Vulnerability Monitor

CVE-2022-23437


There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.


Published

2022-01-24T15:15:09.317

Last Modified

2024-11-21T06:48:33.283

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:N/A:C

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: COMPLETE

Exploitability Score

8.6

Impact Score

6.9

Weaknesses

  • Type: Primary
    CWE-835

Affected Vendors & Products

| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | apache | xerces-j | ≤ 2.12.1 | Yes |
| Application | oracle | agile_engineering_data_management | 6.2.1.0 | Yes |
| Application | oracle | agile_plm | 9.3.6 | Yes |
| Application | oracle | banking_deposits_and_lines_of_credit_servicing | 2.7 | Yes |
| Application | oracle | banking_party_management | 2.7.0 | Yes |
| Application | oracle | communications_asap | 7.3 | Yes |
| Application | oracle | communications_element_manager | < 9.0 | Yes |
| Application | oracle | communications_session_report_manager | < 9.0 | Yes |
| Application | oracle | communications_session_route_manager | < 9.0 | Yes |
| Application | oracle | financial_services_analytical_applications_infrastructure | ≤ 8.0.9.0 | Yes |
| Application | oracle | financial_services_analytical_applications_infrastructure | < 8.1.2.0 | Yes |
| Application | oracle | financial_services_behavior_detection_platform | ≤ 8.0.8.0 | Yes |
| Application | oracle | financial_services_behavior_detection_platform | 8.1.1.0 | Yes |
| Application | oracle | financial_services_behavior_detection_platform | 8.1.1.1 | Yes |
| Application | oracle | financial_services_behavior_detection_platform | 8.1.2.0 | Yes |
| Application | oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.2.0 | Yes |
| Application | oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.3.0 | Yes |
| Application | oracle | financial_services_enterprise_case_management | 8.0.7.1 | Yes |
| Application | oracle | financial_services_enterprise_case_management | 8.0.7.2.0 | Yes |
| Application | oracle | financial_services_enterprise_case_management | 8.0.8.0 | Yes |
| Application | oracle | financial_services_enterprise_case_management | 8.0.8.1 | Yes |
| Application | oracle | financial_services_enterprise_case_management | 8.1.1.0 | Yes |
| Application | oracle | financial_services_enterprise_case_management | 8.1.1.1 | Yes |
| Application | oracle | flexcube_universal_banking | 12.4.0 | Yes |
| Application | oracle | global_lifecycle_management_nextgen_oui_framework | < 13.9.4.2.2 | Yes |
| Application | oracle | global_lifecycle_management_nextgen_oui_framework | 13.9.4.2.2 | Yes |
| Application | oracle | global_lifecycle_management_opatch | < 12.2.0.1.30 | Yes |
| Application | oracle | health_sciences_information_manager | ≤ 3.0.5 | Yes |
| Application | oracle | health_sciences_information_manager | 3.0.0.1 | Yes |
| Application | oracle | ilearning | 6.2 | Yes |
| Application | oracle | ilearning | 6.3 | Yes |
| Application | oracle | peoplesoft_enterprise_peopletools | 8.58 | Yes |
| Application | oracle | peoplesoft_enterprise_peopletools | 8.59 | Yes |
| Application | oracle | primavera_gateway | ≤ 17.12.11 | Yes |
| Application | oracle | primavera_gateway | ≤ 18.8.14 | Yes |
| Application | oracle | primavera_gateway | ≤ 19.12.13 | Yes |
| Application | oracle | primavera_gateway | ≤ 20.12.8 | Yes |
| Application | oracle | product_lifecycle_analytics | 3.6.1 | Yes |
| Application | oracle | retail_bulk_data_integration | 16.0.3.0 | Yes |
| Application | oracle | retail_extract_transform_and_load | 13.2.8 | Yes |
| Application | oracle | retail_financial_integration | 14.1.3.2 | Yes |
| Application | oracle | retail_financial_integration | 15.0.3.1 | Yes |
| Application | oracle | retail_financial_integration | 16.0.3 | Yes |
| Application | oracle | retail_financial_integration | 19.0.1 | Yes |
| Application | oracle | retail_integration_bus | 14.1.3.2 | Yes |
| Application | oracle | retail_integration_bus | 15.0.3.1 | Yes |
| Application | oracle | retail_integration_bus | 16.0.3 | Yes |
| Application | oracle | retail_integration_bus | 19.0.1 | Yes |
| Application | oracle | retail_merchandising_system | 16.0.3 | Yes |
| Application | oracle | retail_merchandising_system | 19.0.1 | Yes |
| Application | oracle | retail_service_backbone | 14.1.3.2 | Yes |
| Application | oracle | retail_service_backbone | 15.0.3.1 | Yes |
| Application | oracle | retail_service_backbone | 16.0.3 | Yes |
| Application | oracle | retail_service_backbone | 19.0.1 | Yes |
| Application | oracle | weblogic_server | 12.2.1.3.0 | Yes |
| Application | oracle | weblogic_server | 12.2.1.4.0 | Yes |
| Application | oracle | weblogic_server | 14.1.1.0.0 | Yes |
| Application | netapp | active_iq_unified_manager | - | Yes |

References