Security update for xerces-j2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:0503-1 Final 1 1 2022-02-18T09:56:38Z current 2022-02-18T09:56:38Z 2022-02-18T09:56:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xerces-j2 This update for xerces-j2 fixes the following issues: - CVE-2022-23437: Fixed infinite loop within Apache XercesJ xml parser (bsc#1195108). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/kiwi:latest-2022-503,Container suse/manager/5.0/x86_64/server:latest-2022-503,Container suse/multi-linux-manager/5.1/x86_64/server:latest-2022-503,Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure-2022-503,Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM-2022-503,Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE-2022-503,Image SLES15-SP4-Manager-Server-4-3-2022-503,Image SLES15-SP4-Manager-Server-4-3-Azure-llc-2022-503,Image SLES15-SP4-Manager-Server-4-3-Azure-ltd-2022-503,Image SLES15-SP4-Manager-Server-4-3-BYOS-2022-503,Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure-2022-503,Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2-2022-503,Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE-2022-503,Image SLES15-SP4-Manager-Server-4-3-EC2-llc-2022-503,Image SLES15-SP4-Manager-Server-4-3-EC2-ltd-2022-503,Image server-image-2022-503,SUSE-2022-503,SUSE-SLE-Module-Basesystem-15-SP3-2022-503,SUSE-SLE-Module-Basesystem-15-SP4-2022-503,SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-503,SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-503,SUSE-SLE-Product-RT-15-SP2-2022-503,SUSE-SLE-Product-SLES-15-SP2-BCL-2022-503,SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-503,SUSE-SLE-Product-SLES_SAP-15-SP2-2022-503,SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-503,SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-503,SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-503,SUSE-Storage-7-2022-503 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20220503-1/ Link for SUSE-SU-2022:0503-1 https://lists.suse.com/pipermail/sle-security-updates/2022-February/010271.html E-Mail link for SUSE-SU-2022:0503-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1195108 SUSE Bug 1195108 https://www.suse.com/security/cve/CVE-2022-23437/ SUSE CVE CVE-2022-23437 page Container bci/kiwi:latest Container suse/manager/5.0/x86_64/server:latest Container suse/multi-linux-manager/5.1/x86_64/server:latest Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE Image SLES15-SP4-Manager-Server-4-3 Image SLES15-SP4-Manager-Server-4-3-Azure-llc Image SLES15-SP4-Manager-Server-4-3-Azure-ltd Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Image SLES15-SP4-Manager-Server-4-3-EC2-llc Image SLES15-SP4-Manager-Server-4-3-EC2-ltd Image server-image SUSE Enterprise Storage 7 SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise Module for Basesystem 15 SP3 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Server 15 SP2-BCL SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Manager Proxy 4.1 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.1 xerces-j2-2.12.0-3.3.1 xerces-j2-demo-2.12.0-3.3.1 xerces-j2-javadoc-2.12.0-3.3.1 xerces-j2-2.12.0-3.3.1 as a component of Container bci/kiwi:latest xerces-j2-2.12.0-3.3.1 as a component of Container suse/manager/5.0/x86_64/server:latest xerces-j2-2.12.0-3.3.1 as a component of Container suse/multi-linux-manager/5.1/x86_64/server:latest xerces-j2-2.12.0-3.3.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure xerces-j2-2.12.0-3.3.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM xerces-j2-2.12.0-3.3.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE xerces-j2-2.12.0-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3 xerces-j2-2.12.0-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-Azure-llc xerces-j2-2.12.0-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-Azure-ltd xerces-j2-2.12.0-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS xerces-j2-2.12.0-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure xerces-j2-2.12.0-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 xerces-j2-2.12.0-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE xerces-j2-2.12.0-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-EC2-llc xerces-j2-2.12.0-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-EC2-ltd xerces-j2-2.12.0-3.3.1 as a component of Image server-image xerces-j2-2.12.0-3.3.1 as a component of SUSE Enterprise Storage 7 xerces-j2-2.12.0-3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS xerces-j2-2.12.0-3.3.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS xerces-j2-2.12.0-3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP3 xerces-j2-2.12.0-3.3.1 as a component of SUSE Linux Enterprise Real Time 15 SP2 xerces-j2-2.12.0-3.3.1 as a component of SUSE Linux Enterprise Server 15 SP2-BCL xerces-j2-2.12.0-3.3.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS xerces-j2-2.12.0-3.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 xerces-j2-2.12.0-3.3.1 as a component of SUSE Manager Proxy 4.1 xerces-j2-2.12.0-3.3.1 as a component of SUSE Manager Retail Branch Server 4.1 xerces-j2-2.12.0-3.3.1 as a component of SUSE Manager Server 4.1 There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. CVE-2022-23437 Container bci/kiwi:latest:xerces-j2-2.12.0-3.3.1 Container suse/manager/5.0/x86_64/server:latest:xerces-j2-2.12.0-3.3.1 Container suse/multi-linux-manager/5.1/x86_64/server:latest:xerces-j2-2.12.0-3.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:xerces-j2-2.12.0-3.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM:xerces-j2-2.12.0-3.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE:xerces-j2-2.12.0-3.3.1 Image SLES15-SP4-Manager-Server-4-3-Azure-llc:xerces-j2-2.12.0-3.3.1 Image SLES15-SP4-Manager-Server-4-3-Azure-ltd:xerces-j2-2.12.0-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:xerces-j2-2.12.0-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:xerces-j2-2.12.0-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:xerces-j2-2.12.0-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS:xerces-j2-2.12.0-3.3.1 Image SLES15-SP4-Manager-Server-4-3-EC2-llc:xerces-j2-2.12.0-3.3.1 Image SLES15-SP4-Manager-Server-4-3-EC2-ltd:xerces-j2-2.12.0-3.3.1 Image SLES15-SP4-Manager-Server-4-3:xerces-j2-2.12.0-3.3.1 Image server-image:xerces-j2-2.12.0-3.3.1 SUSE Enterprise Storage 7:xerces-j2-2.12.0-3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS:xerces-j2-2.12.0-3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xerces-j2-2.12.0-3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP3:xerces-j2-2.12.0-3.3.1 SUSE Linux Enterprise Real Time 15 SP2:xerces-j2-2.12.0-3.3.1 SUSE Linux Enterprise Server 15 SP2-BCL:xerces-j2-2.12.0-3.3.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xerces-j2-2.12.0-3.3.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xerces-j2-2.12.0-3.3.1 SUSE Manager Proxy 4.1:xerces-j2-2.12.0-3.3.1 SUSE Manager Retail Branch Server 4.1:xerces-j2-2.12.0-3.3.1 SUSE Manager Server 4.1:xerces-j2-2.12.0-3.3.1 important 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20220503-1/ https://www.suse.com/security/cve/CVE-2022-23437.html CVE-2022-23437 https://bugzilla.suse.com/1195108 SUSE Bug 1195108 https://bugzilla.suse.com/1196394 SUSE Bug 1196394