steps below to update this file.
    • Download the update file from here and use it to replace the existing file, which is in the $INSTALL_DIR\patches folder.
    • Restart SynaMan/Syncrify to ensure it is able to restart itself.

Confirming you're not affected

Follow the steps below to confirm you're not using the affected version.

On Linux

  • Open a Terminal/SSH session and change directory to the $INSTALL_DIR, which will most likely be /opt/Syncrify or /opt/SynaMan
  • Type the following commands:
    unzip -l lib/SynaMan.jar | grep -i chainsaw
    unzip -l patches/AppLauncher.jar | grep -i chainsaw
  • None of these commands should return any results. Replace SynaMan.jar with Syncrify.jar if necessary.

On Windows

  • Open Windows File Explorer and browse to the installation folder, which could be either in C: or in C:\Program Files
  • Copy patches/AppLauncher.jar to another folder, such as C:\Temp.
  • Rename the file from AppLauncher.jar to AppLauncher.zip.
  • Double click the file to open the zipped archive.
  • Ensure you do not see a sub-folder called org\apache\log4j\chainsaw.
  • Repeat this process with SynaMan.jar or Syncrify.jar, whichever is applicable in your case.
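
The same check can be scripted so it runs identically on Linux and Windows. The script below is an added example, not code from Synametrics; it assumes Python 3 is available on the machine, and the file name check_chainsaw.py is hypothetical. It goes slightly beyond the manual steps by checking every .jar under the installation folder and by looking inside archives nested within a JAR.

```python
import io
import sys
import zipfile
from pathlib import Path

# Package folder the steps above say must be absent (org\apache\log4j\chainsaw).
CHAINSAW_PATH = "org/apache/log4j/chainsaw/"
NESTED_SUFFIXES = (".jar", ".war", ".zip")
MAX_DEPTH = 3  # assumption: limit on recursion into nested archives


def find_chainsaw(data, label, depth=0):
    """Return 'archive!entry' strings for Chainsaw entries in a JAR given as bytes."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with archive:
        for info in archive.infolist():
            # JAR entries use '/', but normalise in case a tool wrote '\'.
            name = info.filename.replace("\\", "/")
            lowered = name.lower()  # case-insensitive, like grep -i
            if CHAINSAW_PATH in lowered:
                hits.append(f"{label}!{name}")
            elif lowered.endswith(NESTED_SUFFIXES) and depth < MAX_DEPTH:
                inner = archive.read(info)
                hits += find_chainsaw(inner, f"{label}!{name}", depth + 1)
    return hits


def scan_install_dir(install_dir):
    """Check every .jar under install_dir (lib, patches, ...) and return all hits."""
    hits = []
    for jar in sorted(Path(install_dir).rglob("*.jar")):
        hits += find_chainsaw(jar.read_bytes(), str(jar))
    return hits


if __name__ == "__main__":
    # Usage: python check_chainsaw.py /opt/SynaMan
    found = scan_install_dir(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in found:
        print("FOUND", hit)
    print("Chainsaw classes present" if found else "No Chainsaw classes found")
    sys.exit(1 if found else 0)
```

An exit code of 0 with no FOUND lines corresponds to the "no results" outcome expected from the unzip commands above.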
