Vulnerability Details CVE-2022-34169
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.108
EPSS Ranking 93.0%
CVSS Severity
CVSS v3 Score 7.5
References
- http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html
- http://www.openwall.com/lists/oss-security/2022/07/19/5
- http://www.openwall.com/lists/oss-security/2022/07/19/6
- http://www.openwall.com/lists/oss-security/2022/07/20/2
- http://www.openwall.com/lists/oss-security/2022/07/20/3
- http://www.openwall.com/lists/oss-security/2022/10/18/2
- http://www.openwall.com/lists/oss-security/2022/11/04/8
- http://www.openwall.com/lists/oss-security/2022/11/07/2
- https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw
- https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
- https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/
- https://security.gentoo.org/glsa/202401-25
- https://security.netapp.com/advisory/ntap-20220729-0009/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://www.debian.org/security/2022/dsa-5188
- https://www.debian.org/security/2022/dsa-5192
- https://www.debian.org/security/2022/dsa-5256
- https://www.oracle.com/security-alerts/cpujul2022.html
- http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html
- http://www.openwall.com/lists/oss-security/2022/07/19/5
- http://www.openwall.com/lists/oss-security/2022/07/19/6
- http://www.openwall.com/lists/oss-security/2022/07/20/2
- http://www.openwall.com/lists/oss-security/2022/07/20/3
- http://www.openwall.com/lists/oss-security/2022/10/18/2
- http://www.openwall.com/lists/oss-security/2022/11/04/8
- http://www.openwall.com/lists/oss-security/2022/11/07/2
- https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw
- https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
- https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/
- https://security.gentoo.org/glsa/202401-25
- https://security.netapp.com/advisory/ntap-20220729-0009/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://www.debian.org/security/2022/dsa-5188
- https://www.debian.org/security/2022/dsa-5192
- https://www.debian.org/security/2022/dsa-5256
- https://www.oracle.com/security-alerts/cpujul2022.html
Products affected by CVE-2022-34169
-
cpe:2.3:a:apache:xalan-java:1.0.0
-
cpe:2.3:a:apache:xalan-java:2.0.0
-
cpe:2.3:a:apache:xalan-java:2.0.1
-
cpe:2.3:a:apache:xalan-java:2.1.0
-
cpe:2.3:a:apache:xalan-java:2.2.0
-
cpe:2.3:a:apache:xalan-java:2.4.0
-
cpe:2.3:a:apache:xalan-java:2.4.1
-
cpe:2.3:a:apache:xalan-java:2.5.0
-
cpe:2.3:a:apache:xalan-java:2.5.1
-
cpe:2.3:a:apache:xalan-java:2.5.2
-
cpe:2.3:a:apache:xalan-java:2.6.0
-
cpe:2.3:a:apache:xalan-java:2.7.0
-
cpe:2.3:a:apache:xalan-java:2.7.1
-
cpe:2.3:a:apache:xalan-java:2.7.2
-
cpe:2.3:a:azul:zulu:11.56
-
cpe:2.3:a:azul:zulu:13.48
-
cpe:2.3:a:azul:zulu:15.40
-
cpe:2.3:a:azul:zulu:17.34
-
cpe:2.3:a:azul:zulu:18.30
-
cpe:2.3:a:azul:zulu:6.47
-
cpe:2.3:a:azul:zulu:7.54
-
cpe:2.3:a:azul:zulu:8.62
-
cpe:2.3:a:netapp:7-mode_transition_tool:-
-
cpe:2.3:a:netapp:active_iq_unified_manager:-
-
cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-
-
cpe:2.3:a:netapp:cloud_secure_agent:-
-
cpe:2.3:a:netapp:hci_management_node:-
-
cpe:2.3:a:netapp:oncommand_insight:-
-
cpe:2.3:a:netapp:solidfire:-
-
cpe:2.3:a:oracle:graalvm:20.3.6
-
cpe:2.3:a:oracle:graalvm:21.3.2
-
cpe:2.3:a:oracle:graalvm:22.1.0
-
cpe:2.3:a:oracle:jdk:1.7.0
-
cpe:2.3:a:oracle:jdk:1.8.0
-
cpe:2.3:a:oracle:jdk:11.0.15.1
-
cpe:2.3:a:oracle:jdk:17.0.3.1
-
cpe:2.3:a:oracle:jdk:18.0.1.1
-
cpe:2.3:a:oracle:jre:1.7.0
-
cpe:2.3:a:oracle:jre:1.8.0
-
cpe:2.3:a:oracle:jre:11.0.15.1
-
cpe:2.3:a:oracle:jre:17.0.3.1
-
cpe:2.3:a:oracle:jre:18.0.1.1
-
cpe:2.3:a:oracle:openjdk:11
-
cpe:2.3:a:oracle:openjdk:11.0.1
-
cpe:2.3:a:oracle:openjdk:11.0.10
-
cpe:2.3:a:oracle:openjdk:11.0.11
-
cpe:2.3:a:oracle:openjdk:11.0.12
-
cpe:2.3:a:oracle:openjdk:11.0.13
-
cpe:2.3:a:oracle:openjdk:11.0.14
-
cpe:2.3:a:oracle:openjdk:11.0.2
-
cpe:2.3:a:oracle:openjdk:11.0.3
-
cpe:2.3:a:oracle:openjdk:11.0.4
-
cpe:2.3:a:oracle:openjdk:11.0.5
-
cpe:2.3:a:oracle:openjdk:11.0.6
-
cpe:2.3:a:oracle:openjdk:11.0.7
-
cpe:2.3:a:oracle:openjdk:11.0.8
-
cpe:2.3:a:oracle:openjdk:11.0.9
-
cpe:2.3:a:oracle:openjdk:13
-
cpe:2.3:a:oracle:openjdk:13.0.1
-
cpe:2.3:a:oracle:openjdk:13.0.10
-
cpe:2.3:a:oracle:openjdk:13.0.2
-
cpe:2.3:a:oracle:openjdk:13.0.3
-
cpe:2.3:a:oracle:openjdk:13.0.4
-
cpe:2.3:a:oracle:openjdk:13.0.5
-
cpe:2.3:a:oracle:openjdk:13.0.6
-
cpe:2.3:a:oracle:openjdk:13.0.7
-
cpe:2.3:a:oracle:openjdk:13.0.8
-
cpe:2.3:a:oracle:openjdk:15
-
cpe:2.3:a:oracle:openjdk:15.0.1
-
cpe:2.3:a:oracle:openjdk:15.0.2
-
cpe:2.3:a:oracle:openjdk:15.0.3
-
cpe:2.3:a:oracle:openjdk:15.0.4
-
cpe:2.3:a:oracle:openjdk:15.0.6
-
cpe:2.3:a:oracle:openjdk:17
-
cpe:2.3:a:oracle:openjdk:17.0.1
-
cpe:2.3:a:oracle:openjdk:17.0.2
-
cpe:2.3:a:oracle:openjdk:18
-
cpe:2.3:a:oracle:openjdk:7
-
cpe:2.3:a:oracle:openjdk:8
-
cpe:2.3:h:netapp:hci_compute_node:-
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:11.0
-
cpe:2.3:o:fedoraproject:fedora:35
-
cpe:2.3:o:fedoraproject:fedora:36