Moderate severityNVD Advisory· Published Jan 24, 2022· Updated Aug 3, 2024
Infinite loop within Apache XercesJ xml parser
CVE-2022-23437
Description
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
xerces:xercesImplMaven | < 2.12.2 | 2.12.2 |
Affected products
43- ghsa-coords42 versionspkg:maven/xerces/xercesImplpkg:rpm/opensuse/ruby3.2-rubygem-nokogiri&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/rubygem-nokogiri&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/xerces-j2&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/xerces-j2&distro=openSUSE%20Tumbleweedpkg:rpm/suse/xerces-j2&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/xerces-j2&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/xerces-j2&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOSpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP2pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCLpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/xerces-j2&distro=SUSE%20Manager%20Proxy%204.1pkg:rpm/suse/xerces-j2&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1pkg:rpm/suse/xerces-j2&distro=SUSE%20Manager%20Server%204.1pkg:rpm/suse/xerces-j2&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/xerces-j2&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/xerces-j2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/xerces-j2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
< 2.12.2+ 41 more
- (no CPE)range: < 2.12.2
- (no CPE)range: < 1.13.9-1.7
- (no CPE)range: < 1.13.4-1.1
- (no CPE)range: < 2.11.0-4.3.1
- (no CPE)range: < 2.12.2-1.1
- (no CPE)range: < 2.8.1-268.9.1
- (no CPE)range: < 2.11.0-4.3.1
- (no CPE)range: < 2.12.0-3.3.1
- (no CPE)range: < 2.11.0-4.3.1
- (no CPE)range: < 2.11.0-4.3.1
- (no CPE)range: < 2.12.0-3.3.1
- (no CPE)range: < 2.12.0-3.3.1
- (no CPE)range: < 2.11.0-4.3.1
- (no CPE)range: < 2.11.0-4.3.1
- (no CPE)range: < 2.12.0-3.3.1
- (no CPE)range: < 2.8.1-238.29.8.1
- (no CPE)range: < 2.12.0-3.3.1
- (no CPE)range: < 2.8.1-238.29.8.1
- (no CPE)range: < 2.8.1-268.9.1
- (no CPE)range: < 2.8.1-268.9.1
- (no CPE)range: < 2.8.1-268.9.1
- (no CPE)range: < 2.8.1-268.9.1
- (no CPE)range: < 2.8.1-268.9.1
- (no CPE)range: < 2.11.0-4.3.1
- (no CPE)range: < 2.11.0-4.3.1
- (no CPE)range: < 2.12.0-3.3.1
- (no CPE)range: < 2.12.0-3.3.1
- (no CPE)range: < 2.11.0-4.3.1
- (no CPE)range: < 2.8.1-268.9.1
- (no CPE)range: < 2.8.1-268.9.1
- (no CPE)range: < 2.8.1-268.9.1
- (no CPE)range: < 2.11.0-4.3.1
- (no CPE)range: < 2.11.0-4.3.1
- (no CPE)range: < 2.12.0-3.3.1
- (no CPE)range: < 2.8.1-268.9.1
- (no CPE)range: < 2.12.0-3.3.1
- (no CPE)range: < 2.12.0-3.3.1
- (no CPE)range: < 2.12.0-3.3.1
- (no CPE)range: < 2.8.1-268.9.1
- (no CPE)range: < 2.8.1-268.9.1
- (no CPE)range: < 2.8.1-268.9.1
- (no CPE)range: < 2.8.1-268.9.1
- Apache Software Foundation/Apache Xercesv5Range: Apache XercesJ
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-h65f-jvqw-m9fjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-23437ghsaADVISORY
- www.openwall.com/lists/oss-security/2022/01/24/3ghsamailing-listWEB
- lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dlghsaWEB
- security.netapp.com/advisory/ntap-20221028-0005ghsaWEB
- www.oracle.com/security-alerts/cpuapr2022.htmlghsaWEB
- www.oracle.com/security-alerts/cpujul2022.htmlghsaWEB
- security.netapp.com/advisory/ntap-20221028-0005/mitre
News mentions
0No linked articles in our index yet.