{
  "threat_severity" : "Moderate",
  "public_date" : "2022-01-24T00:00:00Z",
  "bugzilla" : {
    "description" : "xerces-j2: infinite loop when handling specially crafted XML document payloads",
    "id" : "2047200",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2047200"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-835",
  "details" : [ "There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and previous versions.", "A flaw was found in the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This issue causes the XercesJ XML parser to wait in an infinite loop, which may consume system resources for a prolonged duration, leading to a denial of service condition." ],
  "acknowledgement" : "Upstream acknowledges Sergey Temnikov (Amazon Corretto) and Ziyi Luo (Amazon Corretto) as the original reporters.",
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "release_date" : "2022-06-06T00:00:00Z",
    "advisory" : "RHSA-2022:4922",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4",
    "package" : "xerces-j2"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
    "release_date" : "2022-06-06T00:00:00Z",
    "advisory" : "RHSA-2022:4919",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
    "package" : "eap7-xerces-j2-0:2.12.0-3.SP04_redhat_00001.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
    "release_date" : "2022-06-06T00:00:00Z",
    "advisory" : "RHSA-2022:4918",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
    "package" : "eap7-xerces-j2-0:2.12.0-3.SP04_redhat_00001.1.el7eap"
  }, {
    "product_name" : "RHPAM 7.13.1 async",
    "release_date" : "2022-10-05T00:00:00Z",
    "advisory" : "RHSA-2022:6813",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13",
    "package" : "xercesimpl"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "xerces-j2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "xerces-j2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "pki-deps:10.6/xerces-j2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "xerces-j2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "xerces-j2-eap6",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Not affected",
    "package_name" : "xerces-j2",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "rh-maven36-xerces-j2",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-23437\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-23437" ],
  "name" : "CVE-2022-23437",
  "csaw" : false
}