This vulnerability may affect various software products, like web browsers, email clients, and various other applications that consume XML and/or XML-based data. It may be exploited to cause a denial-of-service condition.

As a precaution, you may want to upgrade your XercesJ software to the latest version. Alternatively, you may choose to disable the parsing of specially crafted XML documents. The best course of action is to apply the appropriate updates.

Vulnerability overview

A vulnerability has been found in XercesJ software that may cause a denial-of-service condition. The vulnerability allows an attacker to crash the system or execute malicious code by triggering a buffer overflow in the parsing of specially crafted XML documents.
This vulnerability is related to CVE-2022-23437.

Vulnerability Scenario

The vulnerability may be exploited to cause a denial-of-service condition. It may also be exploited by an attacker to access information or transfer files from the computer.

Vulnerable software: XercesJ

XercesJ is an open source software project that parses and validates XML documents.
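As an added defensive example (not code from this advisory or from the Xerces project), the Java class below parses untrusted XML through a hardened JAXP/Xerces SAX parser with an input size cap and a wall-clock budget, so a document that keeps the parser busy is rejected instead of holding a request thread indefinitely; it is a stopgap to run alongside the upgrade, not a replacement for it. The class, method names and limits are this example's own, and it assumes Xerces-J is the JAXP SAX provider on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

// Added example, not from the advisory or the Xerces project: bounded parsing of untrusted XML.
public class BoundedXmlParse {
    private static final int MAX_BYTES = 1 << 20;       // 1 MiB cap on untrusted input
    private static final long PARSE_TIMEOUT_MS = 2_000; // wall-clock budget per document
    // Fixed pool: at most four parses in flight, so stuck parses cannot exhaust all threads.
    private static final ExecutorService POOL = Executors.newFixedThreadPool(4);

    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Untrusted input gets no DTD: closes the entity-expansion and external-entity paths.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f;
    }

    // Rejects oversize input and any document that exceeds the time budget.
    static void parseUntrusted(byte[] xml, DefaultHandler handler) throws Exception {
        if (xml.length > MAX_BYTES) {
            throw new IllegalArgumentException("XML input exceeds " + MAX_BYTES + " bytes");
        }
        SAXParser parser = hardenedFactory().newSAXParser();
        Future<?> job = POOL.submit(() -> {
            try (InputStream in = new ByteArrayInputStream(xml)) {
                parser.parse(new InputSource(in), handler);
            }
            return null;
        });
        try {
            job.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // A tight parser loop may ignore the interrupt, but the caller is still released
            // promptly, and the fixed pool caps how many such workers can accumulate.
            job.cancel(true);
            throw new IllegalStateException("XML parse exceeded time budget; document rejected", e);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] doc = "<order><id>42</id></order>".getBytes(StandardCharsets.UTF_8); // constructed sample
        parseUntrusted(doc, new DefaultHandler());
    }
}
```

Log and count the rejections: a burst of timeouts from one client is the detection signal for a crafted-document attempt against the parser.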

References

1. https://www.safer-networking.org/en/advisories/view/CVE-2022-23437
2. https://blog.xerces.org/?p=1817

Timeline

Published on: 01/24/2022 15:15:00 UTC
Last modified on: 07/25/2022 18:21:00 UTC
