CVE-2022-34169
Published: 19 July 2022
Summary
CVE-2022-34169 is a high-severity Incorrect Conversion between Numeric Types (CWE-681) vulnerability in Oracle OpenJDK. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 6.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Apache Xalan Java XSLT library is affected by an integer truncation vulnerability (CWE-681) that occurs while processing malicious XSLT stylesheets. The flaw resides in the internal XSLTC compiler and allows corruption of the Java class files it generates, ultimately enabling execution of arbitrary Java bytecode. The issue affects Xalan-J versions prior to 2.7.3; because many Java runtimes, including OpenJDK, bundle repackaged copies of the library, the exposure extends well beyond direct Xalan deployments. The vulnerability carries a CVSS 3.1 score of 7.5, with a network attack vector and no privileges or user interaction required.
An unauthenticated remote attacker can supply a crafted XSLT stylesheet to any application that invokes the vulnerable Xalan processor, such as an XML transformation service or a document-processing pipeline. Successful exploitation results in a high integrity impact through execution of attacker-controlled bytecode, while confidentiality and availability are rated as unaffected.
Advisories published on the oss-security mailing list and the associated Packet Storm entry recommend immediate upgrade to Xalan-J 2.7.3 or later. Because the library is frequently embedded inside Java runtimes, operators are advised to apply vendor-supplied runtime updates that incorporate the patched Xalan classes.
Public proof-of-concept material has been available since disclosure, and the EPSS score has remained near 0.11 with only minor fluctuation between its recorded peak and current value.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6300
Vulnerability details
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.