
[cross-project-issues-dev] Potential vulnerability in Apache Xerces 1.12.1 (CVE-2022-23437)

From CVE-2022-23437:

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

More here:
This particular version is in Orbit and in the Simultaneous Release. It appears that version 2.9 is also in the simultaneous release. According to the alert all versions are affected.

According to the CQ record, several projects on the simultaneous release are using affected versions.

If anybody from EclipseLink is monitoring this channel, you have a CQ for this library, but I haven't found it in your builds yet. You should probably also have a look.

It seems that the reasonable mitigation strategy is to update to 2.12.2, but we'll need somebody to take the lead on that. Any volunteers?


Wayne Beaton

Director of Open Source Projects | Eclipse Foundation
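The message above asks projects to find out whether their builds still ship an affected Xerces-J. The following script is an added example, not part of the original message or of any Eclipse project: it walks a directory of jars, reads each jar's `META-INF/MANIFEST.MF`, identifies Xerces-J by the standard `Implementation-Title` / `Bundle-SymbolicName` / `Bundle-Name` attributes, takes the version from `Implementation-Version` or the OSGi `Bundle-Version`, and flags anything below 2.12.2 (the fixed release named in the thread). Falling back on a `xercesImpl-<version>.jar` file name when the manifest carries no identifying attributes is an assumption for this example; the sample jars it builds in a temporary directory are constructed, not real Orbit artifacts.

```python
"""Audit a tree of jars for Apache Xerces-J builds affected by CVE-2022-23437.

Added example (not from the mailing-list message or any Eclipse project).
Assumptions: Xerces-J jars identify themselves via Implementation-Title,
Bundle-SymbolicName or Bundle-Name, and carry Implementation-Version or
Bundle-Version; the file-name fallback is a heuristic for bare jars.
"""
import os
import re
import tempfile
import zipfile

FIXED = (2, 12, 2)  # first release without the infinite-loop bug, per the advisory
JAR_NAME_RE = re.compile(r"^xerces(?:impl)?-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def parse_version(text):
    """'2.12.1' or '2.12.1.v20201204-1500' -> (2, 12, 1); None if no numeric prefix."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def is_affected(version):
    """True for every Xerces-J version older than 2.12.2; None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    v = v + (0,) * (len(FIXED) - len(v))  # treat '2.12' as 2.12.0
    return v < FIXED


def manifest_attrs(jar_path):
    """Parse META-INF/MANIFEST.MF into a dict, unfolding continuation lines."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return {}
    attrs = {}
    # A manifest line starting with a single space continues the previous line.
    for line in raw.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        if ":" in line:
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs


def xerces_version(jar_path):
    """Return the Xerces-J version string of a jar, or None if it is not Xerces-J."""
    attrs = manifest_attrs(jar_path)
    ident = " ".join(attrs.get(k, "") for k in
                     ("Implementation-Title", "Bundle-SymbolicName", "Bundle-Name")).lower()
    if "xerces" in ident:
        for key in ("Implementation-Version", "Bundle-Version"):
            if key in attrs:
                return attrs[key]
    # Assumed fallback: unlabeled jar named like xercesImpl-2.11.0.jar.
    m = JAR_NAME_RE.match(os.path.basename(jar_path))
    return m.group(1) if m else None


def scan_jars(root):
    """Return {jar_path: version} for every affected Xerces-J jar under root."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                ver = xerces_version(path)
                if ver is not None and is_affected(ver):
                    hits[path] = ver
    return hits


def _make_jar(path, manifest):
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)


def demo():
    """Build constructed sample jars (not real builds) and scan them."""
    root = tempfile.mkdtemp(prefix="xerces-audit-")
    samples = {
        "xercesImpl-2.9.1.jar": "Manifest-Version: 1.0\nImplementation-Title: Apache Xerces-J\n"
                                "Implementation-Version: 2.9.1\n",
        # Orbit-style OSGi bundle: no version in the file name, only Bundle-Version.
        "org.apache.xerces_bundle.jar": "Manifest-Version: 1.0\nBundle-SymbolicName: org.apache.xerces\n"
                                        "Bundle-Version: 2.12.1.v20201204-1500\n",
        "xercesImpl-2.12.2.jar": "Manifest-Version: 1.0\nImplementation-Title: Apache Xerces-J\n"
                                 "Implementation-Version: 2.12.2\n",
        "xercesImpl-2.11.0.jar": "Manifest-Version: 1.0\n",  # exercises the file-name fallback
        "other-lib.jar": "Manifest-Version: 1.0\nImplementation-Title: Unrelated\n"
                         "Implementation-Version: 1.0.0\n",
    }
    for name, manifest in samples.items():
        _make_jar(os.path.join(root, name), manifest)
    return scan_jars(root)


if __name__ == "__main__":
    for path, ver in sorted(demo().items()):
        print(f"AFFECTED {ver:<12} {path}")
```

Run it against a `plugins/` or `target/` directory by calling `scan_jars(path)`; anything it lists needs the update to 2.12.2 that the message proposes. It deliberately reports only what it can identify, so a repackaged Xerces with no manifest attributes and a non-standard file name will not show up and still has to be checked by hand.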
