CVE-2022-23437
Denial of Service vulnerability in xercesImpl (Maven)

Vulnerability type: Denial of Service. Known public exploits: none.

What is CVE-2022-23437 About?

This vulnerability affects the Apache Xerces Java (XercesJ) XML parser in versions 2.12.1 and below and results in a Denial of Service (DoS) condition. An attacker can cause the parser to enter an infinite loop by supplying a specially crafted XML document. Exploitation is relatively easy, since it only requires delivering a malformed XML payload to an application that parses it.

Affected Software

xerces:xercesImpl <2.12.2

Technical Details

The Apache XercesJ XML parser, in versions up to and including 2.12.1, is susceptible to a Denial of Service. When it handles a specially crafted XML document, a flaw in the parsing logic causes the parser to enter an infinite loop. The loop consumes system resources such as CPU cycles and memory for as long as it runs, eventually rendering the application unresponsive. The XML structure that triggers the loop abuses the way the parser handles certain recursive or malformed elements or attribute definitions.

What is the Impact of CVE-2022-23437?

Successful exploitation may allow attackers to cause the application using the parser to become unresponsive or consume excessive resources, leading to a denial of service.

What is the Exploitability of CVE-2022-23437?

Exploitation is relatively straightforward and requires low complexity. An attacker simply needs to provide a specially crafted XML document to an application that uses the vulnerable XercesJ XML parser. No authentication is required, and exploitation is typically remote if the application accepts external XML input. The primary prerequisite is that the target application uses an affected version of XercesJ and processes untrusted XML. The risk factor increases for publicly accessible services that consume XML data from untrusted sources.

What are the Known Public Exploits?

Known public exploits (PoC, author, link, commentary): none recorded.

What are the Available Fixes for CVE-2022-23437?

Available Upgrade Options

  • xerces:xercesImpl
    • <2.12.2 → Upgrade to 2.12.2
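Because xercesImpl is often pulled in transitively, the affected range above is easiest to check against the resolved dependency tree. The following Python check is an added example, not part of this advisory: it scans `mvn dependency:tree` output for xerces:xercesImpl coordinates whose version is below the 2.12.2 fix. The sample tree output and the `com.example` / `org.example` coordinates in it are constructed.

```python
import re

# From the advisory: xerces:xercesImpl releases below 2.12.2 are affected by CVE-2022-23437.
AFFECTED_ARTIFACT = ("xerces", "xercesImpl")
FIXED_VERSION = "2.12.2"

# Constructed sample of `mvn dependency:tree` output, not taken from a real build.
SAMPLE_TREE = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- xerces:xercesImpl:jar:2.12.1:compile
[INFO] |  \\- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] \\- org.example:other-lib:jar:3.1.0:compile
[INFO]    \\- xerces:xercesImpl:jar:2.12.2:compile (version managed from 2.11.0)
"""


def version_key(version: str) -> tuple:
    """Order by leading numeric components ('2.12.1' -> (2, 12, 1)); a qualifier
    such as the 'SP5' in '2.11.0.SP5' is dropped, enough for the 2.x line here."""
    key = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        key.append(int(piece))
    return tuple(key)


def parse_tree_line(line: str):
    """Return (groupId, artifactId, version) from a dependency:tree line, else None.
    Maven prints groupId:artifactId:packaging[:classifier]:version[:scope]."""
    match = re.search(r"[\w.\-]+(?::[\w.\-]+){3,5}", line)
    if not match:
        return None
    fields = match.group(0).split(":")
    if len(fields) in (4, 5):          # no classifier: version is the 4th field
        return fields[0], fields[1], fields[3]
    if len(fields) == 6:               # classifier present: version is the 5th field
        return fields[0], fields[1], fields[4]
    return None


def find_vulnerable(tree_output: str) -> list:
    """List every resolved xercesImpl coordinate whose version is below the fix."""
    hits = []
    for line in tree_output.splitlines():
        coord = parse_tree_line(line)
        if (coord and coord[:2] == AFFECTED_ARTIFACT
                and version_key(coord[2]) < version_key(FIXED_VERSION)):
            hits.append(coord)
    return hits
```

Only the resolved version on each line is checked, so an entry that Maven reports as managed up to 2.12.2 is correctly treated as fixed while the direct 2.12.1 dependency is flagged.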


Additional Resources

What are Similar Vulnerabilities to CVE-2022-23437?

Similar Vulnerabilities: CVE-2020-10650, CVE-2017-15707, CVE-2016-4463, CVE-2014-0062, CVE-2013-1571