search cancel

CVE-2022-34169, CVE-2021-3517 and CVE-2021-35550 vulnerabilities

book

Article ID: 253966

calendar_today

Updated On:

Products

Service Virtualization

Issue/Introduction

Seen the CVE-2022-34169, CVE-2021-3517 and CVE-2021-35550 vulnerabilities in DevTest and need help resolving.

Vulnerabilities identify xalan 2.7.2 as vulnerability file but DevTest servers identify as rt.jar file in DevTest_Home/jre/lib folder.

Vulnerability : CVE-2022-34169

Details : Nexpose Enterprise Corp DAILY: Vulnerable OS: Red Hat Enterprise Linux 7.9    Vulnerable software installed: Oracle JRE 1.8.0.2

CVE Description : The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Scanner Information : ID: jre-vuln-cve-2022-34169-DevTest_Home/jre/lib/rt.jar

 

 

Environment

Release : 10.7.2

Resolution

Engineering provided a new xalan.2.7.2-patched.jar and applied it in Customer's Playground server and they were still seeing the vulnerability and engineering shared the new JRE and instructions to apply it also.

In this issue, we were looking the 3 vulnerabilities CVE-2022-34169, CVE-2021-3517 and CVE-2021-35550 and engineering shared the below information.
. CVE-2021-3517  -->  As per our analysis and scans we are not vulnerable to this.
. CVE-2021-35550 is medium and we don't see a fix in 8.x series considering the impact and risk this can be given a low priority for now
So there is only one vulnerability pending now which is CVE-2022-34169. This has 2 parts.
. Part1- Engineering shared xalan.2.7.2-patched.jar which you already applied.
. Part 2- of it would be to upgrade jre
 
Transunion applied the xalan-2.7.2-patched.jar earlier and I am not sure you have it or removed it in your environments. I will share the complete instructions for applying xalan-2.7.2-patched.jar and replace JRE.
 
Steps to apply the xalan-2.7.2-patched.jar
Step1: Stop all services
Step2: Remove xalan-2.7.2.jar and place xalan-2.7.2-patched.jar at the following location
- LisaHome/IdentityAccessManager/modules/system/layers/base/org/apache/xalan/main
- LisaHome/lib/endorsed
- LisaHome/webserver/phoenix/phoenix-10.7.2/WEB-INF/lib
- LisaHome/webserver/webapps/jasper-server/WEB-INF/lib
Step3: Start all services
 
Steps to replace Jre in RHEL/Centos
Step 1. Stop all the services
Step 2. Go to LISA_HOME/
Step 3. Rename jre folder to rename jre_default
Step 4. Extract the tar linux_jre.tar at downloaded location
Step 5. Copy the jre folder inside linux_jre
Step 6. Paste the copied jre folder to LISA_HOME/
Step 7. Start all the services 

Customer applied the recommended changes and they not seeing the 3 vulnerabilities  CVE-2022-34169, CVE-2021-3517 and CVE-2021-35550 but still seeing few more which are going to be looked in 33258622.

Additional Information

The patch also resolved the "No suitable Java" error when starting a DevTest service.