From CVE-2022-23437:

> There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser
> when handling specially crafted XML document payloads. This causes the
> XercesJ XML parser to wait in an infinite loop, which may sometimes consume
> system resources for a prolonged duration. This vulnerability is present
> within XercesJ version 2.12.1 and *the previous versions*.
More here:
- https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23437

This particular version is in Orbit and in the Simultaneous Release. It appears that version 2.9 is also in the Simultaneous Release. According to the alert, all versions are affected. According to the CQ record, several projects on the Simultaneous Release are using affected versions.

If anybody from EclipseLink is monitoring this channel, you have a CQ for this library, but I haven't found it in your builds yet. You should probably also have a look.

It seems that the reasonable mitigation strategy is to update to 2.12.2, but we'll need somebody to take the lead on that. Any volunteers?

Wayne

--
Wayne Beaton
Director of Open Source Projects | Eclipse Foundation
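The actionable part of the advisory is a version threshold: any XercesJ below 2.12.2 is affected. As an added example (not Wayne's, and not Eclipse Foundation or Orbit tooling), the script below flags XercesJ coordinates below that threshold in a Maven pom.xml and in Orbit-style bundle file names, so a project can check its own build before volunteering for the update. The pom.xml and bundle names are constructed samples; the Orbit bundle id `org.apache.xerces` and the choice to treat an unparseable version (e.g. a `${xerces.version}` property) as needing manual review are assumptions.

```python
"""Audit build inputs for XercesJ versions affected by CVE-2022-23437.

Added example, not project tooling. Assumes the advisory's threshold:
everything below 2.12.2 is affected, 2.12.2 and later are fixed.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 12, 2)

# Constructed sample pom.xml (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>xerces</groupId>
      <artifactId>xercesImpl</artifactId>
      <version>2.12.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample of Orbit-style bundle file names (id_version.qualifier.jar).
# The bundle id org.apache.xerces is an assumption for this example.
SAMPLE_BUNDLES = [
    "org.apache.xerces_2.9.0.v201101211617.jar",
    "org.apache.xerces_2.12.1.v20220126-0945.jar",
    "org.apache.xerces_2.12.2.v20220131-1200.jar",
    "org.apache.xml.resolver_1.2.0.v201005080400.jar",
]

BUNDLE_RE = re.compile(r"^(?P<name>org\.apache\.xerces)_(?P<version>[^/]+?)\.jar$")


def parse_version(text):
    """Return the leading numeric segments as a tuple of ints.

    '2.12.1.v20220126-0945' -> (2, 12, 1); the qualifier is ignored.
    Returns None when no numeric segment leads the string (e.g. '${xerces.version}').
    """
    nums = []
    for seg in text.strip().split("."):
        if seg.isdigit():
            nums.append(int(seg))
        else:
            break
    return tuple(nums) if nums else None


def is_affected(version):
    """True if the version is below 2.12.2. Unparseable versions are treated
    as affected (conservative: they need manual review, not a silent pass)."""
    parsed = parse_version(version)
    return parsed is None or parsed < FIXED_VERSION


def _local(tag):
    """Strip an XML namespace prefix: '{ns}artifactId' -> 'artifactId'."""
    return tag.rsplit("}", 1)[-1]


def audit_pom(pom_text):
    """Return [(groupId:artifactId, version)] for affected xercesImpl deps.

    The pom is a trusted build input here; untrusted XML is exactly what the
    CVE is about and should not be fed to an unpatched parser.
    """
    root = ET.fromstring(pom_text)
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("artifactId") == "xercesImpl" and is_affected(fields.get("version", "")):
            findings.append((f"{fields.get('groupId', '')}:xercesImpl", fields.get("version", "")))
    return findings


def audit_bundles(names):
    """Return [(bundle id, full version)] for affected Xerces bundles."""
    findings = []
    for name in names:
        m = BUNDLE_RE.match(name)
        if m and is_affected(m.group("version")):
            findings.append((m.group("name"), m.group("version")))
    return findings


if __name__ == "__main__":
    for coord, ver in audit_pom(SAMPLE_POM) + audit_bundles(SAMPLE_BUNDLES):
        print(f"AFFECTED (CVE-2022-23437): {coord} {ver}; update to 2.12.2 or later")
```

Run it against a real pom.xml or an Orbit drop listing by substituting the sample inputs; a version that comes back from a Maven property rather than a literal is flagged rather than skipped, so the reviewer resolves it by hand.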
_______________________________________________ cross-project-issues-dev mailing list cross-project-issues-dev@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev