CVE-2022-23437

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
Infinite Loop
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
VendorProductVersion
apachexerces-j
𝑥
≤ 2.12.1
oracleagile_engineering_data_management
6.2.1.0
oracleagile_plm
9.3.6
oraclebanking_deposits_and_lines_of_credit_servicing
2.7
oraclebanking_party_management
2.7.0
oraclecommunications_asap
7.3
oraclecommunications_element_manager
𝑥
< 9.0
oraclecommunications_session_report_manager
𝑥
< 9.0
oraclecommunications_session_route_manager
𝑥
< 9.0
oraclefinancial_services_analytical_applications_infrastructure
8.0.6.0.0 ≤
𝑥
≤ 8.0.9.0
oraclefinancial_services_analytical_applications_infrastructure
8.1.0.0 ≤
𝑥
< 8.1.2.0
oraclefinancial_services_behavior_detection_platform
8.0.6.0.0 ≤
𝑥
≤ 8.0.8.0
oraclefinancial_services_behavior_detection_platform
8.1.1.0
oraclefinancial_services_behavior_detection_platform
8.1.1.1
oraclefinancial_services_behavior_detection_platform
8.1.2.0
oraclefinancial_services_crime_and_compliance_management_studio
8.0.8.2.0
oraclefinancial_services_crime_and_compliance_management_studio
8.0.8.3.0
oraclefinancial_services_enterprise_case_management
8.0.7.1
oraclefinancial_services_enterprise_case_management
8.0.7.2.0
oraclefinancial_services_enterprise_case_management
8.0.8.0
oraclefinancial_services_enterprise_case_management
8.0.8.1
oraclefinancial_services_enterprise_case_management
8.1.1.0
oraclefinancial_services_enterprise_case_management
8.1.1.1
oracleflexcube_universal_banking
12.4.0
oracleglobal_lifecycle_management_nextgen_oui_framework
𝑥
< 13.9.4.2.2
oracleglobal_lifecycle_management_nextgen_oui_framework
13.9.4.2.2
oracleglobal_lifecycle_management_opatch
𝑥
< 12.2.0.1.30
oraclehealth_sciences_information_manager
3.0.1 ≤
𝑥
≤ 3.0.5
oraclehealth_sciences_information_manager
3.0.0.1
oracleilearning
6.2
oracleilearning
6.3
oraclepeoplesoft_enterprise_peopletools
8.58
oraclepeoplesoft_enterprise_peopletools
8.59
oracleprimavera_gateway
17.7 ≤
𝑥
≤ 17.12.11
oracleprimavera_gateway
18.8.0 ≤
𝑥
≤ 18.8.14
oracleprimavera_gateway
19.12.0 ≤
𝑥
≤ 19.12.13
oracleprimavera_gateway
20.12.0 ≤
𝑥
≤ 20.12.8
oracleproduct_lifecycle_analytics
3.6.1
oracleretail_bulk_data_integration
16.0.3.0
oracleretail_extract_transform_and_load
13.2.8
oracleretail_financial_integration
14.1.3.2
oracleretail_financial_integration
15.0.3.1
oracleretail_financial_integration
16.0.3
oracleretail_financial_integration
19.0.1
oracleretail_integration_bus
14.1.3.2
oracleretail_integration_bus
15.0.3.1
oracleretail_integration_bus
16.0.3
oracleretail_integration_bus
19.0.1
oracleretail_merchandising_system
16.0.3
oracleretail_merchandising_system
19.0.1
oracleretail_service_backbone
14.1.3.2
oracleretail_service_backbone
15.0.3.1
oracleretail_service_backbone
16.0.3
oracleretail_service_backbone
19.0.1
oracleweblogic_server
12.2.1.3.0
oracleweblogic_server
12.2.1.4.0
oracleweblogic_server
14.1.1.0.0
netappactive_iq_unified_manager
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libxerces2-java
bullseye
postponed
bookworm
postponed
buster
postponed
stretch
postponed
sid
vulnerable
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libxerces2-java
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
needs-triage
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2022/01/24/3
https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
https://security.netapp.com/advisory/ntap-20221028-0005/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
http://www.openwall.com/lists/oss-security/2022/01/24/3
https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
https://security.netapp.com/advisory/ntap-20221028-0005/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html