CVE-2022-23437

Summary

CVE	CVE-2022-23437
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-01-24 15:15:00 UTC
Updated	2023-08-08 14:22:00 UTC
Description	There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

Risk And Classification

Problem Types: CWE-835

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Xerces-j	All	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Oracle	Agile Engineering Data Management	6.2.1.0	All	All	All
Application	Oracle	Agile Plm	9.3.6	All	All	All
Application	Oracle	Banking Deposits And Lines Of Credit Servicing	2.7	All	All	All
Application	Oracle	Banking Party Management	2.7.0	All	All	All
Application	Oracle	Communications Asap	7.3	All	All	All
Application	Oracle	Communications Element Manager	All	All	All	All
Application	Oracle	Communications Session Report Manager	All	All	All	All
Application	Oracle	Communications Session Route Manager	All	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	All	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	All	All	All	All
Application	Oracle	Financial Services Behavior Detection Platform	8.1.1.0	All	All	All
Application	Oracle	Financial Services Behavior Detection Platform	8.1.1.1	All	All	All
Application	Oracle	Financial Services Behavior Detection Platform	8.1.2.0	All	All	All
Application	Oracle	Financial Services Behavior Detection Platform	All	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.2.0	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.3.0	All	All	All
Application	Oracle	Financial Services Enterprise Case Management	8.0.7.1	All	All	All
Application	Oracle	Financial Services Enterprise Case Management	8.0.7.2.0	All	All	All
Application	Oracle	Financial Services Enterprise Case Management	8.0.8.0	All	All	All
Application	Oracle	Financial Services Enterprise Case Management	8.0.8.1	All	All	All
Application	Oracle	Financial Services Enterprise Case Management	8.1.1.0	All	All	All
Application	Oracle	Financial Services Enterprise Case Management	8.1.1.1	All	All	All
Application	Oracle	Flexcube Universal Banking	12.4.0	All	All	All
Application	Oracle	Global Lifecycle Management Nextgen Oui Framework	All	All	All	All
Application	Oracle	Global Lifecycle Management Nextgen Oui Framework	13.9.4.2.2	All	All	All
Application	Oracle	Global Lifecycle Management Opatch	All	All	All	All
Application	Oracle	Health Sciences Information Manager	3.0.0.1	All	All	All
Application	Oracle	Health Sciences Information Manager	All	All	All	All
Application	Oracle	Ilearning	6.2	All	All	All
Application	Oracle	Ilearning	6.3	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Product Lifecycle Analytics	3.6.1	All	All	All
Application	Oracle	Retail Bulk Data Integration	16.0.3.0	All	All	All
Application	Oracle	Retail Extract Transform And Load	13.2.8	All	All	All
Application	Oracle	Retail Financial Integration	14.1.3.2	All	All	All
Application	Oracle	Retail Financial Integration	15.0.3.1	All	All	All
Application	Oracle	Retail Financial Integration	16.0.3	All	All	All
Application	Oracle	Retail Financial Integration	19.0.1	All	All	All
Application	Oracle	Retail Integration Bus	14.1.3.2	All	All	All
Application	Oracle	Retail Integration Bus	15.0.3.1	All	All	All
Application	Oracle	Retail Integration Bus	16.0.3	All	All	All
Application	Oracle	Retail Integration Bus	19.0.1	All	All	All
Application	Oracle	Retail Merchandising System	16.0.3	All	All	All
Application	Oracle	Retail Merchandising System	19.0.1	All	All	All
Application	Oracle	Retail Service Backbone	14.1.3.2	All	All	All
Application	Oracle	Retail Service Backbone	15.0.3.1	All	All	All
Application	Oracle	Retail Service Backbone	16.0.3	All	All	All
Application	Oracle	Retail Service Backbone	19.0.1	All	All	All
Application	Oracle	Weblogic Server	12.2.1.3.0	All	All	All
Application	Oracle	Weblogic Server	12.2.1.4.0	All	All	All
Application	Oracle	Weblogic Server	14.1.1.0.0	All	All	All

References

Reference	Source	Link	Tags
N/A	CONFIRM	lists.apache.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
oss-security - CVE-2022-23437: Infinite loop within Apache XercesJ xml parser	MLIST	www.openwall.com
CVE-2022-23437 Apache XercesJ Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: This issue was discovered by Sergey Temnikov and Ziyi Luo, from Amazon Corretto/JDK Team

Legacy QID Mappings

150538 Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2022)
150588 Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2022)
240458 Red Hat Update for JBoss Enterprise Application Platform 7.4.5 on RHEL 7 (RHSA-2022:4918)
240459 Red Hat Update for JBoss Enterprise Application Platform 7.4.5 on RHEL 8 (RHSA-2022:4919)
671576 EulerOS Security Update for xerces-j2 (EulerOS-SA-2022-1555)
671600 EulerOS Security Update for xerces-j2 (EulerOS-SA-2022-1592)
671719 EulerOS Security Update for xerces-j2 (EulerOS-SA-2022-1772)
751728 SUSE Enterprise Linux Security Update for xerces-j2 (SUSE-SU-2022:0500-1)
751729 SUSE Enterprise Linux Security Update for xerces-j2 (SUSE-SU-2022:0503-1)
751734 SUSE Enterprise Linux Security Update for xerces-j2 (SUSE-SU-2022:0542-1)
751745 OpenSUSE Security Update for xerces-j2 (openSUSE-SU-2022:0503-1)
751746 OpenSUSE Security Update for xerces-j2 (openSUSE-SU-2022:0500-1)
753451 SUSE Enterprise Linux Security Update for xerces-j2 (SUSE-SU-2022:14889-1)
87489 Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2022)
87524 Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2022)