Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 19 Jul 2022 19:53:10 -0700
From: Roxana Bradescu <roxxbee@...il.com>
To: oss-security@...ts.openwall.com
Cc: mjc@...che.org
Subject: Re: CVE-2022-34169: Apache Xalan Java XSLT library is
 vulnerable to an integer truncation issue when processing malicious XSLT
 stylesheets


> On Jul 19, 2022, at 12:21 PM, John Helmert III <ajak@...too.org> wrote:
> 
> On Tue, Jul 19, 2022 at 05:37:46PM +0000, Mark J. Cox wrote:
>> Description:
>> 
>> The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.
>> 
>> The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected.
>> 
>> Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
>> 
>> Credit:
>> 
>> Reported by Felix Wilhelm, Google Project Zero
>> 
>> References:
>> 
>> https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
>> 
> 
> Hi, is there any available patch or bug report? The reference here
> only seems to be a discussion of the retirement of xalan-j, rather
> than the vulnerability.

Project Zero won't share technical details of a vulnerability for 30 days if a vendor patches it before the 90-day or 7-day deadline. The 30-day period is intended for user patch adoption.
https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html <https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html>

Since OpenJDK released patches for this vulnerability today, PZ would publish technical details in 30 days.
https://openjdk.org/groups/vulnerability/advisories/2022-07-19 <https://openjdk.org/groups/vulnerability/advisories/2022-07-19>

—
Regards, Roxana



Content of type "text/html" skipped

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.