CVE-2022-34169

Name: CVE-2022-34169
Description: The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3155-1, DSA-5188-1, DSA-5192-1, DSA-5256-1, ELA-653-1, ELA-707-1
Debian Bugs: 1015860

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     | Release                                  | Version               | Status
-------------------|------------------------------------------|-----------------------|-----------
bcel (PTS)         | jessie, jessie (lts)                     | 6.0~rc3-1+deb8u1      | fixed
                   | stretch (lts), stretch                   | 6.0-1+deb9u1          | fixed
                   | buster (security), buster, buster (lts)  | 6.2-1+deb10u1         | fixed
                   | bullseye (security), bullseye            | 6.5.0-1+deb11u1       | fixed
                   | bookworm                                 | 6.5.0-2               | fixed
                   | sid, trixie                              | 6.10.0-1              | fixed
openjdk-11 (PTS)   | buster, buster (lts)                     | 11.0.25+9-1~deb10u1   | fixed
                   | buster (security)                        | 11.0.23+9-1~deb10u1   | fixed
                   | bullseye                                 | 11.0.24+8-2~deb11u1   | fixed
                   | bullseye (security)                      | 11.0.25+9-1~deb11u1   | fixed
                   | sid                                      | 11.0.26~6ea-1         | fixed
openjdk-17 (PTS)   | bullseye                                 | 17.0.12+7-2~deb11u1   | fixed
                   | bullseye (security)                      | 17.0.13+11-1~deb11u1  | fixed
                   | bookworm (security), bookworm            | 17.0.13+11-2~deb12u1  | fixed
                   | trixie                                   | 17.0.13+11-2          | fixed
                   | sid                                      | 17.0.14~6ea-1         | fixed
openjdk-8 (PTS)    | jessie, jessie (lts)                     | 8u432-b06-2~deb8u1    | fixed
                   | stretch (security)                       | 8u332-ga-1~deb9u1     | vulnerable
                   | stretch (lts), stretch                   | 8u432-b06-2~deb9u1    | fixed
                   | sid                                      | 8u432-b06-2           | fixed

The information below is based on the following data on fixed versions.

Package     | Type   | Release    | Fixed Version          | Urgency | Origin     | Debian Bugs
------------|--------|------------|------------------------|---------|------------|------------
bcel        | source | jessie     | 6.0~rc3-1+deb8u1       |         | ELA-707-1  |
bcel        | source | stretch    | 6.0-1+deb9u1           |         | ELA-707-1  |
bcel        | source | buster     | 6.2-1+deb10u1          |         | DLA-3155-1 |
bcel        | source | bullseye   | 6.5.0-1+deb11u1        |         | DSA-5256-1 |
bcel        | source | (unstable) | 6.5.0-2                |         |            | 1015860
openjdk-11  | source | buster     | 11.0.16+8-1~deb10u1    |         | DSA-5188-1 |
openjdk-11  | source | bullseye   | 11.0.16+8-1~deb11u1    |         | DSA-5188-1 |
openjdk-11  | source | (unstable) | 11.0.16+8-1            |         |            |
openjdk-17  | source | bullseye   | 17.0.4+8-1~deb11u1     |         | DSA-5192-1 |
openjdk-17  | source | (unstable) | 17.0.4+8-1             |         |            |
openjdk-8   | source | jessie     | 8u342-b07-1~deb8u1     |         | ELA-653-1  |
openjdk-8   | source | stretch    | 8u342-b07-1~deb9u1     |         | ELA-653-1  |
openjdk-8   | source | (unstable) | 8u342-b07-1            |         |            |

Notes

https://www.openwall.com/lists/oss-security/2022/07/19/5
https://github.com/openjdk/jdk/commit/41ef2b249073450172e11163a4d05762364b1297
Bug is most likely only in bcel, which libxalan2-java depends on.
https://github.com/apache/commons-bcel/pull/147
https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5
