CVE-2022-34169
Integer Truncation vulnerability in xalan (Maven)
What is CVE-2022-34169 About?
The Apache Xalan-J XSLT library contains an integer truncation bug in XSLTC, the component that compiles XSLT stylesheets into Java classes. A specially crafted stylesheet can make the compiler emit a corrupted class file in which stylesheet-controlled data is parsed by the JVM as class structure and executable bytecode, giving an attacker who can supply a stylesheet arbitrary code execution in the process that performs the transformation. NVD rates the flaw high severity (CVSS 3.1 base score 7.5). Exploitation is complex and needs a carefully crafted stylesheet, but it requires no authentication wherever untrusted stylesheets are compiled. The same XSLTC code ships inside the JDK, so unpatched JDKs are affected even by applications that have no direct xalan dependency.
Affected Software
- xalan:xalan (Maven) before 2.7.3.
- The copy of XSLTC bundled in the JDK (com.sun.org.apache.xalan.internal.xsltc), which backs the default javax.xml.transform.TransformerFactory; the July 2022 JDK updates carry the fix (see the Debian advisories DSA-5188 and DSA-5192 under Additional Resources).
Technical Details
XSLTC, the compiling transformer in Xalan-J, translates a stylesheet into a Java class (a "translet") and writes the class file with a bundled copy of Apache Commons BCEL. Several size fields in the class-file format are 16-bit unsigned values; in particular constant_pool_count and every constant-pool index are u2 fields. The vulnerable code generator emits these fields without checking that the real value fits, so a stylesheet that forces more than 65535 constant-pool entries makes the written count wrap modulo 65536. The JVM trusts that count when it loads the class: it stops reading the constant pool early and parses the bytes that were meant to be the remaining constants (string literals chosen by the stylesheet author) as the rest of the class file, including method bodies. No memory-safety bug is involved; the truncated field turns stylesheet-controlled data into class-file structure, and the bytecode smuggled in this way runs with the privileges of the JVM as soon as the translet is used to perform a transformation. Driving the pool past the limit from stylesheet content is the hard part of an exploit, since BCEL deduplicates identical constants, which is what keeps exploitation complexity high. The fix in Xalan-J 2.7.3 (commit 2e60d0a9, linked under Additional Resources) and in the July 2022 JDK updates makes compilation fail instead of emitting a wrapped count; the upstream Apache Commons BCEL library received an equivalent range check in 6.6.0 (CVE-2022-42920).
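The wrap described above, as an added illustration that is not code from Xalan-J, BCEL or the JDK: a constructed constant pool of CONSTANT_Utf8 entries is serialized by a writer that, like the vulnerable generator, truncates constant_pool_count to 16 bits, and then read back the way a class-file loader reads it. Everything the reader does not consume as constants is what a JVM would go on to parse as the class body. The function and field names are the example's own; only the u2 field widths and the CONSTANT_Utf8 layout come from the class-file format.

```python
import struct

CONSTANT_UTF8 = 1  # JVM constant-pool tag for CONSTANT_Utf8_info


def utf8_entry(payload: bytes) -> bytes:
    """Serialize one CONSTANT_Utf8_info entry: tag (u1), length (u2), bytes."""
    return struct.pack(">BH", CONSTANT_UTF8, len(payload)) + payload


def write_pool(entries, range_check: bool) -> bytes:
    """Emit constant_pool_count (u2) followed by the entries.

    constant_pool_count is one more than the number of entries. With
    range_check=False the count is written modulo 2**16, which models the
    truncation this advisory describes; with range_check=True the writer
    refuses to emit a class whose count no longer fits, which is the
    behaviour of the fixed compiler.
    """
    count = len(entries) + 1
    if count > 0xFFFF and range_check:
        raise ValueError(f"constant pool has {count} entries, limit is 65535")
    return struct.pack(">H", count & 0xFFFF) + b"".join(entries)


def read_pool(blob: bytes):
    """Parse the pool the way a class-file reader does: trust the count.

    Returns (parsed_entries, remaining_bytes). The remaining bytes are what a
    loader would next interpret as access_flags, this_class, fields, methods
    and attributes, i.e. attacker-controlled class structure.
    """
    (count,) = struct.unpack_from(">H", blob, 0)
    off = 2
    parsed = []
    for _ in range(count - 1):
        tag = blob[off]
        if tag != CONSTANT_UTF8:
            raise ValueError(f"unexpected tag {tag} at offset {off}")
        (length,) = struct.unpack_from(">H", blob, off + 1)
        parsed.append(blob[off + 3 : off + 3 + length])
        off += 3 + length
    return parsed, blob[off:]


def demo(n_entries: int, range_check: bool = False) -> dict:
    """Build n_entries constructed Utf8 entries, write them with or without
    the range check, and report what a reader sees."""
    entries = [utf8_entry(b"c%d" % i) for i in range(n_entries)]
    blob = write_pool(entries, range_check)
    parsed, rest = read_pool(blob)
    return {
        "declared_count": struct.unpack_from(">H", blob, 0)[0],
        "entries_parsed": len(parsed),
        "bytes_swallowed_as_class_body": len(rest),
    }


if __name__ == "__main__":
    print(demo(10))       # count 11, all 10 entries parsed, nothing left over
    print(demo(65539))    # count 65540 wraps to 4: 3 entries parsed, the rest becomes class body
    try:
        demo(65539, range_check=True)
    except ValueError as err:
        print("fixed writer:", err)
```

The middle case is the one that matters: 65539 entries are written, the count field reads 4, and tens of thousands of bytes of stylesheet-chosen string data are left for the loader to parse as fields, methods and attributes. The range-checked writer fails closed instead, which is the shape of the fix.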
What is the Impact of CVE-2022-34169?
Successful exploitation lets an attacker run arbitrary Java bytecode inside the JVM that performs the transformation, with that process's privileges. From there, full system compromise, theft or destruction of any data the application can reach, or denial of service are all possible. Because the payload is ordinary bytecode loaded through the normal class-loading path rather than a native memory-corruption primitive, the JVM's memory safety offers no mitigation.
What is the Exploitability of CVE-2022-34169?
Exploitation complexity is high: building a stylesheet that pushes the compiled translet past the 16-bit limit while keeping the smuggled bytes parseable as a valid class requires detailed knowledge of XSLT, the class-file format and the XSLTC code generator, and the resulting payload tends to be specific to the Xalan or JDK build being targeted. No authentication is needed if the application accepts stylesheets (not merely XML documents to transform) from unauthenticated clients; the injected code then runs with whatever privileges the Java process has. The attack is remote in the usual deployment, delivered by submitting the malicious stylesheet to any endpoint that compiles it, which includes code that never depends on the xalan artifact directly but uses the JDK's default TransformerFactory on an unpatched JDK. Two conditions must both hold: a vulnerable XSLTC (Xalan-J before 2.7.3, or a JDK without the July 2022 update) and stylesheets from an untrusted source. The transformed XML document alone cannot trigger the compiler bug; the stylesheet is the attack surface. Risk is highest for services that let external users upload or reference stylesheets, and for build or reporting pipelines that fetch stylesheets from repositories they do not control.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| flowerwind | Link | Payload auto-generation tool for the JDK's Xalan, derived from cve-2022-34169; generates the XSLT file matching a given JDK version |
| Disnaming | Link | A PoC for CVE-2022-34169, for the SU_PWN challenge from SUCTF 2025 |
| bor8 | Link | https://nvd.nist.gov/vuln/detail/CVE-2022-34169 |
What are the Available Fixes for CVE-2022-34169?
Available Upgrade Options
- xalan:xalan
  - <2.7.3 → Upgrade to 2.7.3
- If the vulnerable XSLTC comes from the JDK's bundled copy rather than the Maven artifact, update the JDK to a July 2022 or later release (Debian: DSA-5188 for openjdk-11, DSA-5192 for openjdk-17); a Maven upgrade alone does not patch it.
- Until the upgrade lands, do not compile stylesheets from untrusted sources; the transformed XML input is not the trigger, the stylesheet is.
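An added check for the Maven side of the fix, not a tool from Resolved Security or the Xalan project: it scans `mvn dependency:tree` output for the xalan:xalan coordinate and flags any version below 2.7.3, including transitive occurrences that a direct pom inspection would miss. The sample tree text is constructed for this example, the coordinate regex assumes the standard `groupId:artifactId:type:version:scope` line format, and version qualifiers such as `-SNAPSHOT` are ignored for comparison.

```python
import re

# Artifact -> first fixed version, from the upgrade options above.
FIXED = {("xalan", "xalan"): (2, 7, 3)}

# dependency:tree prints one artifact per line after the tree glyphs:
#   [INFO] +- groupId:artifactId:type:version:scope
# The root module line carries no scope.
_COORD = re.compile(r"([\w.\-]+):([\w.\-]+):[\w.\-]+:([\w.\-]+)(?::(\w+))?")

# Constructed sample output (not from a real build).
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ report-service ---
[INFO] org.example:report-service:jar:1.4.0
[INFO] +- xalan:xalan:jar:2.7.2:compile
[INFO] |  \\- xalan:serializer:jar:2.7.2:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""


def parse_version(version: str) -> tuple:
    """Turn '2.7.2' or '2.7.3-SNAPSHOT' into a comparable tuple of ints.

    Qualifiers are dropped, so a 2.7.3-SNAPSHOT is treated as fixed; tighten
    this if pre-release builds matter in your environment.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        return (0,)
    return tuple(int(part) for part in m.group(1).split("."))


def find_vulnerable(tree_text: str) -> list:
    """Return (coordinate, version, scope) for every flagged artifact line."""
    findings = []
    for line in tree_text.splitlines():
        m = _COORD.search(line)
        if not m:
            continue
        group, artifact, version, scope = m.groups()
        fixed = FIXED.get((group, artifact))
        if fixed is None:
            continue
        if parse_version(version) < fixed:
            findings.append((f"{group}:{artifact}", version, scope or "compile"))
    return findings


if __name__ == "__main__":
    for coord, version, scope in find_vulnerable(SAMPLE_TREE):
        print(f"{coord} {version} ({scope}): below 2.7.3, upgrade required")
```

Feed it the real output of `mvn dependency:tree` run at the project root so that transitive pulls of xalan are included. The JDK's bundled XSLTC never appears in a dependency tree; for that path, check the JDK version on the hosts that actually run the transformations.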
Additional Resources
- https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=2e60d0a9a5b822c4abf9051857973b1c6babfe81
- https://security.netapp.com/advisory/ntap-20240621-0006
- http://www.openwall.com/lists/oss-security/2022/07/20/2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ
- http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html
- https://www.debian.org/security/2022/dsa-5188
- https://www.debian.org/security/2022/dsa-5192
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L
What are Similar Vulnerabilities to CVE-2022-34169?
Similar Vulnerabilities: CVE-2019-17571, CVE-2020-1945, CVE-2017-15707, CVE-2019-0232, CVE-2018-11776
