Security update for xerces-j2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2022:0503-1 Final 1 1 2022-02-18T09:56:03Z current 2022-02-18T09:56:03Z 2022-02-18T09:56:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xerces-j2 This update for xerces-j2 fixes the following issues: - CVE-2022-23437: Fixed infinite loop within Apache XercesJ xml parser (bsc#1195108). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-SLE-15.3-2022-503,openSUSE-SLE-15.4-2022-503 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U7E32672AADOJILNWAAKOTVLBYTBDBKD/ E-Mail link for openSUSE-SU-2022:0503-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1195108 SUSE Bug 1195108 https://www.suse.com/security/cve/CVE-2022-23437/ SUSE CVE CVE-2022-23437 page openSUSE Leap 15.3 xerces-j2-2.12.0-3.3.1 xerces-j2-demo-2.12.0-3.3.1 xerces-j2-javadoc-2.12.0-3.3.1 xerces-j2-2.12.0-3.3.1 as a component of openSUSE Leap 15.3 xerces-j2-demo-2.12.0-3.3.1 as a component of openSUSE Leap 15.3 xerces-j2-javadoc-2.12.0-3.3.1 as a component of openSUSE Leap 15.3 There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. CVE-2022-23437 openSUSE Leap 15.3:xerces-j2-2.12.0-3.3.1 openSUSE Leap 15.3:xerces-j2-demo-2.12.0-3.3.1 openSUSE Leap 15.3:xerces-j2-javadoc-2.12.0-3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U7E32672AADOJILNWAAKOTVLBYTBDBKD/ https://www.suse.com/security/cve/CVE-2022-23437.html CVE-2022-23437 https://bugzilla.suse.com/1195108 SUSE Bug 1195108 https://bugzilla.suse.com/1196394 SUSE Bug 1196394