List: oss-security
Subject: Re: [oss-security] CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer trunca
From: Moritz Muehlenhoff <jmm () inutil ! org>
Date: 2022-07-20 8:49:26
Message-ID: 20220720084926.GA11533 () inutil ! org
On Tue, Jul 19, 2022 at 02:21:40PM -0500, John Helmert III wrote:
> On Tue, Jul 19, 2022 at 05:37:46PM +0000, Mark J. Cox wrote:
> > Description:
> >
> > The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when
> > processing malicious XSLT stylesheets. This can be used to corrupt Java class files
> > generated by the internal XSLTC compiler and execute arbitrary Java bytecode.
> > The Apache Xalan Java project is dormant and in the process of being retired. No future
> > releases of Apache Xalan Java to address this issue are expected.
> > Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
> >
> > Credit:
> >
> > Reported by Felix Wilhelm, Google Project Zero
> >
> > References:
> >
> > https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
> >
>
> Hi, is there any available patch or bug report? The reference here
> only seems to be a discussion of the retirement of xalan-j, rather
> than the vulnerability.
This seems to be the patch for the Xalan copy vendored in OpenJDK:
https://github.com/openjdk/jdk/commit/41ef2b249073450172e11163a4d05762364b1297
Cheers,
Moritz