cvrf2cusa/cvrf/2022/cvrf-openEuler-SA-2022-1625.xml
Jia Chao 0b34274085 git mv
Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-07-25 09:57:37 +08:00


<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<!-- Advisory identity: human-readable title, document type and the issuing publisher. -->
<DocumentTitle xml:lang="en">An update for xerces-j2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<!-- Vendor-published advisory; ContactDetails carries the publisher's contact address. -->
<DocumentPublisher Type="Vendor">
  <ContactDetails>openeuler-security@openeuler.org</ContactDetails>
  <IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<!-- Tracking metadata: advisory ID, lifecycle status, version/revision history and release dates. -->
<DocumentTracking>
  <Identification>
    <ID>openEuler-SA-2022-1625</ID>
  </Identification>
  <Status>Final</Status>
  <Version>1.0</Version>
  <!-- Single revision: the document has not been amended since initial publication. -->
  <RevisionHistory>
    <Revision>
      <Number>1.0</Number>
      <Date>2022-04-29</Date>
      <Description>Initial</Description>
    </Revision>
  </RevisionHistory>
  <!-- Initial and current release dates coincide, consistent with the single 1.0 revision above. -->
  <!-- NOTE(review): dates are written as calendar dates; CVRF 1.1 types these fields as xs:dateTime.
       Confirm that downstream consumers accept date-only values before relying on strict validation. -->
  <InitialReleaseDate>2022-04-29</InitialReleaseDate>
  <CurrentReleaseDate>2022-04-29</CurrentReleaseDate>
  <!-- Generator that emitted this document; the generation date matches the release date. -->
  <Generator>
    <Engine>openEuler SA Tool V1.0</Engine>
    <Date>2022-04-29</Date>
  </Generator>
</DocumentTracking>
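<!-- Document-level notes. Ordinals 1-6 are unique and increase in document order.
     The Description and Topic notes are multi-line text content: the line breaks inside
     them are part of the note text, so these elements are deliberately not re-indented. -->
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">xerces-j2 security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for xerces-j2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.</Note>
<!-- Package description followed by the "Security Fix(es):" section; the CVE text repeats
     the Vulnerability Description note of the Vulnerability element below. -->
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Welcome to the future! Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.
Xerces 2 is a fully conforming XML Schema processor. For more information, refer to the XML Schema page.
Xerces 2 also provides a partial implementation of Document Object Model Level 3 Core, Load and Save and Abstract Schemas [deprecated] Working Drafts. For more information, refer to the DOM Level 3 Implementation page.
Security Fix(es):
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.(CVE-2022-23437)</Note>
<!-- Severity wording here ("medium") must agree with the Severity note (Ordinal 5) and the
     Threat/Impact description of the Vulnerability element. -->
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for xerces-j2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.
openEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Medium</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">xerces-j2</Note>
</DocumentNotes>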
<!-- External references: the vendor bulletin for this advisory (Self), the openEuler CVE page
     and the NVD entry for CVE-2022-23437. -->
<DocumentReferences>
  <Reference Type="Self">
    <URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1625</URL>
  </Reference>
  <Reference Type="openEuler CVE">
    <URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-23437</URL>
  </Reference>
  <Reference Type="Other">
    <URL>https://nvd.nist.gov/vuln/detail/CVE-2022-23437</URL>
  </Reference>
</DocumentReferences>
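<!-- Product tree: the four affected openEuler releases, then the fixed source and noarch
     packages, one entry per (package, release) pair.
     Fix applied here: the xerces-j2-help noarch entries previously carried a trailing space
     inside the element text; a consumer matching the RPM file name exactly would not find them. -->
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
  <Branch Type="Product Name" Name="openEuler">
    <FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
    <FullProductName ProductID="openEuler-20.03-LTS-SP2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">openEuler-20.03-LTS-SP2</FullProductName>
    <FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
    <FullProductName ProductID="openEuler-22.03-LTS" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">openEuler-22.03-LTS</FullProductName>
  </Branch>
  <!-- NOTE(review): the package entries below reuse one ProductID (e.g. "xerces-j2-2.12.2-1")
       for several releases and across the src and noarch branches, distinguished only by the
       CPE attribute, and the CPE names the OS release rather than the package. CVRF expects
       ProductID to be unique within a document, so a consumer keyed on ProductID alone may
       collapse these entries into one — confirm against the generator and downstream tooling
       before changing the identifiers. -->
  <Branch Type="Package Arch" Name="src">
    <FullProductName ProductID="xerces-j2-2.12.2-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">xerces-j2-2.12.2-1.oe1.src.rpm</FullProductName>
    <FullProductName ProductID="xerces-j2-2.12.2-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">xerces-j2-2.12.2-1.oe1.src.rpm</FullProductName>
    <FullProductName ProductID="xerces-j2-2.12.2-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">xerces-j2-2.12.2-1.oe1.src.rpm</FullProductName>
    <FullProductName ProductID="xerces-j2-2.12.2-1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">xerces-j2-2.12.2-1.oe2203.src.rpm</FullProductName>
  </Branch>
  <Branch Type="Package Arch" Name="noarch">
    <FullProductName ProductID="xerces-j2-2.12.2-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">xerces-j2-2.12.2-1.oe1.noarch.rpm</FullProductName>
    <FullProductName ProductID="xerces-j2-help-2.12.2-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">xerces-j2-help-2.12.2-1.oe1.noarch.rpm</FullProductName>
    <FullProductName ProductID="xerces-j2-2.12.2-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">xerces-j2-2.12.2-1.oe1.noarch.rpm</FullProductName>
    <FullProductName ProductID="xerces-j2-help-2.12.2-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">xerces-j2-help-2.12.2-1.oe1.noarch.rpm</FullProductName>
    <FullProductName ProductID="xerces-j2-2.12.2-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">xerces-j2-2.12.2-1.oe1.noarch.rpm</FullProductName>
    <FullProductName ProductID="xerces-j2-help-2.12.2-1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">xerces-j2-help-2.12.2-1.oe1.noarch.rpm</FullProductName>
    <FullProductName ProductID="xerces-j2-2.12.2-1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">xerces-j2-2.12.2-1.oe2203.noarch.rpm</FullProductName>
    <FullProductName ProductID="xerces-j2-help-2.12.2-1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">xerces-j2-help-2.12.2-1.oe2203.noarch.rpm</FullProductName>
  </Branch>
</ProductTree>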
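<!-- The single vulnerability covered by this advisory: CVE-2022-23437, a parser infinite loop
     (resource exhaustion) in Apache Xerces Java up to 2.12.1, fixed by the 2.12.2-1 packages
     listed in the ProductTree.
     Fix applied here: the lost apostrophe in "There s" has been restored ("There's"), matching
     the same sentence in the document-level Description note. -->
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <Notes>
    <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.</Note>
  </Notes>
  <ReleaseDate>2022-04-29</ReleaseDate>
  <CVE>CVE-2022-23437</CVE>
  <!-- Fixed status is expressed per OS release; the package-level ProductIDs from the
       ProductTree are not referenced here. -->
  <ProductStatuses>
    <Status Type="Fixed">
      <ProductID>openEuler-20.03-LTS-SP1</ProductID>
      <ProductID>openEuler-20.03-LTS-SP2</ProductID>
      <ProductID>openEuler-20.03-LTS-SP3</ProductID>
      <ProductID>openEuler-22.03-LTS</ProductID>
    </Status>
  </ProductStatuses>
  <!-- Impact rating; must agree with the "Severity" document note and the Topic note wording. -->
  <Threats>
    <Threat Type="Impact">
      <Description>Medium</Description>
    </Threat>
  </Threats>
  <!-- NOTE(review): the vector uses CVSS v3 metric names (PR, UI, S) without the "CVSS:3.x/"
       prefix, while the CVRF 1.1 ScoreSet element was defined for CVSS v2 vectors. The 6.5
       base score reads as a v3 value — confirm how downstream consumers interpret this
       ScoreSet before treating it as v2. -->
  <CVSSScoreSets>
    <ScoreSet>
      <BaseScore>6.5</BaseScore>
      <Vector>AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H</Vector>
    </ScoreSet>
  </CVSSScoreSets>
  <!-- Vendor fix pointing back at the Self reference URL.
       NOTE(review): CVRF 1.1 models the remediation date as a Date attribute on Remediation,
       not as a DATE child element; the element is kept as emitted by the generator because
       consumers of this feed may read it as is — confirm against the schema and the converter
       before renaming it. -->
  <Remediations>
    <Remediation Type="Vendor Fix">
      <Description>xerces-j2 security update</Description>
      <DATE>2022-04-29</DATE>
      <URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1625</URL>
    </Remediation>
  </Remediations>
</Vulnerability>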
</cvrfdoc>