Return
-
Title
Apache Xalan Java XSLT library integer truncation vulnerability (CVE-2022-34169) -
Description
A security scan identified the following vulnerability for Apache Xalan Java XSLT library in the Foglight installation:
CVE-2022-34169
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan. -
Cause
The file flagged with this vulnerability is:
[FMS_HOME]/server/core/xalan.jar
This file does contain Apache Xalan Java XSLT library version 2.7.2, which is referenced in the vulnerability report for CVE-2022-34169 . -
Resolution
Foglight has removed this dependency in Foglight version 6.3.0 already available for download from the Support Portal .