CVE-2022-23437 — MEDIUM (6.5)

Q: How severe is CVE-2022-23437?

CVE-2022-23437 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-23437?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Xerces-J, Oracle Agile Engineering Data Management, Oracle Agile Plm, Oracle Banking Deposits And Lines Of Credit Servicing, Oracle Banking Party Management.

Vulnerability Description

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Xerces-J	<= 2.12.1
Oracle	Agile Engineering Data Management	6.2.1.0
Oracle	Agile Plm	9.3.6
Oracle	Banking Deposits And Lines Of Credit Servicing	2.7
Oracle	Banking Party Management	2.7.0
Oracle	Communications Asap	7.3
Oracle	Communications Element Manager	< 9.0
Oracle	Communications Session Report Manager	< 9.0
Oracle	Communications Session Route Manager	< 9.0
Oracle	Financial Services Analytical Applications Infrastructure	>= 8.0.6.0.0, <= 8.0.9.0
Oracle	Financial Services Behavior Detection Platform	>= 8.0.6.0.0, <= 8.0.8.0
Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.2.0
Oracle	Financial Services Enterprise Case Management	8.0.7.1
Oracle	Flexcube Universal Banking	12.4.0
Oracle	Global Lifecycle Management Nextgen Oui Framework	< 13.9.4.2.2
Oracle	Global Lifecycle Management Opatch	< 12.2.0.1.30
Oracle	Health Sciences Information Manager	>= 3.0.1, <= 3.0.5
Oracle	Ilearning	6.2
Oracle	Peoplesoft Enterprise Peopletools	8.58
Oracle	Primavera Gateway	>= 17.7, <= 17.12.11

Related Weaknesses (CWE)

CWE-835

References

http://www.openwall.com/lists/oss-security/2022/01/24/3Mailing ListThird Party Advisory
https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dlMailing ListVendor Advisory
https://security.netapp.com/advisory/ntap-20221028-0005/Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2022/01/24/3Mailing ListThird Party Advisory
https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dlMailing ListVendor Advisory
https://security.netapp.com/advisory/ntap-20221028-0005/Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory

FAQ

What is CVE-2022-23437?

CVE-2022-23437 is a vulnerability with a CVSS score of 6.5 (MEDIUM). There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which...

How severe is CVE-2022-23437?

CVE-2022-23437 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-23437?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Xerces-J, Oracle Agile Engineering Data Management, Oracle Agile Plm, Oracle Banking Deposits And Lines Of Credit Servicing, Oracle Banking Party Management.