CVE-2022-23437

Infinite loop within Apache XercesJ xml parser

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

Se presenta una vulnerabilidad en el analizador XML de Apache Xerces Java (XercesJ) cuando maneja cargas útiles de documentos XML especialmente diseñados. Esto causa que el analizador XML de XercesJ espere en un bucle infinito, lo que a veces puede consumir recursos del sistema durante un tiempo prolongado. Esta vulnerabilidad está presente en XercesJ versión 2.12.1, y en versiones anteriores

A flaw was found in the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This issue causes the XercesJ XML parser to wait in an infinite loop, which may consume system resources for a prolonged duration, leading to a denial of service condition.

*Credits: This issue was discovered by Sergey Temnikov and Ziyi Luo, from Amazon Corretto/JDK Team

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-19 CVE Reserved
2022-01-24 CVE Published
2024-08-03 CVE Updated
2024-10-09 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (7)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2022/01/24/3	Mailing List
https://security.netapp.com/advisory/ntap-20221028-0005	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://www.oracle.com/security-alerts/cpuapr2022.html	2023-08-08
https://www.oracle.com/security-alerts/cpujul2022.html	2023-08-08

URL	Date	SRC
https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl	2023-08-08
https://access.redhat.com/security/cve/CVE-2022-23437	2022-10-05
https://bugzilla.redhat.com/show_bug.cgi?id=2047200	2022-10-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Xerces-j Search vendor "Apache" for product "Xerces-j"				<= 2.12.1 Search vendor "Apache" for product "Xerces-j" and version " <= 2.12.1"		-		Affected
Oracle Search vendor "Oracle"		Agile Engineering Data Management Search vendor "Oracle" for product "Agile Engineering Data Management"				6.2.1.0 Search vendor "Oracle" for product "Agile Engineering Data Management" and version "6.2.1.0"		-		Affected
Oracle Search vendor "Oracle"		Agile Plm Search vendor "Oracle" for product "Agile Plm"				9.3.6 Search vendor "Oracle" for product "Agile Plm" and version "9.3.6"		-		Affected
Oracle Search vendor "Oracle"		Banking Deposits And Lines Of Credit Servicing Search vendor "Oracle" for product "Banking Deposits And Lines Of Credit Servicing"				2.7 Search vendor "Oracle" for product "Banking Deposits And Lines Of Credit Servicing" and version "2.7"		-		Affected
Oracle Search vendor "Oracle"		Banking Party Management Search vendor "Oracle" for product "Banking Party Management"				2.7.0 Search vendor "Oracle" for product "Banking Party Management" and version "2.7.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Asap Search vendor "Oracle" for product "Communications Asap"				7.3 Search vendor "Oracle" for product "Communications Asap" and version "7.3"		-		Affected
Oracle Search vendor "Oracle"		Communications Element Manager Search vendor "Oracle" for product "Communications Element Manager"				< 9.0 Search vendor "Oracle" for product "Communications Element Manager" and version " < 9.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Report Manager Search vendor "Oracle" for product "Communications Session Report Manager"				< 9.0 Search vendor "Oracle" for product "Communications Session Report Manager" and version " < 9.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Route Manager Search vendor "Oracle" for product "Communications Session Route Manager"				< 9.0 Search vendor "Oracle" for product "Communications Session Route Manager" and version " < 9.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				>= 8.0.6.0.0 <= 8.0.9.0 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version " >= 8.0.6.0.0 <= 8.0.9.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				>= 8.1.0.0 < 8.1.2.0 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version " >= 8.1.0.0 < 8.1.2.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Behavior Detection Platform Search vendor "Oracle" for product "Financial Services Behavior Detection Platform"				>= 8.0.6.0.0 <= 8.0.8.0 Search vendor "Oracle" for product "Financial Services Behavior Detection Platform" and version " >= 8.0.6.0.0 <= 8.0.8.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Behavior Detection Platform Search vendor "Oracle" for product "Financial Services Behavior Detection Platform"				8.1.1.0 Search vendor "Oracle" for product "Financial Services Behavior Detection Platform" and version "8.1.1.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Behavior Detection Platform Search vendor "Oracle" for product "Financial Services Behavior Detection Platform"				8.1.1.1 Search vendor "Oracle" for product "Financial Services Behavior Detection Platform" and version "8.1.1.1"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Behavior Detection Platform Search vendor "Oracle" for product "Financial Services Behavior Detection Platform"				8.1.2.0 Search vendor "Oracle" for product "Financial Services Behavior Detection Platform" and version "8.1.2.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Crime And Compliance Management Studio Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio"				8.0.8.2.0 Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio" and version "8.0.8.2.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Crime And Compliance Management Studio Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio"				8.0.8.3.0 Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio" and version "8.0.8.3.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Enterprise Case Management Search vendor "Oracle" for product "Financial Services Enterprise Case Management"				8.0.7.1 Search vendor "Oracle" for product "Financial Services Enterprise Case Management" and version "8.0.7.1"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Enterprise Case Management Search vendor "Oracle" for product "Financial Services Enterprise Case Management"				8.0.7.2.0 Search vendor "Oracle" for product "Financial Services Enterprise Case Management" and version "8.0.7.2.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Enterprise Case Management Search vendor "Oracle" for product "Financial Services Enterprise Case Management"				8.0.8.0 Search vendor "Oracle" for product "Financial Services Enterprise Case Management" and version "8.0.8.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Enterprise Case Management Search vendor "Oracle" for product "Financial Services Enterprise Case Management"				8.0.8.1 Search vendor "Oracle" for product "Financial Services Enterprise Case Management" and version "8.0.8.1"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Enterprise Case Management Search vendor "Oracle" for product "Financial Services Enterprise Case Management"				8.1.1.0 Search vendor "Oracle" for product "Financial Services Enterprise Case Management" and version "8.1.1.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Enterprise Case Management Search vendor "Oracle" for product "Financial Services Enterprise Case Management"				8.1.1.1 Search vendor "Oracle" for product "Financial Services Enterprise Case Management" and version "8.1.1.1"		-		Affected
Oracle Search vendor "Oracle"		Flexcube Universal Banking Search vendor "Oracle" for product "Flexcube Universal Banking"				12.4.0 Search vendor "Oracle" for product "Flexcube Universal Banking" and version "12.4.0"		-		Affected
Oracle Search vendor "Oracle"		Global Lifecycle Management Nextgen Oui Framework Search vendor "Oracle" for product "Global Lifecycle Management Nextgen Oui Framework"				< 13.9.4.2.2 Search vendor "Oracle" for product "Global Lifecycle Management Nextgen Oui Framework" and version " < 13.9.4.2.2"		-		Affected
Oracle Search vendor "Oracle"		Global Lifecycle Management Nextgen Oui Framework Search vendor "Oracle" for product "Global Lifecycle Management Nextgen Oui Framework"				13.9.4.2.2 Search vendor "Oracle" for product "Global Lifecycle Management Nextgen Oui Framework" and version "13.9.4.2.2"		-		Affected
Oracle Search vendor "Oracle"		Global Lifecycle Management Opatch Search vendor "Oracle" for product "Global Lifecycle Management Opatch"				< 12.2.0.1.30 Search vendor "Oracle" for product "Global Lifecycle Management Opatch" and version " < 12.2.0.1.30"		-		Affected
Oracle Search vendor "Oracle"		Health Sciences Information Manager Search vendor "Oracle" for product "Health Sciences Information Manager"				>= 3.0.1 <= 3.0.5 Search vendor "Oracle" for product "Health Sciences Information Manager" and version " >= 3.0.1 <= 3.0.5"		-		Affected
Oracle Search vendor "Oracle"		Health Sciences Information Manager Search vendor "Oracle" for product "Health Sciences Information Manager"				3.0.0.1 Search vendor "Oracle" for product "Health Sciences Information Manager" and version "3.0.0.1"		-		Affected
Oracle Search vendor "Oracle"		Ilearning Search vendor "Oracle" for product "Ilearning"				6.2 Search vendor "Oracle" for product "Ilearning" and version "6.2"		-		Affected
Oracle Search vendor "Oracle"		Ilearning Search vendor "Oracle" for product "Ilearning"				6.3 Search vendor "Oracle" for product "Ilearning" and version "6.3"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.58 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.59 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.59"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 17.7 <= 17.12.11 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 17.7 <= 17.12.11"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 18.8.0 <= 18.8.14 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 18.8.0 <= 18.8.14"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 19.12.0 <= 19.12.13 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 19.12.0 <= 19.12.13"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 20.12.0 <= 20.12.8 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 20.12.0 <= 20.12.8"		-		Affected
Oracle Search vendor "Oracle"		Product Lifecycle Analytics Search vendor "Oracle" for product "Product Lifecycle Analytics"				3.6.1 Search vendor "Oracle" for product "Product Lifecycle Analytics" and version "3.6.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Bulk Data Integration Search vendor "Oracle" for product "Retail Bulk Data Integration"				16.0.3.0 Search vendor "Oracle" for product "Retail Bulk Data Integration" and version "16.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Extract Transform And Load Search vendor "Oracle" for product "Retail Extract Transform And Load"				13.2.8 Search vendor "Oracle" for product "Retail Extract Transform And Load" and version "13.2.8"		-		Affected
Oracle Search vendor "Oracle"		Retail Financial Integration Search vendor "Oracle" for product "Retail Financial Integration"				14.1.3.2 Search vendor "Oracle" for product "Retail Financial Integration" and version "14.1.3.2"		-		Affected
Oracle Search vendor "Oracle"		Retail Financial Integration Search vendor "Oracle" for product "Retail Financial Integration"				15.0.3.1 Search vendor "Oracle" for product "Retail Financial Integration" and version "15.0.3.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Financial Integration Search vendor "Oracle" for product "Retail Financial Integration"				16.0.3 Search vendor "Oracle" for product "Retail Financial Integration" and version "16.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Financial Integration Search vendor "Oracle" for product "Retail Financial Integration"				19.0.1 Search vendor "Oracle" for product "Retail Financial Integration" and version "19.0.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Integration Bus Search vendor "Oracle" for product "Retail Integration Bus"				14.1.3.2 Search vendor "Oracle" for product "Retail Integration Bus" and version "14.1.3.2"		-		Affected
Oracle Search vendor "Oracle"		Retail Integration Bus Search vendor "Oracle" for product "Retail Integration Bus"				15.0.3.1 Search vendor "Oracle" for product "Retail Integration Bus" and version "15.0.3.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Integration Bus Search vendor "Oracle" for product "Retail Integration Bus"				16.0.3 Search vendor "Oracle" for product "Retail Integration Bus" and version "16.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Integration Bus Search vendor "Oracle" for product "Retail Integration Bus"				19.0.1 Search vendor "Oracle" for product "Retail Integration Bus" and version "19.0.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Merchandising System Search vendor "Oracle" for product "Retail Merchandising System"				16.0.3 Search vendor "Oracle" for product "Retail Merchandising System" and version "16.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Merchandising System Search vendor "Oracle" for product "Retail Merchandising System"				19.0.1 Search vendor "Oracle" for product "Retail Merchandising System" and version "19.0.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone"				14.1.3.2 Search vendor "Oracle" for product "Retail Service Backbone" and version "14.1.3.2"		-		Affected
Oracle Search vendor "Oracle"		Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone"				15.0.3.1 Search vendor "Oracle" for product "Retail Service Backbone" and version "15.0.3.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone"				16.0.3 Search vendor "Oracle" for product "Retail Service Backbone" and version "16.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone"				19.0.1 Search vendor "Oracle" for product "Retail Service Backbone" and version "19.0.1"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.3.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.4.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				14.1.1.0.0 Search vendor "Oracle" for product "Weblogic Server" and version "14.1.1.0.0"		-		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		windows		Affected