CVE-2022-23437 - Vulnerability Details

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:N/AC:M/Au:N/C:N/I:N/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Xerces-j
Netapp	Active Iq Unified Manager
Oracle	Agile Engineering Data Management Agile Plm Banking Deposits And Lines Of Credit Servicing Banking Party Management Communications Asap Communications Element Manager Communications Session Report Manager Communications Session Route Manager Financial Services Analytical Applications Infrastructure Financial Services Behavior Detection Platform Financial Services Crime And Compliance Management Studio Financial Services Enterprise Case Management Flexcube Universal Banking Global Lifecycle Management Nextgen Oui Framework Global Lifecycle Management Opatch Health Sciences Information Manager Ilearning Peoplesoft Enterprise Peopletools Primavera Gateway Product Lifecycle Analytics Retail Bulk Data Integration Retail Extract Transform And Load Retail Financial Integration Retail Integration Bus Retail Merchandising System Retail Service Backbone Weblogic Server
Redhat	Jboss Enterprise Application Platform Jboss Enterprise Bpms Platform

Configuration 1 [-]

cpe:2.3:a:apache:xerces-j:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
	cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.7:::::::*
	cpe:2.3:a:oracle:banking_party_management:2.7.0:::::::*
	cpe:2.3:a:oracle:communications_asap:7.3:::::::*
	cpe:2.3:a:oracle:communications_element_manager::::::::
	cpe:2.3:a:oracle:communications_session_report_manager::::::::
	cpe:2.3:a:oracle:communications_session_route_manager::::::::
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::
	cpe:2.3:a:oracle:financial_services_behavior_detection_platform::::::::
	cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:::::::*
	cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:::::::*
	cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:::::::*
	cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:::::::*
	cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2.0:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:::::::*
	cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:::::::*
	cpe:2.3:a:oracle:flexcube_universal_banking:12.4.0:::::::*
	cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework::::::::
	cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:::::::*
	cpe:2.3:a:oracle:global_lifecycle_management_opatch::::::::
	cpe:2.3:a:oracle:health_sciences_information_manager::::::::
	cpe:2.3:a:oracle:health_sciences_information_manager:3.0.0.1:::::::*
	cpe:2.3:a:oracle:ilearning:6.2:::::::*
	cpe:2.3:a:oracle:ilearning:6.3:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:::::::*
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:::::::*
	cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.8:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:16.0.3:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:19.0.1:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:16.0.3:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:19.0.1:::::::*
	cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:::::::*
	cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:::::::*
	cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:::::::*
	cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:::::::*
	cpe:2.3:a:oracle:retail_service_backbone:16.0.3:::::::*
	cpe:2.3:a:oracle:retail_service_backbone:19.0.1:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*

Configuration 3 [-]

cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*

Package	CPE	Advisory	Released Date
Red Hat JBoss Enterprise Application Platform 7
xerces-j2	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2022:4922	2022-06-06T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-xerces-j2-0:2.12.0-3.SP04_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2022:4919	2022-06-06T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-xerces-j2-0:2.12.0-3.SP04_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2022:4918	2022-06-06T00:00:00Z
RHPAM 7.13.1 async
xercesimpl	cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13	RHSA-2022:6813	2022-10-05T00:00:00Z

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/01/24/3
https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
https://nvd.nist.gov/vuln/detail/CVE-2022-23437
https://security.netapp.com/advisory/ntap-20221028-0005/
https://www.cve.org/CVERecord?id=CVE-2022-23437
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-01-24T00:00:00

Updated: 2024-08-03T03:43:45.690Z

Reserved: 2022-01-19T00:00:00

Link: CVE-2022-23437

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-01-24T15:15:09.317

Modified: 2024-11-21T06:48:33.283

Link: CVE-2022-23437

Redhat

Severity : Moderate

Publid Date: 2022-01-24T00:00:00Z

Links: CVE-2022-23437 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-23437", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2024-08-03T03:43:45.690Z", "dateReserved": "2022-01-19T00:00:00", "datePublished": "2022-01-24T00:00:00"}, "containers": {"cna": {"title": "Infinite loop within Apache XercesJ xml parser", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-10-28T00:00:00"}, "descriptions": [{"lang": "en", "value": "There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions."}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Xerces", "versions": [{"version": "Apache XercesJ", "status": "affected", "lessThanOrEqual": "2.12.1", "versionType": "custom"}]}], "references": [{"url": "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl"}, {"name": "[oss-security] 20220124 CVE-2022-23437: Infinite loop within Apache XercesJ xml parser", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/01/24/3"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"url": "https://security.netapp.com/advisory/ntap-20221028-0005/"}], "credits": [{"lang": "en", "value": "This issue was discovered by Sergey Temnikov and Ziyi Luo, from Amazon Corretto/JDK Team"}], "metrics": [{"other": {"type": "unknown", "content": {"other": "high"}}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Infinite loop within Apache XercesJ xml parser"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}, "workarounds": [{"lang": "en", "value": "Apache XercesJ users, should migrate to version 2.12.2"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:45.690Z"}, "title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl", "tags": ["x_transferred"]}, {"name": "[oss-security] 20220124 CVE-2022-23437: Infinite loop within Apache XercesJ xml parser", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/01/24/3"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20221028-0005/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:xerces-j:*:*:*:*:*:*:*:*", "matchCriteriaId": "35BFF235-489B-4262-94F4-061317ED4EAE", "versionEndIncluding": "2.12.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "80C9DBB8-3D50-4D5D-859A-B022EB7C2E64", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.7:*:*:*:*:*:*:*", "matchCriteriaId": "ED63D221-31FA-480F-802F-844334F429F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "C542DC5E-6657-4178-9C69-46FD3C187D56", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_asap:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "3141B86F-838D-491A-A8ED-3B7C54EA89C1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "02712DD6-D944-4452-8015-000B9851D257", "versionEndExcluding": "9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "274BCA96-2E6A-4B77-B69E-E2093A668D28", "versionEndExcluding": "9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D4B738B-08CF-44F6-A939-39F5BEAF03B2", "versionEndExcluding": "9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4A07A20-CDE7-40A8-B24A-D4181C4398A0", "versionEndIncluding": "8.0.9.0", "versionStartIncluding": "8.0.6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "83DEEFFB-058D-4ABD-9083-AF70772D7010", "versionEndExcluding": "8.1.2.0", "versionStartIncluding": "8.1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "147A4225-A2D5-4AA1-96D1-6D95A192B596", "versionEndIncluding": "8.0.8.0", "versionStartIncluding": "8.0.6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "A4B3A10E-70A8-4332-8567-06AE2C45D3C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "059F0D4E-B007-4986-AB95-89F11147CB2B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "6CAC78AD-86BB-4F06-B8CF-8E1329987F2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "55F091C7-0869-4FD6-AC73-DA697D990304", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D134C60-F9E2-46C2-8466-DB90AD98439E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "C64D669C-513E-4C53-8BB8-13EB336CDC3A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "18E7AC20-F70C-4A92-817D-94CE9FB3EB0D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F6394E90-2F2C-4955-9F97-BFED76D4333B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "5B5DC0C1-789B-4126-8C6D-DEDE83AA2D2E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "44563108-AD89-49A0-9FA5-7DE5A5601D2C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "FCA5DC3F-E7D8-45E3-8114-2213EC631CDF", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:flexcube_universal_banking:12.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "F3D55FB5-8ED8-4797-B5BC-545477AF7347", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE85204F-614D-4EF1-ABEB-B3CD381C2CB0", "versionEndExcluding": "13.9.4.2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "5A6FFB5C-EB44-499F-BE81-24ED2B1F201A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F0728F8-14D0-4282-9CA7-EFCD68EE77AF", "versionEndExcluding": "12.2.0.1.30", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:health_sciences_information_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "D450B848-371E-4401-9DB0-27AF31B5D5EA", "versionEndIncluding": "3.0.5", "versionStartIncluding": "3.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:health_sciences_information_manager:3.0.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "4BE4F581-7DEF-4417-A55D-561BDAC5CA7C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:ilearning:6.2:*:*:*:*:*:*:*", "matchCriteriaId": "D361A9A8-15B0-4527-868B-80998772F2AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:ilearning:6.3:*:*:*:*:*:*:*", "matchCriteriaId": "4A667A37-59EB-4539-ADCA-D5F789DB6744", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6300315-7816-4F4E-A1C3-99EF5984B94A", "versionEndIncluding": "17.12.11", "versionStartIncluding": "17.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "F04DF183-EBCB-456E-90F9-A8500E6E32B7", "versionEndIncluding": "18.8.14", "versionStartIncluding": "18.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D30B0D1-4466-4601-8822-CE8ADBB381FB", "versionEndIncluding": "19.12.13", "versionStartIncluding": "19.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E362FE6-A387-4DFB-ADD7-FB4BAE9DE7CB", "versionEndIncluding": "20.12.8", "versionStartIncluding": "20.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "7F978162-CB2C-4166-947A-9048C6E878BC", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "360B307A-3D7F-4B38-8248-76CF8318B023", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "31FFE404-027E-4B59-B3EF-BD20E1F7EECC", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "798E4FEE-9B2B-436E-A2B3-B8AA1079892A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "CB86F6C3-981E-4ECA-A5EB-9A9CD73D70C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "6B042849-7EF5-4A5F-B6CD-712C0B8735BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "7435071D-0C95-4686-A978-AFC4C9A0D0FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "8CFCE558-9972-46A2-8539-C16044F1BAA9", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "A1194C4E-CF42-4B4D-BA9A-40FDD28F1D58", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "822A3C37-86F2-4E91-BE91-2A859F983941", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD311C33-A309-44D5-BBFB-539D72C7F8C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "F8383028-B719-41FD-9B6A-71F8EB4C5F8D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "AE1BC44A-F0AF-41CD-9CEB-B07AB5ADAB38", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "E702EBED-DB39-4084-84B1-258BC5FE7545", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "3F7956BF-D5B6-484B-999C-36B45CD8B75B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "DEE71EA5-B315-4F1E-BFEE-EC426B562F7E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "9DA6B655-A445-42E5-B6D9-70AB1C04774A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions."}, {"lang": "es", "value": "Se presenta una vulnerabilidad en el analizador XML de Apache Xerces Java (XercesJ) cuando maneja cargas \u00fatiles de documentos XML especialmente dise\u00f1ados. Esto causa que el analizador XML de XercesJ espere en un bucle infinito, lo que a veces puede consumir recursos del sistema durante un tiempo prolongado. Esta vulnerabilidad est\u00e1 presente en XercesJ versi\u00f3n 2.12.1, y en versiones anteriores"}], "id": "CVE-2022-23437", "lastModified": "2024-11-21T06:48:33.283", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.1, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-24T15:15:09.317", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/24/3"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221028-0005/"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/24/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221028-0005/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Upstream acknowledges Sergey Temnikov (Amazon Corretto) and Ziyi Luo (Amazon Corretto) as the original reporters.", "affected_release": [{"advisory": "RHSA-2022:4922", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "xerces-j2", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2022-06-06T00:00:00Z"}, {"advisory": "RHSA-2022:4919", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-xerces-j2-0:2.12.0-3.SP04_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2022-06-06T00:00:00Z"}, {"advisory": "RHSA-2022:4918", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-xerces-j2-0:2.12.0-3.SP04_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2022-06-06T00:00:00Z"}, {"advisory": "RHSA-2022:6813", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package": "xercesimpl", "product_name": "RHPAM 7.13.1 async", "release_date": "2022-10-05T00:00:00Z"}], "bugzilla": {"description": "xerces-j2: infinite loop when handling specially crafted XML document payloads", "id": "2047200", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2047200"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-835", "details": ["There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.", "A flaw was found in the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This issue causes the XercesJ XML parser to wait in an infinite loop, which may consume system resources for a prolonged duration, leading to a denial of service condition."], "name": "CVE-2022-23437", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "xerces-j2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "xerces-j2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "pki-deps:10.6/xerces-j2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "xerces-j2", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "xerces-j2-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Not affected", "package_name": "xerces-j2", "product_name": "Red Hat JBoss Web Server 3"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-maven36-xerces-j2", "product_name": "Red Hat Software Collections"}], "public_date": "2022-01-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-23437\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-23437"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object