CVE-2022-23437 : There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

Published 2022-01-24 15:15:09

Updated 2022-12-07 01:45:22

Source Apache Software Foundation

View at NVD, CVE.org

Products affected by CVE-2022-23437

Apache » Xerces-j
Versions up to, including, (<=) 2.12.1
cpe:2.3:a:apache:xerces-j:*:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.58
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.59
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
Matching versions
Oracle » Weblogic Server » Version: 12.2.1.3.0
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Weblogic Server » Version: 12.2.1.4.0
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Weblogic Server » Version: 14.1.1.0.0
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Ilearning » Version: 6.2
cpe:2.3:a:oracle:ilearning:6.2:*:*:*:*:*:*:*
Matching versions
Oracle » Ilearning » Version: 6.3
cpe:2.3:a:oracle:ilearning:6.3:*:*:*:*:*:*:*
Matching versions
Oracle » Agile Engineering Data Management » Version: 6.2.1.0
cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Integration Bus » Version: 16.0.3
cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Integration Bus » Version: 14.1.3.2
cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Integration Bus » Version: 15.0.3.1
cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Integration Bus » Version: 19.0.1
cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Health Sciences Information Manager
Versions from including (>=) 3.0.1 and up to, including, (<=) 3.0.5
cpe:2.3:a:oracle:health_sciences_information_manager:*:*:*:*:*:*:*:*
Matching versions
Oracle » Health Sciences Information Manager » Version: 3.0.0.1
cpe:2.3:a:oracle:health_sciences_information_manager:3.0.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Service Backbone » Version: 16.0.3
cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Service Backbone » Version: 14.1.3.2
cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Service Backbone » Version: 15.0.3.1
cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Service Backbone » Version: 19.0.1
cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Flexcube Universal Banking » Version: 12.4.0
cpe:2.3:a:oracle:flexcube_universal_banking:12.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway
Versions from including (>=) 18.8.0 and up to, including, (<=) 18.8.14
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway
Versions from including (>=) 17.7 and up to, including, (<=) 17.12.11
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway
Versions from including (>=) 19.12.0 and up to, including, (<=) 19.12.13
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway
Versions from including (>=) 20.12.0 and up to, including, (<=) 20.12.8
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Merchandising System » Version: 16.0.3
cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Merchandising System » Version: 19.0.1
cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure
Versions from including (>=) 8.0.6.0.0 and up to, including, (<=) 8.0.9.0
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure
Versions from including (>=) 8.1.0.0 and before (<) 8.1.2.0
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Bulk Data Integration » Version: 16.0.3.0
cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Behavior Detection Platform
Versions from including (>=) 8.0.6.0.0 and up to, including, (<=) 8.0.8.0
cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Behavior Detection Platform » Version: 8.1.1.0
cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Behavior Detection Platform » Version: 8.1.1.1
cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Behavior Detection Platform » Version: 8.1.2.0
cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Extract Transform And Load » Version: 13.2.8
cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.8:*:*:*:*:*:*:*
Matching versions
Oracle » Agile Plm » Version: 9.3.6
cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Financial Integration » Version: 16.0.3
cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Financial Integration » Version: 14.1.3.2
cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Financial Integration » Version: 15.0.3.1
cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Financial Integration » Version: 19.0.1
cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Global Lifecycle Management Opatch
Versions before (<) 12.2.0.1.30
cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Element Manager
Versions before (<) 9.0
cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Session Report Manager
Versions before (<) 9.0
cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Session Route Manager
Versions before (<) 9.0
cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*
Matching versions
Oracle » Global Lifecycle Management Nextgen Oui Framework
Versions before (<) 13.9.4.2.2
cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:*:*:*:*:*:*:*:*
Matching versions
Oracle » Global Lifecycle Management Nextgen Oui Framework » Version: 13.9.4.2.2
cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Enterprise Case Management » Version: 8.0.7.2.0
cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Enterprise Case Management » Version: 8.1.1.0
cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Enterprise Case Management » Version: 8.1.1.1
cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Enterprise Case Management » Version: 8.0.7.1
cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Enterprise Case Management » Version: 8.0.8.0
cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Enterprise Case Management » Version: 8.0.8.1
cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Party Management » Version: 2.7.0
cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Asap » Version: 7.3
cpe:2.3:a:oracle:communications_asap:7.3:*:*:*:*:*:*:*
Matching versions
Oracle » Product Lifecycle Analytics » Version: 3.6.1
cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Deposits And Lines Of Credit Servicing » Version: 2.7
cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.7:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Crime And Compliance Management Studio » Version: 8.0.8.2.0
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Crime And Compliance Management Studio » Version: 8.0.8.3.0
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Windows
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-23437

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 21 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-23437

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.1	HIGH	AV:N/AC:M/Au:N/C:N/I:N/A:C	8.6	6.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-23437

CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-23437

https://security.netapp.com/advisory/ntap-20221028-0005/

CVE-2022-23437 Apache XercesJ Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl

CVE-2022-23437: Infinite loop within Apache XercesJ xml parser-Apache Mail Archives
Mailing List;Vendor Advisory
http://www.openwall.com/lists/oss-security/2022/01/24/3

oss-security - CVE-2022-23437: Infinite loop within Apache XercesJ xml parser
Mailing List;Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022
Patch;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-23437

Products affected by CVE-2022-23437

Exploit prediction scoring system (EPSS) score for CVE-2022-23437

CVSS scores for CVE-2022-23437

CWE ids for CVE-2022-23437

References for CVE-2022-23437