Vulnerability Description
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Xalan-Java | <= 2.7.2 |
| Debian | Debian Linux | 10.0 |
| Oracle | Graalvm | 20.3.6 |
| Oracle | Jdk | 1.7.0 |
| Oracle | Jre | 1.7.0 |
| Oracle | Openjdk | >= 11, <= 11.0.15 |
| Fedoraproject | Fedora | 35 |
| Netapp | 7-Mode Transition Tool | - |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Cloud Insights Acquisition Unit | - |
| Netapp | Cloud Secure Agent | - |
| Netapp | Hci Management Node | - |
| Netapp | Oncommand Insight | - |
| Netapp | Solidfire | - |
| Netapp | Hci Compute Node | - |
| Azul | Zulu | 6.47 |
References
- http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html (Third Party Advisory, VDB Entry)
- http://www.openwall.com/lists/oss-security/2022/07/19/5 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2022/07/19/6 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2022/07/20/2 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2022/07/20/3 (Mailing List, Patch, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2022/10/18/2 (Mailing List, Patch, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2022/11/04/8 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2022/11/07/2 (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw (Issue Tracking, Mailing List, Vendor Advisory)
- https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8 (Issue Tracking, Mailing List, Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2022-34169?
CVE-2022-34169 is a vulnerability with a CVSS score of 7.5 (HIGH). The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC...
How severe is CVE-2022-34169?
CVE-2022-34169 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above.
Is there a patch for CVE-2022-34169?
Check the References section above for vendor advisories and patch information; Apache recommends updating Xalan-Java to version 2.7.3 or later. Affected products include: Apache Xalan-Java, Debian Linux, Oracle GraalVM, Oracle JDK, Oracle JRE.