CVE-2022-23437
CVE-2022-23437 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. There is a vulnerability in the Apache Xerces Java (XercesJ) XML parser when it handles specially crafted XML document payloads. The crafted input causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. EPSS estimates a 4.44% chance of exploitation in the next 30 days.
Description
There is a vulnerability in the Apache Xerces Java (XercesJ) XML parser when it handles specially crafted XML document payloads. The crafted input causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present in XercesJ version 2.12.1 and all previous versions.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Xerces-J | <= 2.12.1 |
| Oracle | Agile Engineering Data Management | 6.2.1.0 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Banking Deposits And Lines Of Credit Servicing | 2.7 |
| Oracle | Banking Party Management | 2.7.0 |
| Oracle | Communications Asap | 7.3 |
| Oracle | Communications Element Manager | < 9.0 |
| Oracle | Communications Session Report Manager | < 9.0 |
| Oracle | Communications Session Route Manager | < 9.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6.0.0, <= 8.0.9.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.1.0.0, < 8.1.2.0 |
| Oracle | Financial Services Behavior Detection Platform | >= 8.0.6.0.0, <= 8.0.8.0 |
| Oracle | Financial Services Behavior Detection Platform | 8.1.1.0 |
| Oracle | Financial Services Behavior Detection Platform | 8.1.1.1 |
| Oracle | Financial Services Behavior Detection Platform | 8.1.2.0 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.3.0 |
| Oracle | Financial Services Enterprise Case Management | 8.0.7.1 |
| Oracle | Financial Services Enterprise Case Management | 8.0.7.2.0 |
| Oracle | Financial Services Enterprise Case Management | 8.0.8.0 |
| Oracle | Financial Services Enterprise Case Management | 8.0.8.1 |
| Oracle | Financial Services Enterprise Case Management | 8.1.1.0 |
| Oracle | Financial Services Enterprise Case Management | 8.1.1.1 |
| Oracle | Flexcube Universal Banking | 12.4.0 |
| Oracle | Global Lifecycle Management Nextgen Oui Framework | < 13.9.4.2.2 |
| Oracle | Global Lifecycle Management Nextgen Oui Framework | 13.9.4.2.2 |
| Oracle | Global Lifecycle Management Opatch | < 12.2.0.1.30 |
| Oracle | Health Sciences Information Manager | >= 3.0.1, <= 3.0.5 |
| Oracle | Health Sciences Information Manager | 3.0.0.1 |
| Oracle | Ilearning | 6.2 |
| Oracle | Ilearning | 6.3 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.59 |
| Oracle | Primavera Gateway | >= 17.7, <= 17.12.11 |
| Oracle | Primavera Gateway | >= 18.8.0, <= 18.8.14 |
| Oracle | Primavera Gateway | >= 19.12.0, <= 19.12.13 |
| Oracle | Primavera Gateway | >= 20.12.0, <= 20.12.8 |
| Oracle | Product Lifecycle Analytics | 3.6.1 |
| Oracle | Retail Bulk Data Integration | 16.0.3.0 |
| Oracle | Retail Extract Transform And Load | 13.2.8 |
| Oracle | Retail Financial Integration | 14.1.3.2 |
| Oracle | Retail Financial Integration | 15.0.3.1 |
| Oracle | Retail Financial Integration | 16.0.3 |
| Oracle | Retail Financial Integration | 19.0.1 |
| Oracle | Retail Integration Bus | 14.1.3.2 |
| Oracle | Retail Integration Bus | 15.0.3.1 |
| Oracle | Retail Integration Bus | 16.0.3 |
| Oracle | Retail Integration Bus | 19.0.1 |
| Oracle | Retail Merchandising System | 16.0.3 |
| Oracle | Retail Merchandising System | 19.0.1 |
Showing 50 of 58 affected configurations. See NVD for the full list.
References
- http://www.openwall.com/lists/oss-security/2022/01/24/3 (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl (Mailing List, Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20221028-0005/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
Source: NVD / NIST
