CVE-2022-23437

Name: CVE-2022-23437
Description: There is a vulnerability in the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present in XercesJ version 2.12.1 and earlier versions.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1016975

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release                  Version     Status
libxerces2-java (PTS)   bullseye                 2.12.1-1    vulnerable
                        bookworm, sid, trixie    2.12.2-1    fixed

The information below is based on the following data on fixed versions.

Package            Type     Release       Fixed Version   Urgency   Origin   Debian Bugs
libxerces2-java    source   (unstable)    2.12.2-1                           1016975

Notes

[bullseye] - libxerces2-java <postponed> (revisit when/if fix is complete)
[buster] - libxerces2-java <postponed> (revisit when/if fix is complete)
[stretch] - libxerces2-java <postponed> (revisit when/if fix is complete)
https://www.openwall.com/lists/oss-security/2022/01/24/3
https://issues.apache.org/jira/browse/XERCESJ-1737
Confirmation of fixing commits: https://lists.apache.org/thread/8bdbk40hf1oqhyvmdcvtqwr2hwfhhmkt
The svn.apache.org links are gone, but according to the Wayback Machine the fixing commits are these:
https://github.com/apache/xerces-j/commit/0a785cfe0d210b5e5b3b020ecfeb67693764aaf4
https://github.com/apache/xerces-j/commit/da8efa66241dd63cb34eacb22bc28c3469af91a6
