Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets

[Roxana Bradescu <roxxbee () gmail com>]

> On Jul 19, 2022, at 12:21 PM, John Helmert III <ajak () gentoo org> wrote:
>
> On Tue, Jul 19, 2022 at 05:37:46PM +0000, Mark J. Cox wrote:
> > Description:
> >
> > The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT 
> > stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute 
> > arbitrary Java bytecode.
> >
> > The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan 
> > Java to address this issue are expected.
> >
> > Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
> >
> > Credit:
> >
> > Reported by Felix Wilhelm, Google Project Zero
> >
> > References:
> >
> > https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
>
> Hi, is there any available patch or bug report? The reference here
> only seems to be a discussion of the retirement of xalan-j, rather
> than the vulnerability.

Project Zero won't share technical details of a vulnerability for 30 days if a vendor patches it before the 90-day or 
7-day deadline. The 30-day period is intended for user patch adoption.
https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html 
<https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html>

Since OpenJDK released patches for this vulnerability today, PZ would publish technical details in 30 days.
https://openjdk.org/groups/vulnerability/advisories/2022-07-19 
<https://openjdk.org/groups/vulnerability/advisories/2022-07-19>

—
Regards, Roxana

Attachment: signature.asc
Description: Message signed with OpenPGP