Re: [cross-project-issues-dev] Potential vulnerability in Apache Xerces 1.12.1 (CVE-2022-23437)

Of course, only now do I remember how much effort Aurélien had to go through just to get the then-current version onto Maven Central.

On Wed, Jan 26, 2022 at 7:10 PM Nitin Dahyabhai <thatnitind@xxxxxxxxx> wrote:
Wayne,
I'll take it on.

On Wed, Jan 26, 2022 at 5:02 PM Wayne Beaton <wayne.beaton@xxxxxxxxxxxxxxxxxxxxxx> wrote:
From CVE-2022-23437:

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

More here:
This particular version is in Orbit and in the Simultaneous Release. It appears that version 2.9 is also in the Simultaneous Release. According to the alert, all versions are affected.

According to the CQ record, several projects on the simultaneous release are using affected versions.

If anybody from EclipseLink is monitoring this channel, you have a CQ for this library, but I haven't found it in your builds yet. You should probably also have a look.

It seems that the reasonable mitigation strategy is to update to 2.12.2, but we'll need somebody to take the lead on that. Any volunteers?

Wayne
--

Wayne Beaton

Director of Open Source Projects | Eclipse Foundation

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev


--
Regards,
Nitin Dahyabhai
Eclipse WTP PMC

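The thread's practical question is which builds still pull in an affected XercesJ (anything below 2.12.2). The script below is an added example, not code from the thread or from any Eclipse project: it scans `mvn dependency:tree` output for the Maven Central coordinate `xerces:xercesImpl` and reports every occurrence whose version is older than the fixed release. The sample tree it runs on is constructed for the example, and the set of coordinates to watch is an assumption you would extend for Orbit bundle names or other repackagings.

```python
import re
from typing import List, Optional, Tuple

# Fixed release named in the thread; every version below it is affected by CVE-2022-23437.
FIXED_VERSION = "2.12.2"

# Assumption: the Maven Central coordinate for XercesJ. Add Orbit or vendor repackagings here.
WATCHED_COORDINATES = {"xerces:xercesImpl"}

# Scopes that `mvn dependency:tree` appends as the last field of a dependency line.
MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Constructed sample in the shape `mvn dependency:tree` prints (not real build output).
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0.0
[INFO] +- xerces:xercesImpl:jar:2.12.1:compile
[INFO] |  \\- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] +- org.example:legacy-module:jar:3.4.0:compile
[INFO] |  \\- xerces:xercesImpl:jar:2.9.0:compile
[INFO] \\- org.example:patched-module:jar:3.5.0:compile
[INFO]    \\- xerces:xercesImpl:jar:2.12.2:compile
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.12.1' into (2, 12, 1); a non-numeric qualifier such as '-SNAPSHOT' ends the tuple."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version sorts below the fixed release (2.9, 2.12, 2.12.1 all qualify)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def parse_dependency_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Extract (group, artifact, version) from one dependency:tree line, or None for other lines."""
    # Drop the "[INFO]" prefix and the tree glyphs (+- |  \-) that precede each coordinate.
    body = re.sub(r"^\[INFO\]\s*[|+\\\- ]*", "", line).strip()
    parts = body.split(":")
    # Layout is group:artifact:packaging[:classifier]:version[:scope]; anything shorter is not a coordinate.
    if len(parts) < 4:
        return None
    version = parts[-2] if parts[-1] in MAVEN_SCOPES else parts[-1]
    return parts[0], parts[1], version


def find_affected(tree_output: str) -> List[Tuple[str, str]]:
    """Return (coordinate, version) for every watched artifact below the fixed version, in tree order."""
    hits = []
    for line in tree_output.splitlines():
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        group, artifact, version = parsed
        coordinate = f"{group}:{artifact}"
        if coordinate in WATCHED_COORDINATES and is_affected(version):
            hits.append((coordinate, version))
    return hits


if __name__ == "__main__":
    # Typical use: mvn dependency:tree > tree.txt; python check_xerces.py < tree.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for coordinate, version in find_affected(text):
        print(f"AFFECTED: {coordinate}:{version} (upgrade to {FIXED_VERSION})")
```

Run it against the real tree of each module in a release train and the output is the list of builds that still need the 2.12.2 bump; an empty result for a module that is known to ship Xerces under a different coordinate means the watched set, not the build, needs updating.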
