CVE-2022-34169

Severity: High · Public PoC available · Updated

Published: 19 July 2022
Modified: 27 May 2026
KEV Added: not listed
Patch: 20 July 2022
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.1095 (93.6th percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-34169 is a high-severity Incorrect Conversion between Numeric Types (CWE-681) vulnerability in Oracle OpenJDK. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 6.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Apache Xalan Java XSLT library is affected by an integer truncation vulnerability (CWE-681) that occurs during processing of malicious XSLT stylesheets. The flaw resides in the internal XSLTC compiler and allows corruption of generated Java class files, ultimately enabling execution of arbitrary Java bytecode. The issue impacts Xalan-J versions prior to 2.7.3; because many Java runtimes, including OpenJDK, bundle repackaged copies of the library, the exposure extends beyond direct Xalan deployments. The vulnerability carries a CVSS 3.1 score of 7.5 with network attack vector and no required privileges or user interaction.

An unauthenticated remote attacker can supply a crafted XSLT stylesheet to any application that invokes the vulnerable Xalan processor, such as XML transformation services or document-processing pipelines. Successful exploitation results in high-integrity impact through execution of attacker-controlled bytecode while leaving confidentiality and availability unaffected.

Advisories published on the oss-security mailing list and the associated Packet Storm entry recommend immediate upgrade to Xalan-J 2.7.3 or later. Because the library is frequently embedded inside Java runtimes, operators are advised to apply vendor-supplied runtime updates that incorporate the patched Xalan classes.

Public proof-of-concept material has been available since disclosure, and the EPSS score has remained near 0.11 with only minor fluctuation between its recorded peak and current value.

Vulnerability details

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

CWE(s)

CWE-681: Incorrect Conversion between Numeric Types

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor          Product                          Versions
apache          xalan-java                       ≤ 2.7.2
debian          debian linux                     10.0, 11.0
oracle          graalvm                          20.3.6, 21.3.2, 22.1.0
oracle          jdk                              1.7.0, 1.8.0, 11.0.15.1, 17.0.3.1, 18.0.1.1
oracle          jre                              1.7.0, 1.8.0, 11.0.15.1, 17.0.3.1, 18.0.1.1
oracle          openjdk                          7, 8, 18; 11 up to 11.0.15; 13 up to 13.0.11; 15 up to 15.0.7
fedoraproject   fedora                           35, 36
netapp          7-mode transition tool           all versions
netapp          active iq unified manager        all versions
netapp          cloud insights acquisition unit  all versions

+6 more product configuration(s); see NVD for the full list.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.