Vulnerability CVE-2022-34169: Information

Description

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Published: July 19, 2022
Modified: January 17, 2024
Weakness type identifier: CWE-681

Links to advisories, solutions, and tools

Link / Resource
https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw
  • Issue Tracking
  • Mailing List
  • Vendor Advisory
https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
  • Issue Tracking
  • Mailing List
  • Vendor Advisory
[oss-security] 20220719 CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
  • Mailing List
  • Third Party Advisory
[oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
  • Mailing List
  • Third Party Advisory
[oss-security] 20220720 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
  • Mailing List
  • Patch
  • Third Party Advisory
[oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
  • Mailing List
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
  • Patch
  • Third Party Advisory
DSA-5188
  • Third Party Advisory
DSA-5192
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20220729-0009/
  • Third Party Advisory
http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html
  • Third Party Advisory
  • VDB Entry
[oss-security] 20221017 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
  • Mailing List
  • Patch
  • Third Party Advisory
[debian-lts-announce] 20221018 [SECURITY] [DLA 3155-1] bcel security update
  • Mailing List
  • Third Party Advisory
DSA-5256
  • Third Party Advisory
[oss-security] 20221104 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing
  • Mailing List
  • Third Party Advisory
[oss-security] 20221107 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing
  • Mailing List
  • Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/
https://security.gentoo.org/glsa/202401-25
                    Configuration 1

                    cpe:2.3:a:apache:xalan-java:*:*:*:*:*:*:*:*
                    Up to (including) 2.7.2

                    Configuration 2

                    cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

                    cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

                    Configuration 3

                    cpe:2.3:a:oracle:jre:17.0.3.1:*:*:*:*:*:*:*

                    cpe:2.3:a:oracle:jre:18.0.1.1:*:*:*:*:*:*:*

                    cpe:2.3:a:oracle:jre:11.0.15.1:*:*:*:*:*:*:*

                    cpe:2.3:a:oracle:jre:1.8.0:update333:*:*:*:*:*:*

                    cpe:2.3:a:oracle:jre:1.7.0:update343:*:*:*:*:*:*

                    cpe:2.3:a:oracle:jdk:17.0.3.1:*:*:*:*:*:*:*

                    cpe:2.3:a:oracle:jdk:18.0.1.1:*:*:*:*:*:*:*

                    cpe:2.3:a:oracle:jdk:11.0.15.1:*:*:*:*:*:*:*

                    cpe:2.3:a:oracle:jdk:1.8.0:update333:*:*:*:*:*:*

                    cpe:2.3:a:oracle:jdk:1.7.0:update343:*:*:*:*:*:*

                    cpe:2.3:a:oracle:graalvm:20.3.6:*:*:*:enterprise:*:*:*

                    cpe:2.3:a:oracle:graalvm:21.3.2:*:*:*:enterprise:*:*:*

                    cpe:2.3:a:oracle:graalvm:22.1.0:*:*:*:enterprise:*:*:*

                    Configuration 4

                    cpe:2.3:a:oracle:openjdk:8:-:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update102:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update112:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update152:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update162:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update172:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update192:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update20:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update202:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update212:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update222:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update232:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update40:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update60:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update66:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update72:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update92:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update241:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update80:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update85:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:-:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update241:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update65:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update71:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update73:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update74:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update77:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update91:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update101:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update111:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update121:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update131:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update141:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update151:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update161:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update171:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update181:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update191:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update201:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update211:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update45:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update51:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update25:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update31:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update5:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update11:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update221:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update231:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update251:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update231:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update221:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update211:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update201:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update191:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update181:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update171:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update161:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update151:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update141:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update131:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update121:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update111:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update101:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update99:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update97:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update95:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update91:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update76:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update72:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update67:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update65:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update60:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update55:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update51:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update45:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update40:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update25:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update21:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update17:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update15:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update13:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update11:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update10:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update9:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update7:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update6:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update5:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update4:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update3:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update2:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update1:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update271:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update281:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:milestone1:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:milestone2:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update282:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:milestone3:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:milestone4:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:milestone5:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:milestone6:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:milestone7:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:milestone8:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:milestone9:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update271:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update281:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update291:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update242:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update252:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update262:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update261:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update291:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update301:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update301:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update311:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:7:update321:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update312:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update302:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:8:update322:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:18:*:*:*:*:*:*:*

                    cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*
                    From (including) 11 up to (including) 11.0.15

                    cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*
                    From (including) 15 up to (including) 15.0.7

                    cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*
                    From (including) 17 up to (including) 17.0.3

                    cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*
                    From (including) 13 up to (including) 13.0.11

                    cpe:2.3:a:oracle:openjdk:8:update332:*:*:*:*:*:*

                    Configuration 5

                    cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

                    cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

                    Configuration 6

                    cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

                    cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*

                    cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*

                    cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*

                    cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

                    cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*

                    cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*

                    cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:*:*:*:*:*:*:*

                    cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*

                    Configuration 7

                    cpe:2.3:a:azul:zulu:17.34:*:*:*:*:*:*:*

                    cpe:2.3:a:azul:zulu:6.47:*:*:*:*:*:*:*

                    cpe:2.3:a:azul:zulu:7.54:*:*:*:*:*:*:*

                    cpe:2.3:a:azul:zulu:8.62:*:*:*:*:*:*:*

                    cpe:2.3:a:azul:zulu:11.56:*:*:*:*:*:*:*

                    cpe:2.3:a:azul:zulu:13.48:*:*:*:*:*:*:*

                    cpe:2.3:a:azul:zulu:15.40:*:*:*:*:*:*:*

                    cpe:2.3:a:azul:zulu:18.30:*:*:*:*:*:*:*