CVE-2022-34169
Publication date 19 July 2022
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
Status
Package | Ubuntu Release | Status |
---|---|---|
icedtea-web | 24.04 LTS noble |
Not affected
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty | Not in release | |
libxalan2-java | 24.04 LTS noble |
Needs evaluation
|
22.04 LTS jammy |
Needs evaluation
|
|
20.04 LTS focal |
Needs evaluation
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty |
Needs evaluation
|
|
openjdk-12 | 24.04 LTS noble | Not in release |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
openjdk-13 | 24.04 LTS noble | Not in release |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Ignored superseded by openjdk-17 | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
openjdk-15 | 24.04 LTS noble | Not in release |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
openjdk-16 | 24.04 LTS noble | Not in release |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Ignored superseded by openjdk-17 | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
openjdk-17 | 24.04 LTS noble |
Not affected
|
22.04 LTS jammy |
Fixed 17.0.4+8-1~22.04
|
|
20.04 LTS focal |
Fixed 17.0.4+8-1~20.04
|
|
18.04 LTS bionic |
Fixed 17.0.4+8-1~18.04
|
|
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
openjdk-18 | 24.04 LTS noble | Not in release |
22.04 LTS jammy |
Fixed 18.0.2+9-2~22.04
|
|
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
openjdk-8 | 24.04 LTS noble |
Not affected
|
22.04 LTS jammy |
Fixed 8u342-b07-0ubuntu1~22.04
|
|
20.04 LTS focal |
Fixed 8u342-b07-0ubuntu1~20.04
|
|
18.04 LTS bionic |
Fixed 8u342-b07-0ubuntu1~18.04
|
|
16.04 LTS xenial |
Fixed 8u342-b07-0ubuntu1~16.04
|
|
14.04 LTS trusty | Not in release | |
openjdk-9 | 24.04 LTS noble | Not in release |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Ignored no longer supported by upstream | |
14.04 LTS trusty | Not in release | |
openjdk-lts | 24.04 LTS noble |
Fixed 11.0.16+8-0ubuntu1
|
22.04 LTS jammy |
Fixed 11.0.16+8-0ubuntu1~22.04
|
|
20.04 LTS focal |
Fixed 11.0.16+8-0ubuntu1~20.04
|
|
18.04 LTS bionic |
Fixed 11.0.16+8-0ubuntu1~18.04
|
|
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-5546-1
- OpenJDK vulnerabilities
- 4 August 2022
- USN-5546-2
- OpenJDK 8 vulnerabilities
- 4 August 2022
Other references
- https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw
- https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
- https://marc.info/?l=oss-security&m=165825217622132
- https://openjdk.org/groups/vulnerability/advisories/2022-07-19
- https://github.com/openjdk/jdk/commit/41ef2b249073450172e11163a4d05762364b1297
- https://www.cve.org/CVERecord?id=CVE-2022-34169