[jira] [Created] (OFBIZ-12549) [SECURITY] CVE-2022-23437: Infinite loop within Apache XercesJ xml parser

Jacques Le Roux (Jira) Mon, 31 Jan 2022 07:48:07 -0800

Jacques Le Roux created OFBIZ-12549:
---------------------------------------


             Summary: [SECURITY] CVE-2022-23437: Infinite loop within Apache 
XercesJ xml parser
                 Key: OFBIZ-12549
                 URL: https://issues.apache.org/jira/browse/OFBIZ-12549
             Project: OFBiz
          Issue Type: Bug
          Components: Gradle
    Affects Versions: 18.12.05, 22.01.01
            Reporter: Jacques Le Roux



Severity: high

Description:

There's a vulnerability within the Apache Xerces Java (XercesJ) XML
parser when handling specially crafted XML document payloads. This
causes, the XercesJ XML parser to wait in an infinite loop, which may
sometimes consume system resources for prolonged duration. This
vulnerability is present within XercesJ version 2.12.1 and the
previous versions.

Mitigation:

Apache XercesJ users, should migrate to version 2.12.2

Credit:

This issue was discovered by Sergey Temnikov and Ziyi Luo, from Amazon
Corretto/JDK Team

References:

https://markmail.org/message/vcmhwbuorfgcdr6l



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Created] (OFBIZ-12549) [SECURITY] CVE-2022-23437: Infinite loop within Apache XercesJ xml parser

Reply via email to