[jira] [Commented] (OOZIE-3663) Upgrade Apache Xerces Java to 2.12.2

Ashutosh Gupta (Jira) Tue, 31 May 2022 11:03:05 -0700


    [ 
https://issues.apache.org/jira/browse/OOZIE-3663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17544539#comment-17544539
 ]


Ashutosh Gupta commented on OOZIE-3663:
---------------------------------------

[~asalamon74], [~pj.fanning] - Can you please review? Thanks 

> Upgrade Apache Xerces Java to 2.12.2
> ------------------------------------
>
>                 Key: OOZIE-3663
>                 URL: https://issues.apache.org/jira/browse/OOZIE-3663
>             Project: Oozie
>          Issue Type: Improvement
>            Reporter: Ashutosh Gupta
>            Assignee: Ashutosh Gupta
>            Priority: Major
>         Attachments: OOZIE-3663-001.patch
>
>
> Description
> [https://github.com/advisories/GHSA-h65f-jvqw-m9fj]
> There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser 
> when handling specially crafted XML document payloads. This causes, the 
> XercesJ XML parser to wait in an infinite loop, which may sometimes consume 
> system resources for prolonged duration. This vulnerability is present within 
> XercesJ version 2.12.1 and the previous versions.
> References
> [https://nvd.nist.gov/vuln/detail/CVE-2022-23437]
> [https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl]
> [http://www.openwall.com/lists/oss-security/2022/01/24/3]
> [https://www.oracle.com/security-alerts/cpuapr2022.html]
> h4.  



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

[jira] [Commented] (OOZIE-3663) Upgrade Apache Xerces Java to 2.12.2

Reply via email to