Sat, 13 Apr 2024, /manikanta tikkisetty/:

JDK bundle contains xalan 2.7.0 version as part of rt.jar. How can I update xalan version to 2.7.3 to resolve vulnerability?

Looking at the publication date: 07/19/2022, and the "Known Affected Software Configurations" <https://nvd.nist.gov/vuln/detail/CVE-2022-34169#vulnConfigurationsArea>, e.g.:

oracle:jdk:1.8.0:update333
oracle:jdk:11.0.15.1
oracle:jdk:17.0.3.1

Then JDK Releases for 2022-07-19 <https://www.java.com/releases/#18.0.2>:

18.0.2
17.0.4
11.0.16
8u341
7u351

Then the related "Risk Matrix" <https://www.oracle.com/security-alerts/cpuJul2022.html#AppendixJAVA>:

CVE-2022-34169
Component: JAXP (Xalan-J)
Supported Versions Affected: Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2, 22.1.0

I hope this answers your original question – just use a current JDK version/patch.

--
Stanimir
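
An added example, not part of the thread or of any JDK tooling: a small checker that normalizes the version formats quoted above (`1.8.0_333`, `8u333`, `11.0.15.1`) and compares them with the 2022-07-19 releases listed in the reply. It assumes those Oracle release numbers are the first to carry the CVE-2022-34169 fix; the function names and the sample inventory are constructed for illustration.

```python
import re

# First release of each family in the 2022-07-19 update, as listed in the
# message above. Assumption: these Oracle numbers are the first to carry the
# CVE-2022-34169 fix; other vendors' builds may be numbered differently.
FIRST_PATCHED = {7: (7, 0, 351), 8: (8, 0, 341), 11: (11, 0, 16),
                 17: (17, 0, 4), 18: (18, 0, 2)}


def parse_java_version(text):
    """Normalize `java -version` output or a bare version string to a tuple."""
    quoted = re.search(r'version "([^"]+)"', text)
    raw = quoted.group(1) if quoted else text.strip()
    raw = re.split(r"[-+]", raw, maxsplit=1)[0]      # drop -ea / +build suffixes
    legacy = re.fullmatch(r"1\.(\d+)\.(\d+)(?:_(\d+))?", raw)   # 1.8.0_333
    if legacy:
        feature, interim, update = legacy.groups()
        return (int(feature), int(interim), int(update or 0))
    short = re.fullmatch(r"(\d+)u(\d+)", raw)                   # 8u333
    if short:
        return (int(short.group(1)), 0, int(short.group(2)))
    if not re.fullmatch(r"\d+(\.\d+)*", raw):                   # 11.0.15.1
        raise ValueError(f"unrecognized Java version: {raw!r}")
    return tuple(int(part) for part in raw.split("."))


def cve_2022_34169_status(text):
    """Return 'affected', 'patched' or 'not-listed' for one JDK version."""
    version = parse_java_version(text)
    floor = FIRST_PATCHED.get(version[0])
    if floor is None:
        return "not-listed"          # family absent from the message's list
    width = max(len(version), len(floor))
    pad = lambda t: t + (0,) * (width - len(t))   # compare equal-length tuples
    return "patched" if pad(version) >= pad(floor) else "affected"


# Constructed sample inventory (not from the thread).
SAMPLE = [
    'java version "1.8.0_333"',
    'java version "11.0.15.1" 2022-04-22 LTS',
    'openjdk version "17.0.4" 2022-07-19',
    "7u343",
    'openjdk version "21.0.2" 2024-01-16',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{cve_2022_34169_status(line):11} {line}")
```

A `not-listed` result means the family does not appear in the reply's release list and has to be checked against the vendor's own advisory.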
