CVE-2020-9493: 
Homebrew vulnerability analysis and mitigation

A deserialization flaw (CVE-2020-9493) was discovered in Apache Chainsaw versions prior to 2.1.0. The vulnerability was initially reported by security researcher @kingkk and was later found to also affect Log4j 1.x versions, as Chainsaw was a component of Apache Log4j 1.2.x (NVD, OSS Security).

The vulnerability stems from an untrusted deserialization issue in the Chainsaw component. The flaw is present in the LoggingReceiver class, specifically within the run() method of its Slurper nested class, where the Serializable interface's readObject() method is invoked without proper object type verification or deserialization restrictions (Sonatype Blog).

The vulnerability could lead to malicious code execution when exploited. An attacker who can send a malicious payload to the vulnerable Chainsaw version could potentially trigger arbitrary code execution, potentially resulting in unauthorized system access and data breaches (OSS Security, Sonatype Blog).

Users are advised not to configure Chainsaw to read serialized log events and instead use a different receiver, such as XMLSocketReceiver. For a complete fix, users should upgrade to Apache Chainsaw 2.1.0 or later. Additionally, since Log4j 1.x is end-of-life, users are recommended to upgrade to the latest Log4j 2.x version (OSS Security, Sonatype Blog).