CVE-2022-34169

Name
CVE-2022-34169
Description
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
NVD Severity
medium

References

Type URI
MISC https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw
MISC https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
MLIST http://www.openwall.com/lists/oss-security/2022/07/19/5
MLIST http://www.openwall.com/lists/oss-security/2022/07/19/6
MLIST http://www.openwall.com/lists/oss-security/2022/07/20/3
MLIST http://www.openwall.com/lists/oss-security/2022/07/20/2
MISC https://www.oracle.com/security-alerts/cpujul2022.html
DEBIAN https://www.debian.org/security/2022/dsa-5188
DEBIAN https://www.debian.org/security/2022/dsa-5192
Third Party Advisory https://security.netapp.com/advisory/ntap-20220729-0009/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/
Third Party Advisory http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/
MLIST http://www.openwall.com/lists/oss-security/2022/10/18/2
MLIST https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html
DEBIAN https://www.debian.org/security/2022/dsa-5256
MLIST http://www.openwall.com/lists/oss-security/2022/11/04/8
MLIST http://www.openwall.com/lists/oss-security/2022/11/07/2

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:apache:xalan-java:*:*:*:*:*:*:*:* xalan-java >= None <= 2.7.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
openjdk15 3.16-community 15.0.8_p4-r0 Simon Frankenberger <simon-alpine@fraho.eu> fixed
openjdk13 3.16-community 13.0.12_p4-r0 Simon Frankenberger <simon-alpine@fraho.eu> fixed
openjdk8 3.16-community 8.345.01-r0 Timo Teras <timo.teras@iki.fi> fixed