Vulnerability Name: CVE-2022-23437 (CCN-217982) Assigned: 2022-01-24 Published: 2022-01-24 Updated: 2022-12-07 Summary: Apache Xerces2 Java XML Parser is vulnerable to a denial of service, caused by an infinite loop in the XML parser. By persuading a victim to open a specially-crafted XML document payloads, a remote attacker could exploit this vulnerability to consume system resources for prolonged duration. CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): RequiredScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): NoneAvailibility (A): High
5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): LocalAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): RequiredScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): NoneAvailibility (A): High
CVSS v2 Severity: 7.1 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): NoneAvailibility (A): Complete
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C Exploitability Metrics: Access Vector (AV): LocalAccess Complexity (AC): LowAthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): NoneIntegrity (I): NoneAvailibility (A): Complete
Vulnerability Consequences: Denial of Service References: Source: MITRECVE-2022-23437 security@apache.org apache-cve202223437-dos(217982) security@apache.org CVE-2022-23437: Infinite loop within Apache XercesJ xml parser security@apache.org IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965) IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Xerces IBM Spectrum Control is vulnerable to multiple weaknesses related to XStream, Apache Xerces2, Jackson, OpenSSL, and Java SE IBM Sterling Control Center is vulnerable to a denial of service vulnerability due to Apache Xerces2 Java XML Parser (CVE-2022-23437) IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to a denial server due to its use of Apache Xerces2 (CVE-2022-23437) Vulnerabilities in FasterXML Jackson Databind and Apache Xerces affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments Multiple denial of service vulnerabilities in Apache Xerces affect IBM InfoSphere Information Server Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.1 Vulnerability from Apache Xerces2 affect IBM Operations Analytics - Log Analysis (CVE-2022-23437) IBM Sterling Secure Proxy vulnerable to multiple issues IBM Sterling External Authentication Server vulnerable to denial of service due to Apache Xerces2 (CVE-2022-23437) Multiple vulnerabilities found with third-party libraries used by IBM MobileFirst Platform IBM QRadar SIEM includes components with known vulnerabilities IBM Engineering Requirements Management DOORS/DWA vulnerabilities fixes for 9.7.2.6 IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to denial of service due to [CVE-2012-0881], [CVE-2013-4002] and [CVE-2022-23437] Multiple vulnerabilities in DITA may affect IBM Business Automation Workflow and IBM Case Manager Atlas eDiscovery Process Management is affected by a vulnerable org.apache.xerces_2.9.0.v201101211617-4.8.0.jar IBM Operational Decision Manager May 2023 - Multiple CVEs Cloud Pak for Network Automation 2.5.0 fixes multiple security vulnerabilities Oracle Critical Patch Update Advisory - April 2022 security@apache.org Oracle Critical Patch Update Advisory - July 2022 security@apache.org Apache Xerces2 Java XML Parser Vulnerable Configuration: Configuration CCN 1 :cpe:/a:ibm:atlas_ediscovery_process_management:6.0.3:*:*:*:*:*:*:* OR cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:agile_plm_framework:9.3.6:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_asap:7.3:*:*:*:*:*:*:* OR cpe:/a:oracle:ilearning:6.2:*:*:*:*:*:*:* OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* OR cpe:/a:ibm:operational_decision_manager:8.10:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_protect_backup-archive_client:8.1.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_protect_for_virtual_environments:8.1.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_protect_for_space_management:8.1.9.0:*:*:*:*:*:*:* OR cpe:/a:ibm:spectrum_protect_backup-archive_client:8.1.9.0:*:*:*:*:*:*:* OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.5.3:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.6.0:*:*:*:*:*:*:* OR cpe:/a:ibm:log_analysis:1.3.6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_secure_proxy:6.0.3:*:*:*:*:*:*:* OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:*:*:*:traditional:*:*:* OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:*:*:*:traditional:*:*:* OR cpe:/a:ibm:business_automation_workflow:21.0.1:*:*:*:traditional:*:*:* OR cpe:/a:ibm:case_manager:5.3.3:*:*:*:*:*:*:* OR cpe:/a:ibm:business_automation_workflow:22.0.1:*:*:*:traditional:*:*:* OR cpe:/a:ibm:spectrum_protect_for_space_management:8.1.7.0:*:*:*:*:*:*:* OR cpe:/a:ibm:business_automation_workflow:21.0.3.1:*:*:*:traditional:*:*:* OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:* OR cpe:/a:ibm:business_automation_workflow:22.0.2:*:*:*:traditional:*:*:* Oval Definitions BACK
ibm atlas ediscovery process management 6.0.3
oracle weblogic server 12.2.1.3.0
oracle agile plm framework 9.3.6
oracle communications asap 7.3
oracle ilearning 6.2
ibm infosphere information server 11.7
oracle primavera unifier 17.12
oracle primavera unifier 18.8
ibm operational decision manager 8.10
ibm spectrum protect backup-archive client 8.1.0.0
ibm spectrum protect for virtual environments 8.1.0.0
ibm mobilefirst platform foundation 8.0.0.0
ibm spectrum protect for space management 8.1.9.0
ibm spectrum protect backup-archive client 8.1.9.0
ibm qradar security information and event manager 7.4 -
ibm log analysis 1.3.5.3
ibm log analysis 1.3.6.0
ibm log analysis 1.3.6.1
ibm sterling secure proxy 6.0.3
ibm business automation workflow 20.0.0.1
ibm business automation workflow 20.0.0.2
ibm business automation workflow 21.0.1
ibm case manager 5.3.3
ibm business automation workflow 22.0.1
ibm spectrum protect for space management 8.1.7.0
ibm business automation workflow 21.0.3.1
ibm app connect enterprise certified container 5.0
ibm business automation workflow 22.0.2
Denotes that component is vulnerable