Seen the CVE-2022-34169, CVE-2021-3517 and CVE-2021-35550 vulnerabilities in DevTest and need help resolving.
Vulnerabilities identify xalan 2.7.2 as vulnerability file but DevTest servers identify as rt.jar file in DevTest_Home/jre/lib folder.
Vulnerability : CVE-2022-34169
Details : Nexpose Enterprise Corp DAILY: Vulnerable OS: Red Hat Enterprise Linux 7.9 Vulnerable software installed: Oracle JRE 184.108.40.206
CVE Description : The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
Scanner Information : ID: jre-vuln-cve-2022-34169-DevTest_Home/jre/lib/rt.jar
Details: Deserialization of Untrusted Data: Vulnerable OS: Red Hat Enterprise Linux/Centos Vulnerable software installed:Java 1.8.0_232 OpenJDK
CVE Description: Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from
the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
Release : 10.7.2
Engineering provided a new xalan.2.7.2-patched.jar and applied it in Customer's Playground server and they were still seeing the vulnerability and engineering shared the new JRE and instructions to apply it also.
In this issue, we were looking the 3 vulnerabilities CVE-2022-34169, CVE-2021-3517 and CVE-2021-35550 and engineering shared the below information.
. CVE-2021-3517 --> As per our analysis and scans we are not vulnerable to this.
. CVE-2021-35550 is medium and we don't see a fix in 8.x series considering the impact and risk this can be given a low priority for now
So there is only one vulnerability pending now which is CVE-2022-34169. This has 2 parts.
. Part1- Engineering shared xalan.2.7.2-patched.jar which you already applied.
. Part 2- of it would be to upgrade jre
Transunion applied the xalan-2.7.2-patched.jar earlier and I am not sure you have it or removed it in your environments. I will share the complete instructions for applying xalan-2.7.2-patched.jar and replace JRE.
Steps to apply the xalan-2.7.2-patched.jar
Step1: Stop all services
Step2: Remove xalan-2.7.2.jar and place xalan-2.7.2-patched.jar at the following location
Step3: Start all services
Steps to replace Jre in RHEL/Centos
Step 1. Stop all the services
Step 2. Go to LISA_HOME/
Step 3. Rename jre folder to rename jre_default
Step 4. Extract the tar linux_jre.tar at downloaded location
Step 5. Copy the jre folder inside linux_jre
Step 6. Paste the copied jre folder to LISA_HOME/
Step 7. Start all the services
Customer applied the recommended changes and they not seeing the 3 vulnerabilities CVE-2022-34169, CVE-2021-3517 and CVE-2021-35550 but still seeing few more which are going to be looked in 33258622.
The patch also resolved the "No suitable Java" error when starting a DevTest service.